Cannot login to specific email account

Discussion in 'E-mail Discussions' started by limneos, Jan 27, 2014.

  1. limneos

    limneos Member

    Hello. I noticed yesterday that two of my server's accounts were probably compromised, as remote connections from all over the world were authenticating correctly for those email accounts and sending mail outside (probably the users had too simple passwords set for their email accounts).

    Anyway, my server was being used for spam.

    I took several steps to secure this, changing the main account password, changing all the /email/ accounts' passwords etc.

    However, while doing all these steps, I also deleted the mail directory in /home/accountname/mail and saw it being successfully recreated after a while. I also removed all mail accounts for the compromised domains and set them up again.

    The problem is that now, I cannot login to the previously compromised emails. I can login to a new account if I create one on the same domain, but I cannot login at all to the two compromised emails.

    (btw, there are still numerous attempts per second from several IPs all over the world to send mail using those two accounts, which, since I changed the passwords, all fail with "authenticator error")

    So have they been blacklisted somehow?
    I even increased the number of failed attempts, restarted exim, tried to login, still I can't login to those two accounts.

    Those are the only two accounts that I cannot login to. They are both info@xxx.gr though, but I don't think it makes any difference.

    I thought I could have caused an exim problem since I deleted the mail directory, but a) it was recreated b) any other email account in the same domain works even after that, even if I create a new one.

    I'm attaching a screenshot of my mail's "Tweak Settings"


    Any ideas anyone?

    Thank you in advance.
     


  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    To clarify, did you only remove the "mail" directory, or did you also remove the "etc" directory within the account? Did you re-create the email accounts after removing the "mail" directory? Have you tried deleting an email account that is failing to login, and then re-creating it to see if you experience different results?

    Also, check to make sure the email accounts are not locked by cPHulk brute force detection.

    Thank you.
     
  3. limneos

    limneos Member

    Hello, and thanks for the reply.

    No, I didn't remove the etc directory.

    To help things come back into place, I also ran a software update afterwards, /scripts/mailperm and /scripts/updateuserdomains.

    Yes, I did delete all accounts, especially those that were failing to login multiple times and recreated them.

    Your hint about cPHulk brute force detection actually helped... but it's still weird:

    Brute Force Detection is full of failed login entries for those 2 email accounts, but my IP was not listed in those.
    After whitelisting my IP address though, I can now login to that account... I still can't figure out how I could login to the other accounts but not to those particular two...

    Thanks a lot, I guess it's been a blacklisting issue after all but I couldn't figure out where to look for it.
     
    #3 limneos, Jan 27, 2014
    Last edited: Jan 27, 2014
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Yes, cPHulk will prevent authentication to the email account itself, not just the IP addresses that were brute forcing it. Adding your IP address to the whitelist should resolve the issue.

    Thank you.
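
The behaviour described in this thread, where failed logins spread across many IP addresses lock the account itself while no single address (the owner's included) shows up as blocked, can be checked from the mail log. The following is an added example, not code from the thread or from cPanel; the sample log lines are constructed in the style of exim's main log, and the two thresholds are hypothetical values, not cPHulk's settings.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of exim's main log (not from the thread).
SAMPLE_LOG = """\
2014-01-27 10:15:01 dovecot_login authenticator failed for (h1) [203.0.113.5]:52311: 535 Incorrect authentication data (set_id=info@example.gr)
2014-01-27 10:15:01 dovecot_login authenticator failed for (h2) [198.51.100.7]:40112: 535 Incorrect authentication data (set_id=info@example.gr)
2014-01-27 10:15:02 dovecot_login authenticator failed for (h3) [192.0.2.44]:33901: 535 Incorrect authentication data (set_id=info@example.gr)
2014-01-27 10:15:02 dovecot_login authenticator failed for (h4) [203.0.113.90]:51877: 535 Incorrect authentication data (set_id=info@example.gr)
2014-01-27 10:15:03 dovecot_login authenticator failed for (h5) [198.51.100.23]:46020: 535 Incorrect authentication data (set_id=info@example.gr)
2014-01-27 10:15:03 dovecot_login authenticator failed for (h6) [192.0.2.130]:39455: 535 Incorrect authentication data (set_id=info@example.gr)
2014-01-27 10:16:10 dovecot_login authenticator failed for (h7) [192.0.2.200]:41000: 535 Incorrect authentication data (set_id=sales@example.gr)
2014-01-27 10:16:30 1W7abc-0001Xy-2Z Completed
"""

# Captures the remote IP and the attempted login from a failed SMTP AUTH line.
FAILED_AUTH = re.compile(
    r"authenticator failed for .*?\[([0-9A-Fa-f.:]+)\].*\(set_id=([^)]+)\)")

# Hypothetical thresholds for illustration only.
MAX_FAILS_PER_ACCOUNT = 5
MAX_FAILS_PER_IP = 5

def tally(log_text):
    """Return {account: {ip: failure_count}} for failed-auth lines."""
    by_account = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = FAILED_AUTH.search(line)
        if match:
            ip, account = match.groups()
            by_account[account.lower()][ip] += 1
    return by_account

def lockout_report(log_text):
    """Show which accounts and which IPs would cross each threshold."""
    report = {}
    for account, ips in tally(log_text).items():
        total = sum(ips.values())
        report[account] = {
            "failures": total,
            "distinct_ips": len(ips),
            "account_locked": total >= MAX_FAILS_PER_ACCOUNT,
            "ips_blocked": sorted(ip for ip, n in ips.items() if n >= MAX_FAILS_PER_IP),
        }
    return report

if __name__ == "__main__":
    for account, row in lockout_report(SAMPLE_LOG).items():
        print(account, row)
```

An account reported with `account_locked` true and an empty `ips_blocked` list matches the symptom in the thread: the lock is on the login name, so a legitimate client is refused even though its own address never failed.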
     