Exim logs filled with dovecot_login fails

NOC SZ · Apr 18, 2019

I m getting the below in my exim_mainlog

Code:

==================
2019-04-14 03:37:18 dovecot_login authenticator failed for (server.com) [178.128.xx.xxx]:57038: 535 Incorrect authentication data ([email protected])
2019-04-14 03:37:18 SMTP connection from (server.com) [178.128.xx.xxx]:57038 lost (error: Connection reset by peer) D=1s
2019-04-14 03:37:45 SMTP connection from [142.93.xxx.xx]:41656 (TCP/IP connection count = 1)
2019-04-14 03:37:45 no host name found for IP address 142.93.xxx.xx
==================

and there are lot of these entries.
The domain(or subdomain) some.domain.ns.ca is pointing to my ip which is not my domain.
How can I get rid of this?
Is it any kind of attack?

Please help.

cPanelMichael · Apr 18, 2019

Hello @NOC SZ,

You can find discussion of this topic along with some suggestions on how to block the login attempts on the following thread:

Block login attempts on specific domain

Thank you.

NOC SZ · Apr 22, 2019

Thank you @cPanelMichael
Unfortunately the thread you have shared doesn't answer my question, in fact there is no perfect solution in that thread.

Is it possible to block the domain town.example.com before they make an attempt for smtp login?

cPanelMichael · Apr 23, 2019

Hello @NOC SZ,

You can't do this with any existing cPanel & WHM features, but you could setup a custom regular expression rule in CSF (a free firewall management plugin) to automatically block IP addresses that attempt to use "town.example.tld" as the email account username. Here's the link to the thread on the CSF forums that shows examples of how to do this:

Custom REGEX rules for CSF. - ConfigServer Community Forum

Thank you.

NOC SZ · Apr 24, 2019

Thanks again for your help @cPanelMichael

I tried that already and blocking the IPs at the very first attempt. But each time they are coming with a new IP which makes this action less useful.
Any other means like change exim configs or anything to get rid of this?
I think there are more people out there having same issue?

cPanelMichael · Apr 25, 2019

Hello @NOC SZ,

You'll need to block the IP addresses at the firewall level if you want to block the connection attempts before the request is sent. You can see a list of system administration service providers on the link below should you require a custom solution:

System Administration Services | cPanel Forums

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
S	Blackhole on exim logs	Email	4	Apr 21, 2021
M	Legitimate messages going into exim_rejectlogs	Email	2	Mar 20, 2020
H	Bounced emails from Office 365 not appearing in EXIM logs	Email	3	Apr 15, 2016
	Exim Logs	Email	1	Mar 18, 2015
C	Reading Exim logs to figure out Local relay alert	Email	2	Oct 21, 2014

Search

Search

Exim logs filled with dovecot_login fails

NOC SZ

Member

cPanelMichael

Administrator

NOC SZ

Member

cPanelMichael

Administrator

NOC SZ

Member

cPanelMichael

Administrator