dovecot_plain authenticator failed for and executable attachment "ForwardedMessage.eml

3awh

Well-Known Member
Sep 1, 2008
60
5
58
WWW
I just move my clients to a new server.
I have dovecot and Exim
CSF and imunify360

I get a lot of emails about lfd on jds1.3aliXXXXXXXX.com: blocked XX.68.245.XX (US/United States/c-XX-68-245-xx.hsd1.xx.xxxxxxx.net)

Time: Fri Jul 8 11:59:08 2022 -0400
IP: XX.68.245.XX (US/United States/c-XX-68-245-xx.hsd1.xx.xxxxxxx.net)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SMTPAUTH] (IP match in csf.allow, block may not work)

Log entries:

2022-07-08 11:31:03 dovecot_plain authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62954: 535 Incorrect authentication data (set_id=[email protected])
2022-07-08 11:31:09 dovecot_login authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62954: 535 Incorrect authentication data (set_id=[email protected])
2022-07-08 11:31:15 dovecot_plain authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62956: 535 Incorrect authentication data (set_id=[email protected])
2022-07-08 11:31:21 dovecot_login authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62956: 535 Incorrect authentication data (set_id=[email protected])
2022-07-08 11:59:03 dovecot_plain authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:63107: 535 Incorrect authentication data (set_id=[email protected])


My client said when he forwards messages he get a return failure.


This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
This message has been rejected because it has
a potentially executable attachment "ForwardedMessage.eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
[email protected]
This message has been rejected because it has
a potentially executable attachment "ForwardedMessage.eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.


Reporting-MTA: dns; XXXX.3alienswebXXXXXX.com

Action: failed
Final-Recipient: rfc822;XXXX.3alienswebXXXXXX.com
Status: 5.0.0

Action: failed
Final-Recipient: rfc822;[email protected]
Status: 5.0.0

ForwardedMessage.eml
Subject:
Fwd: Mail delivery failed: returning message to sender
From:
rick XXXXXX <[email protected]>
Date:
7/8/2022, 1:56 PM
To:
3 Aliens Web Hosting <XXXX.3alienswebXXXXXX.com>
CC:
Rob XXXXXXXX <[email protected]>

when he sends it from his personal ISP email it goes through fine.
His IP is also listed on: SORBS DUHL and Spamhaus ZEN

Mitch
 
Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,498
1,971
363
cPanel Access Level
Root Administrator
Hey there! In general, many applications now just block .eml attachments because they get used for viruses frequently. If a new machine already has the IPs on a blacklist, you'll want to contact your hosting provider or datacenter and let them know about it. They will likely be able to help get them removed, or provider you with alternative IP address for sending mail that doesn't have that issue.
 

3awh

Well-Known Member
Sep 1, 2008
60
5
58
WWW
Thank you for your fast reply
The IPs on the black list are my clients. and was wondering if there was something I did to cause it?
The machine IPs are clean.
Is there something I did as far as a config to get these messages?
I had to white-list him so he could get his email.

would him be Listed cause the block on my server?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,498
1,971
363
cPanel Access Level
Root Administrator
It's normal for individual user IPs from your ISP to be on blacklists, as those addresses shouldn't be sending mail.

As far as the LFD notifications, the CSF/LFD service is a third-party firewall tool that isn't controlled by cPanel, so you'd need to adjust that software to change the notifications or settings.
 

3awh

Well-Known Member
Sep 1, 2008
60
5
58
WWW
If there was no problem I would not get a message no?
It's blocking his IP because he's checking mail and there is something wrong with the login system for email just in his account.
I even logged into his home computer with Teamviewer and checked all his settings for that one email and everything is good.
I even Terminated his online account and recreated it and reuploaded his website still getting that message.
The only thing stopping him from being blocked in the firewall is I have him whitelisted and that's why I get that message above.
I'm at a loss

Mitch