Exim logs filled with dovecot_login fails

NOC SZ

Member
Sep 13, 2017
7
0
1
Dubai
cPanel Access Level
Root Administrator
I'm getting the below in my exim_mainlog:
Code:
==================
2019-04-14 03:37:18 dovecot_login authenticator failed for (server.com) [178.128.xx.xxx]:57038: 535 Incorrect authentication data ([email protected])
2019-04-14 03:37:18 SMTP connection from (server.com) [178.128.xx.xxx]:57038 lost (error: Connection reset by peer) D=1s
2019-04-14 03:37:45 SMTP connection from [142.93.xxx.xx]:41656 (TCP/IP connection count = 1)
2019-04-14 03:37:45 no host name found for IP address 142.93.xxx.xx
==================
and there are a lot of these entries.
The domain (or subdomain) some.domain.ns.ca, which is not my domain, is pointing to my IP.
How can I get rid of this?
Is it any kind of attack?

Please help.
 

NOC SZ

Thank you @cPanelMichael
Unfortunately, the thread you have shared doesn't answer my question; in fact, there is no perfect solution in that thread.

Is it possible to block the domain town.example.com before they make an attempt at SMTP login?
 

cPanelMichael

Administrator
Staff member
Hello @NOC SZ,

You can't do this with any existing cPanel & WHM features, but you could set up a custom regular expression rule in CSF (a free firewall management plugin) to automatically block IP addresses that attempt to use "town.example.tld" as the email account username. Here's the link to the thread on the CSF forums that shows examples of how to do this:

Custom REGEX rules for CSF. - ConfigServer Community Forum

Thank you.
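
The matching that such a custom rule has to perform, shown as an added example that is not part of the original thread and is not CSF's own code. It assumes Exim's usual `(set_id=<username>)` suffix on failed-auth lines (the usernames in the log excerpt above are obscured); the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Exim logs a failed SMTP AUTH as:
#   dovecot_login authenticator failed for <helo> [ip]:port: 535 Incorrect
#   authentication data (set_id=<username>)
FAILED_AUTH = re.compile(
    r"dovecot_login authenticator failed for .*?"
    r"\[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)?: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?"
)

def matches_domain(user, domain):
    """True if the attempted login is the domain itself or an address under it."""
    user, domain = user.strip().lower(), domain.lower()
    return (user == domain
            or user.endswith("@" + domain)
            or user.endswith("." + domain))

def ips_to_block(lines, domain):
    """Count failed dovecot_login attempts per source IP that used `domain`."""
    hits = Counter()
    for line in lines:
        m = FAILED_AUTH.search(line)
        # Lines without a set_id carry no username to compare, so skip them.
        if m and m.group("user") and matches_domain(m.group("user"), domain):
            hits[m.group("ip")] += 1
    return hits

# Constructed sample lines (documentation IP ranges, placeholder names).
SAMPLE = [
    "2019-04-14 03:37:18 dovecot_login authenticator failed for (server.com) [192.0.2.10]:57038: 535 Incorrect authentication data (set_id=info@town.example.tld)",
    "2019-04-14 03:37:18 SMTP connection from (server.com) [192.0.2.10]:57038 lost (error: Connection reset by peer) D=1s",
    "2019-04-14 03:37:40 dovecot_login authenticator failed for (server.com) [192.0.2.10]:57102: 535 Incorrect authentication data (set_id=town.example.tld)",
    "2019-04-14 03:38:02 dovecot_login authenticator failed for (mail) [198.51.100.7]:41656: 535 Incorrect authentication data (set_id=admin@town.example.tld)",
    "2019-04-14 03:39:10 dovecot_login authenticator failed for (pc) [203.0.113.5]:50211: 535 Incorrect authentication data (set_id=user@hosted.example)",
    "2019-04-14 03:39:30 dovecot_login authenticator failed for (x) [203.0.113.9]:50400: 535 Incorrect authentication data",
]

if __name__ == "__main__":
    for ip, count in ips_to_block(SAMPLE, "town.example.tld").most_common():
        print(ip, count)
```

A failed login by a real account (the `hosted.example` line) is left out of the result, so only sources that tried the foreign domain become block candidates.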
 

NOC SZ

Thanks again for your help @cPanelMichael

I tried that already and am blocking the IPs at the very first attempt. But each time they come with a new IP, which makes this action less useful.
Are there any other means, like changing Exim configs or anything, to get rid of this?
I think there are more people out there having the same issue?