Log full of failed authentications

It’s not so easy to explain, but anyway …

I have a nethserver 6.9 NG that is joined to a Miscrosoft AD domain and all the mail users are authenticated on the MS DCs.

On this mail server I have both sogo and webtop 4 installed.

I activated the login audit on the domain and after that I got the event viewer full of events of failed authentication (actually kerberos pre-authentication failed) . Each event in the DC log correspond to a line into the /var(log/imap log file on the nethserver.

Oct 20 21:32:58 fo-mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<c.bosticco>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=</e8Miv9blAB/AAAB>
Oct 20 21:33:07 fo-mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 9 secs): user=<e.benfatto>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<aZRKiv9bmAB/AAAB>
Oct 20 21:33:19 fo-mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 12 secs): user=<f.barroero>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<Qg3Riv9boAB/AAAB>

This is due to an automated process coming from the mail server and happens about every 2 minutes (i suspect webtop after reading this thred), so I wonder if there is a way to avoid getting all this mess. It make reading logs, and eventually investigate on abuses, very confusing because there are a lot of failed authentications not due to real users logon try.

Also we cannot implement user lockout policy.

Can you help ?

Frankly I cannot remember if webtop4 supported a remote AD as user source.

Let’s ask our experts /cc @lucag @gabriele_bulfon @giacomo

I bet this is the thread looking for the scheduled emails (the ones you can send at a specific date/hour.
Maybe there is something missing in the configuration to allow this to work?

any news on it ?