Exim logs filled with dovecot_login fails

NOC SZ

Member
Sep 13, 2017
7
0
1
Dubai
cPanel Access Level
Root Administrator
I'm getting the below in my exim_mainlog:
Code:
==================
2019-04-14 03:37:18 dovecot_login authenticator failed for (server.com) [178.128.xx.xxx]:57038: 535 Incorrect authentication data ([email protected])
2019-04-14 03:37:18 SMTP connection from (server.com) [178.128.xx.xxx]:57038 lost (error: Connection reset by peer) D=1s
2019-04-14 03:37:45 SMTP connection from [142.93.xxx.xx]:41656 (TCP/IP connection count = 1)
2019-04-14 03:37:45 no host name found for IP address 142.93.xxx.xx
==================
and there are a lot of these entries.
The domain (or subdomain) some.domain.ns.ca is pointing to my IP, which is not my domain.
How can I get rid of this?
Is it any kind of attack?

Please help.
 

NOC SZ

Thank you @cPanelMichael
Unfortunately, the thread you have shared doesn't answer my question; in fact, there is no perfect solution in that thread.

Is it possible to block the domain town.example.com before they make an attempt at SMTP login?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,225
463
Hello @NOC SZ,

You can't do this with any existing cPanel & WHM features, but you could set up a custom regular expression rule in CSF (a free firewall management plugin) to automatically block IP addresses that attempt to use "town.example.tld" as the email account username. Here's the link to the thread on the CSF forums that shows examples of how to do this:

Custom REGEX rules for CSF. - ConfigServer Community Forum

Thank you.
 

NOC SZ

Thanks again for your help @cPanelMichael

I tried that already and am blocking the IPs at the very first attempt. But each time they come with a new IP, which makes this action less useful.
Any other means, like changing Exim configs or anything, to get rid of this?
I think there are more people out there having the same issue?
 

cPanelMichael

Hello @NOC SZ,

You'll need to block the IP addresses at the firewall level if you want to block the connection attempts before the request is sent. You can see a list of system administration service providers on the link below should you require a custom solution:

System Administration Services | cPanel Forums

Thank you.
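
The log matching discussed in this thread (a rule keyed on the attempted username, and the observation that the source IP changes every time), as a stand-alone Python sketch. This is an added example, not part of any post above and not CSF's own rule syntax. It assumes an unredacted Exim log, where the attempted login appears as `set_id=...`; the sample lines, IP addresses, `hosted.example` and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Exim failed-AUTH line. The attempted login is logged as "set_id=..." (assumed unredacted).
FAILED_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<auth>\w+) authenticator failed for .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?"
)

# Constructed sample in exim_mainlog format (documentation-range IPs).
SAMPLE_LOG = """\
2019-04-14 03:37:18 dovecot_login authenticator failed for (mail.example.net) [192.0.2.10]:57038: 535 Incorrect authentication data (set_id=info@town.example.tld)
2019-04-14 03:37:18 SMTP connection from (mail.example.net) [192.0.2.10]:57038 lost (error: Connection reset by peer) D=1s
2019-04-14 03:37:45 SMTP connection from [198.51.100.7]:41656 (TCP/IP connection count = 1)
2019-04-14 03:37:46 dovecot_login authenticator failed for (mail.example.net) [198.51.100.7]:41656: 535 Incorrect authentication data (set_id=admin@town.example.tld)
2019-04-14 03:38:02 dovecot_login authenticator failed for ([203.0.113.5]) [203.0.113.5]:50211: 535 Incorrect authentication data (set_id=bob@hosted.example)
""".splitlines()


def parse_failures(lines):
    """Yield (client_ip, attempted_login) for each failed SMTP AUTH line."""
    for line in lines:
        m = FAILED_AUTH.match(line)
        if m:
            yield m["ip"], (m["user"] or "").lower()


def summarize(lines, hosted_domains):
    """Group failures by the domain of the attempted login, with the distinct source IPs."""
    by_domain = defaultdict(set)
    for ip, user in parse_failures(lines):
        domain = user.rpartition("@")[2] if "@" in user else "(no domain)"
        by_domain[domain].add(ip)
    return {d: {"ips": sorted(ips), "hosted": d in hosted_domains}
            for d, ips in by_domain.items()}


def block_candidates(lines, hosted_domains):
    """IPs that tried to log in for a domain this server does not host."""
    report = summarize(lines, hosted_domains)
    return sorted({ip for d in report.values() if not d["hosted"] for ip in d["ips"]})


if __name__ == "__main__":
    for domain, info in summarize(SAMPLE_LOG, {"hosted.example"}).items():
        print(domain, "hosted" if info["hosted"] else "NOT hosted", info["ips"])
    print("block:", block_candidates(SAMPLE_LOG, {"hosted.example"}))
```

Grouping by attempted domain rather than by IP keeps the pattern visible even when every attempt arrives from a different address.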