How to deal with an email account that was deleted on the server but the fired user still tries to access it?

Secmas

Well-Known Member
Feb 18, 2005
358
10
168
Hi, all!
I have this issue: a guy was fired and the owner of the cPanel account deleted the email in cPanel, but never thought of asking the employee to delete the email account from all his dispositives before he left, or of asking him for the password.

Now the customer's dispositive is trying to access the email, but as the email doesn't exist anymore, CSF blocks the IP because of a lot of bad connections, and I started to receive a lot of emails telling me about the IPs blocked because of this account.

I know I can create a filter and delete the emails before I receive them, but the issue is about the blocked IPs: because of so many attempts to access the account, CSF is blocking the IPs.

As I am in a country where the ISPs don't have so many IPs, chances are that the blocked IP will be in use by another of our customers.
So, what can I do to kind of whitelist the email address so the IP is not blocked?

Or, if you have any other suggestion, it is welcome.

Sergio
 

cPSamuelM

Technical Analyst Team Lead
Staff member
Nov 20, 2019
196
38
103
USA
cPanel Access Level
Root Administrator
Hello @Secmas

I'm not familiar with the word "dispositive" in English. My guess is that you're referring to email client software or devices that are periodically attempting to connect to the old, deleted email account.

One solution I can think of is to obtain a list of the IP addresses or IP address ranges that have been used to attempt to connect to this account:

grep "[email protected]" /var/log/maillog |grep -Po "(?<=rip=)[^,]+" |sort |uniq

If the list you obtain is small enough to be easily manageable, you can add the IP addresses (or ranges) to /etc/csf/csf.ignore. The result would be that failed login attempts from the IPs you add to csf.ignore will be ignored and the IP addresses will not be blocked.

Note, cPanel does not develop or support CSF/LFD and it's possible there are other features of the software that I am not aware of, which could better address your concern. I did find a forum thread in the ConfigServer community forums which discusses a similar topic: https://mail.forum.configserver.com/viewtopic.php?t=11094

I would encourage you to post about this issue in the ConfigServer community forums as their community may be aware of a better solution than I outlined above.

Best regards
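An added example, not part of the reply above and not cPanel or ConfigServer code: a stricter version of the lookup described in that post, counting failed logins per source IP for one mailbox so that only persistent sources are considered for /etc/csf/csf.ignore. The function names, the sample addresses and the constructed log lines are assumptions; the lines follow the usual Dovecot login format with `user=<...>` and `rip=` fields.

```bash
#!/usr/bin/env bash
# Added example: per-IP count of failed Dovecot logins for one mailbox.

# sample_log: constructed maillog lines (documentation addresses only).
sample_log() {
cat <<'EOF'
Mar  3 09:00:01 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<olduser@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a1>
Mar  3 09:05:01 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<olduser@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a2>
Mar  3 09:10:01 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<olduser@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a3>
Mar  3 09:12:44 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<olduser@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, session=<a4>
Mar  3 09:13:00 host dovecot: imap-login: Login: user=<other@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, mpid=123, TLS, session=<a5>
Mar  3 09:14:00 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<xolduser@example.com>, method=PLAIN, rip=198.51.100.99, lip=192.0.2.10, session=<a6>
EOF
}

# failed_rips MAILBOX  (log on stdin)
# Prints "COUNT IP" lines, busiest first, for auth failures against MAILBOX.
failed_rips() {
    # -F matches the address literally, so "." is not a regex wildcard;
    # the user=<...> wrapper keeps "olduser@" from matching "xolduser@".
    grep -F "user=<$1>" \
        | grep -F "auth failed" \
        | sed -n 's/.*[ ,]rip=\([^, ]*\).*/\1/p' \
        | sort | uniq -c \
        | awk '{print $1, $2}' \
        | sort -k1,1nr -k2,2
}

# ignore_candidates MAILBOX MIN  (log on stdin)
# Prints only the IPs with at least MIN failures, one per line.
ignore_candidates() {
    failed_rips "$1" | awk -v min="$2" '$1 >= min {print $2}'
}

# Demo on the constructed log; on a server, feed /var/log/maillog instead.
sample_log | failed_rips olduser@example.com
```

Successful logins from the same IP by other mailboxes are not counted, which shows when an address is shared with active customers before it goes into csf.ignore.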
 

Secmas

Thanks @cPSamuel,
sorry, yes "device" is the right word.

I created a script that releases all the IPs of my country every 15 minutes depending on how the IP was blocked, and it kind of helps me to deal with this.

But I thought that maybe there could be a way in cPanel to let an email account connect without checking the password, but that couldn't send or receive emails.
That would be great for this type of issue.

Sergio
 

cPSamuelM

Hello again Sergio, no problem at all. Now I've learned a new word in Spanish!

Unfortunately Dovecot will not allow a user to login with an invalid password. However, you may be able to update the Dovecot configuration to log the password that is supplied by the device:

https://www.nixcraft.com/t/dovecot-refuses-to-log-failed-passwords/845/4

https://doc.dovecot.org/settings/core/#setting-auth-verbose-passwords

You could then possibly recreate the email account with the same password that the remote client/device is using, in order to prevent the login attempts from "failing." Note, I would not recommend this solution, however it seems as though this is what you are trying to accomplish.

Best regards
 

Secmas

This looks like it's worth a try.

I mean, make the passwords visible for a few hours while the email account tries to connect to the server and after that set it back as it was before the change.
Doing that, I could get the failed password for that account, recreate the account with the "right" password and proceed to block sending and receiving emails on the account.

Will try this tomorrow morning when I will be fresh, lol

Thank you for your help.

Sergio
 