Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: RULE 60921 - Plesk/Courier authd / No such user in database
Posted: Sun Jun 17, 2012 1:03 pm
Forum User

Joined: Fri May 06, 2011 8:16 pm
Posts: 99
Location: UK
Hi, every 7 secs I am getting a RULE 60921 notification for the xxxxxxxxx-1 Plesk/Courier authd[36161]: No such user `joey@co.uk` in mail authorisation database

and so on.

When I go to manage the rule it's displayed as null with the option to actively shun as per the rule / IP.

Is there any way to update a rule to combat this, as I have been getting bombarded by these over the last few days with no option to manage the rule specifically, as it's denoted as null:

17 June
08:16:46 | xxxxxxxxx-1 | 13 | 60921 | xxxxxxxxx-1 Plesk/Courier authd[36161]: No such user `joey@ co.uk` in mail authorization database
08:16:36 | xxxxxxxxx-1 | 13 | 60921

< snipped due to lots of entries >


Last edited by inquis on Sat Jun 23, 2012 8:32 am, edited 1 time in total.

Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Mon Jun 18, 2012 12:40 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3249
Location: Chantilly, VA
Thanks for the question, I'm not sure what you want to do. Do you want to disable the rule?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Mon Jun 18, 2012 12:42 pm
Forum User

Joined: Fri May 06, 2011 8:16 pm
Posts: 99
Location: UK
mikeshinn wrote:
Thanks for the question, I'm not sure what you want to do. Do you want to disable the rule?


Hi Mike,

It's different IPs triggering the rule and I would like to shun the IPs, but when I click on "Manage rule" there's no defining rule to amend - it's just listed as null.

Is there a way to create a rule where I can choose to shun etc. the rule, which could be named multiple mail authorisation errors or something?


Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Mon Jun 18, 2012 3:30 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7429
Location: earth
Not at this time, descriptions are lost when the rule is modified.


Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Mon Jun 18, 2012 5:07 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3249
Location: Chantilly, VA
Quote:
Is there a way to create a rule where I can choose to shun etc. the rule, which could be named multiple mail authorisation errors or something?


You can't shun on that log event because there is no IP to shun. For example:

xxxxxxxxx-1 Plesk/Courier authd[36161]: No such user `joey@ co.uk` in mail authorization database

If that's all that is logged, and there's nothing else (like perhaps a different service that sees the IP) then there's nothing you or we can do with that information. It's useless, there's no source information in that line, so there's nothing to shun.

Are there other log events that list the source IP by any chance?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Mon Jun 18, 2012 5:49 pm
Forum User

Joined: Fri May 06, 2011 8:16 pm
Posts: 99
Location: UK
Hi Mike,

Sorry, you do get IP addys as per below.

The rule that's triggering it is Rule:3901 - New courier (imap/pop3) connection.

I obviously wouldn't want to shun every new connection to pop3 / imap, but could a new rule be tweaked that allows a user to shun an IP triggering 60921 where no such user exists in the mail authorization database?


Attachment: ip-asl-mike.gif (file comment: Rule 60921 trigger)

Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Mon Jun 18, 2012 5:56 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3249
Location: Chantilly, VA
So rule 3911 can help you out here, it will shun on multiple courier connections (20 in 30 seconds from the same IP). Just set 3911 to shun and you'll be set (3911 is a lower level alert and does not shun by default, which is also why you don't see it by default if your level is set to the default).

Unfortunately Plesk's authd doesn't record anything about the source (which is really silly, why bother logging the event then), so you have to shun on the courier events.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
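
Added example, not part of the thread and not ASL's own rule code: the threshold logic described above for rule 3911 (20 courier connections in 30 seconds from the same IP), run over constructed log lines, alongside a count of authd events that carry no source to act on. The `Connection, ip=[...]` line layout, the time-only timestamps, the host name and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict, deque

# Courier's connection event names the client; the Plesk authd event does not.
CONN_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d) \S+ (?:pop3d|imapd)\S*: Connection, ip=\[(?:::ffff:)?([^\]]+)\]")
AUTHD_RE = re.compile(r"authd\[\d+\]: No such user")

def find_shun_candidates(lines, threshold=20, window=30):
    """Return (IPs reaching `threshold` connections within `window` seconds,
    number of authd failures that cannot be tied to any source)."""
    recent = defaultdict(deque)      # ip -> connection times still in the window
    flagged, unattributable = [], 0
    for line in lines:
        if AUTHD_RE.search(line):
            unattributable += 1      # no address in this event, nothing to shun
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        ts = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        ip = m[4]
        times = recent[ip]
        times.append(ts)
        while ts - times[0] > window:    # drop connections older than the window
            times.popleft()
        if len(times) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged, unattributable

def build_sample():
    """Constructed log: one noisy client, one normal client."""
    lines = []
    for s in range(25):              # a connection and a failed lookup every second
        lines.append(f"08:16:{s:02d} host-1 pop3d: Connection, ip=[::ffff:203.0.113.7]")
        lines.append(f"08:16:{s:02d} host-1 Plesk/Courier authd[36161]: "
                     "No such user `user@example.test` in mail authorization database")
    for s in (5, 25, 45):            # occasional polling, stays under the threshold
        lines.append(f"08:17:{s:02d} host-1 imapd: Connection, ip=[::ffff:198.51.100.9]")
    return lines

if __name__ == "__main__":
    print(find_shun_candidates(build_sample()))
```
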


Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Sat Jun 23, 2012 8:40 am
Forum User

Joined: Fri May 06, 2011 8:16 pm
Posts: 99
Location: UK
Hi Mike,

Thanks for that, after some rule tweaking and adding some extra supplementary rules I seem to have got it under control.

And yes, Plesk does have some completely silly quirks for sure.

On a side note, why does a rule change to null after it's edited?

Is there a way to stop or is this hardcoded into ASL - Sorry for the silly question but just when I think I get it, I don't lol


Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Sat Jun 23, 2012 10:41 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7429
Location: earth
At the moment it's because we're not running it through the database. It makes a 2nd rule to override the first one; a better/longer to write/more complicated way to do it is to regenerate the rule class from the database.


Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Sat Jun 23, 2012 11:47 am
Forum User

Joined: Fri May 06, 2011 8:16 pm
Posts: 99
Location: UK
Is this something pencilled in for the future or is the performance hit too great?


Post subject: Re: RULE 60921 - Plesk/Courier authd / No such user in datab
Posted: Sat Jun 23, 2012 8:51 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7429
Location: earth
Yup, it's on the list, no performance hit. It just makes ASL Web a requirement, which we had tried to avoid in the past.

