Hello. I noticed yesterday that two of my server's accounts were probably compromised, as remote connections from all over the world were authenticating correctly for those email accounts and sending mail outside. (Probably the users had too simple passwords set for their email accounts.)
Anyway, my server was being used for spam.
I took several steps to secure this, changing the main account password, changing all the /email/ accounts' passwords, etc.
However, while doing all these steps, I also deleted the mail directory in /home/accountname/mail and saw it being successfully recreated after a while. I also removed all mail accounts for the compromised domains and re-set them up.
The problem is that now, I cannot log in to the previously compromised emails. I can log in to a new account if I create one on the same domain, but I cannot log in at all to the two compromised emails.
(Btw, there are still numerous attempts per second from several IPs all over the world to send mail using those two accounts, which, since I changed the passwords, all fail with "authenticator error".)
So have they been blacklisted somehow?
I even increased the number of failed attempts, restarted exim, tried to log in, and I still can't log in to those two accounts.
Those are the only two accounts that I cannot log in to. They both are [email protected] though, but I don't think it makes any difference.
I thought I could have caused an exim problem since I deleted the mail directory, but a) it was recreated, b) any other email account in the same domain works even after that, even if I create a new one.
I'm attaching a screenshot of my mail's "Tweak Settings".
Any ideas, anyone?
Thank you in advance.