Hello to all!
Sorry if this question has already been asked, I did a lot of searching and googling, but couldn't solve this problem. Feel free to point me to any link. My WHM version is 11.32.3 (build 21), running on CentOS 6.3. Using Dovecot and Exim. In advance, sorry for the long post, I'm trying to give as much info as I can.
Two weeks ago one of our clients' cPanel accounts was hacked; among other things, spammers used it for emails and put us on blacklists. After resolving that issue, I spent some time hardening my server, changing security options in "Tweak Settings" and "Exim configuration". Among other things, I enabled RBL checks. Now, I'm facing another problem:
Several clients have reported that they cannot log in to Webmail or email clients. They can reach our server and the login form, but after entering the correct u/p they receive a "Login failed. Wrong user/password"-like error. Using the same credentials, I can log in with no problems (note: I'm logging in from a totally different IP range). These are the lines from the logs:
maillog:
-----------
Jul 20 07:24:23 creator dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<[email protected]>, method=PLAIN, rip=109.x.x.x, lip=88.x.x.x, TLS
exim_mainlog shows that emails are successfully sent/delivered:
---------
2012-07-20 12:32:21 1SsAVR-00024W-8p => office <[email protected]> R=virtual_user T=virtual_userdelivery
2012-07-20 12:32:21 1SsAVR-00024W-8p Completed
exim_rejectlog:
--------
2012-07-20 08:53:08 dovecot_plain authenticator failed for ([127.0.0.1]) [109.x.x.x]:29120: 535 Incorrect authentication data ([email protected])
And, yes - their IP 109.x.x.x is blacklisted in Barracuda and several others. So, as far as I can see, the RBLs are doing just fine.
Anyway, in order to prevent clients from leaving us, I've decided to remove all the security measures I made, disabling RBL as well. Their IP is not listed in firewall/hosts.deny. But they still cannot log in to webmail: the same auth error and log entries.
Can you give me some advice, what else and more to do? Did I miss some security options?
Thank you in advance!
Best regards!
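A small triage script, added here as an example and not part of the original post, that tallies the two log formats quoted above (Dovecot imap-login "auth failed" lines and Exim "535 Incorrect authentication data" lines) per source IP and per account, and flags accounts that fail from one IP but log in fine from another, which is the pattern described in the post. The sample lines, addresses and account names are constructed placeholders, and the Dovecot "Login:" success line format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the maillog and exim_rejectlog
# formats quoted in the post; addresses and accounts are placeholders.
SAMPLE_LOGS = """\
Jul 20 07:24:23 creator dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<office@example.com>, method=PLAIN, rip=109.0.0.1, lip=88.0.0.1, TLS
Jul 20 07:25:10 creator dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<sales@example.com>, method=PLAIN, rip=109.0.0.1, lip=88.0.0.1, TLS
Jul 20 07:30:02 creator dovecot: imap-login: Login: user=<office@example.com>, method=PLAIN, rip=203.0.113.7, lip=88.0.0.1, TLS
2012-07-20 08:53:08 dovecot_plain authenticator failed for ([127.0.0.1]) [109.0.0.1]:29120: 535 Incorrect authentication data (office@example.com)
"""

DOVECOT_FAIL = re.compile(
    r"imap-login: Disconnected \(auth failed, (?P<n>\d+) attempts\): "
    r"user=<(?P<user>[^>]+)>, method=\w+, rip=(?P<rip>[\d.]+)")
DOVECOT_OK = re.compile(  # assumed success-line format
    r"imap-login: Login: user=<(?P<user>[^>]+)>, method=\w+, rip=(?P<rip>[\d.]+)")
EXIM_FAIL = re.compile(
    r"authenticator failed for \(\[[\d.]+\]\) \[(?P<rip>[\d.]+)\]:\d+: "
    r"535 Incorrect authentication data \((?P<user>[^)]+)\)")

def summarize_auth(text):
    """Tally failed attempts per source IP and per account, and record which
    IPs each account failed from and succeeded from, across both log formats."""
    fails_by_ip, fails_by_user = defaultdict(int), defaultdict(int)
    fail_ips, ok_ips = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if m := DOVECOT_FAIL.search(line):
            n = int(m.group("n"))          # Dovecot reports attempts per session
        elif m := EXIM_FAIL.search(line):
            n = 1                          # Exim logs one line per rejected AUTH
        elif m := DOVECOT_OK.search(line):
            ok_ips[m.group("user")].add(m.group("rip"))
            continue
        else:
            continue
        fails_by_ip[m.group("rip")] += n
        fails_by_user[m.group("user")] += n
        fail_ips[m.group("user")].add(m.group("rip"))
    return dict(fails_by_ip), dict(fails_by_user), dict(fail_ips), dict(ok_ips)

def source_specific_failures(text):
    """Accounts that fail from some IPs but succeed from others: the pattern in
    the post, which suggests a source-dependent cause rather than a bad password."""
    _, _, fail_ips, ok_ips = summarize_auth(text)
    return {u: {"failed_from": sorted(ips), "succeeded_from": sorted(ok_ips[u] - ips)}
            for u, ips in fail_ips.items() if ok_ips.get(u, set()) - ips}

if __name__ == "__main__":
    by_ip, by_user, _, _ = summarize_auth(SAMPLE_LOGS)
    print("failures per IP:", by_ip)
    print("failures per account:", by_user)
    print("source-specific:", source_specific_failures(SAMPLE_LOGS))
```

Feed it the real maillog and exim_rejectlog (e.g. `summarize_auth(open("/var/log/maillog").read())`) to see whether failures cluster on a handful of client IPs or on particular accounts.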