Status code upon login failures is not 401

fixundfertig123

Hello everyone,

Upon log file analysis I observerd that entering incorrect passwords / usernames does not result in 401 response code in the NGINX/Apache2 log file, but only a 200 with an verbal “Logon failed. Please verify your credentials and try again”.

When entering wrong password my reverse proxy recieves from webapp:
AAA.BBB.CCC.EEE - - [11/Apr/2020:12:56:16 +0200] “POST /webapp/?logon HTTP/1.1” 200 3096 “https://XXX/webapp/?logon” “Mozilla/5.0 (Linux; Android 7.0; DEVICENAME) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.xxx.xxx.xxx Safari/537.36”

Looking into the WebAPP Apache2 access log states:
AAA.BBB.CCC.EEE - - [11/Apr/2020:12:56:16 +0200] “POST /webapp/?logon HTTP/1.1” 200 3550 “https://XXX/webapp/?logon” “Mozilla/5.0 (Linux; Android 7.0; DEVICENAME) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.xxx.xxx.xxx Safari/537.36”

Looking into the WebAPP Apache2 error log reveals:
[Sat Apr 11 12:56:16.087556 2020] [:error] [pid 22604] [client AAA.BBB.CCC.EEE:49738] Kopano WebApp user: username@XXX.de: authentication failure at MAPI, referer: https://XXX/webapp/?logon

Anyone else oberserving this? This causes some problems when establishing security mechanism like fail2ban, …

All involved server are:
Description: Debian GNU/Linux 9.12 (stretch)
Release: 9.12
Codename: stretch
WebApp: 3.5.14.2539+111.1
Kopano Core: 8.7.9

I appreciate any help.

fixundfertig123

Hi,

no one experiencing this problem?

Best