
SMTP connection from (localhost.localdomain)

Discussion in 'E-mail Discussions' started by TCC, Apr 3, 2015.

  1. TCC

    TCC Member

    I have continuous connections from different IPs with this HELO. Blacklisting the IP in cPHulk and the SMTP blacklist has no effect.
    Code:
    SMTP connection from [xxx.xxx.xxx.xxx]:43659 I=[xxx.xxx.xxx.xxx]:587 (TCP/IP connection count = 1)
    SMTP protocol error in "AUTH LOGIN" H=(localhost.localdomain) [xxx.xxx.xxx.xxx]:43659 I=[xxx.xxx.xxx.xxx]:587 AUTH command used when not advertised
    SMTP connection from (localhost.localdomain) [xxx.xxx.xxx.xxx]:43659 I=[xxx.xxx.xxx.xxx]:587 lost
    no MAIL in SMTP connection from (localhost.localdomain) [xxx.xxx.xxx.xxx]:43659 I=[xxx.xxx.xxx.xxx]:587 D=4s C=EHLO,AUTH,RSET 
    
    If I block based on HELO, and add localhost.localdomain to the blocklist, will it cause problems, or just drop the connection from all these IPs using localhost.localdomain?
     
  2. TCC

    TCC Member

    I've set up the heloblocks as described in this thread
    https://forums.cpanel.net/threads/how-to-block-based-on-helo-in-exim-advanced-editor.461451/
    and added localhost.localdomain and USER to the list and the hundreds of connections have stopped. One of the IPs changed the HELO from localhost.localdomain after being blocked to USER, so that's why I've added it, and changed the message to denied. No point in giving them hints on what they need to do to get around it. There have been around 750 connections with these HELOs a day, none legit.

    I've tested Horde, SMTP email from the sites on the server and email remotely and so far no issues. I'll keep an eye on the logs and if I run into an issue, I'll post back. For now at least, problem solved.
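
Added example, not from the thread or from cPanel: before blocking on HELO, this tallies the "AUTH command used when not advertised" errors per HELO name and checks whether any accepted message (a `<=` line) arrived under the same name. The sample log is constructed, its addresses are RFC 5737 documentation ranges, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the log lines quoted in the thread.
# Addresses are RFC 5737 documentation ranges; names are illustrative.
SAMPLE_LOG = """\
2015-04-03 10:15:02 SMTP protocol error in "AUTH LOGIN" H=(localhost.localdomain) [192.0.2.10]:43659 I=[203.0.113.5]:587 AUTH command used when not advertised
2015-04-03 10:15:05 no MAIL in SMTP connection from (localhost.localdomain) [192.0.2.10]:43659 I=[203.0.113.5]:587 D=4s C=EHLO,AUTH,RSET
2015-04-03 10:16:40 SMTP protocol error in "AUTH LOGIN" H=(localhost.localdomain) [198.51.100.7]:51200 I=[203.0.113.5]:587 AUTH command used when not advertised
2015-04-03 10:20:11 SMTP protocol error in "AUTH LOGIN" H=(USER) [192.0.2.10]:43811 I=[203.0.113.5]:587 AUTH command used when not advertised
2015-04-03 10:21:00 SMTP protocol error in "AUTH LOGIN" H=(office-pc) [198.51.100.99]:40000 I=[203.0.113.5]:587 AUTH command used when not advertised
2015-04-03 10:30:00 1YeABC-0001aB-2C <= alice@example.com H=(office-pc) [198.51.100.99]:40012 P=esmtpsa S=2048
"""

# Exim logs the peer as "(helo)", "rdns.name (helo)" or "rdns.name" before [ip].
PEER = r'H=(?:(?P<host>[^\s(]\S*) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]'
AUTH_ERR = re.compile(r'SMTP protocol error in "AUTH[^"]*" ' + PEER
                      + r'.*AUTH command used when not advertised')
ARRIVAL = re.compile(r' <= \S+ ' + PEER)  # message accepted from a remote host


def helo_report(log_text):
    """Map each HELO name to its probe count, source IPs and accepted mail."""
    report = defaultdict(lambda: {"probes": 0, "ips": set(), "accepted": 0})
    for line in log_text.splitlines():
        probe, arrival = AUTH_ERR.search(line), ARRIVAL.search(line)
        m = probe or arrival
        if not m:
            continue
        # With no "(helo)" part, the verified host name is the HELO name.
        entry = report[m.group("helo") or m.group("host")]
        if probe:
            entry["probes"] += 1
            entry["ips"].add(m.group("ip"))
        else:
            entry["accepted"] += 1
    return dict(report)


def safe_to_block(report):
    """HELO names seen in AUTH probes and never on an accepted message."""
    return sorted(h for h, e in report.items()
                  if e["probes"] and not e["accepted"])


if __name__ == "__main__":
    result = helo_report(SAMPLE_LOG)
    for helo, e in result.items():
        print(helo, e["probes"], sorted(e["ips"]), e["accepted"])
    print("block candidates:", safe_to_block(result))
```

A HELO name that also appears on accepted mail, like the constructed `office-pc` client here, is left out of the candidate list because blocking it would reject that sender's legitimate submissions.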
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I am happy to see you were able to find a useable solution. Note that you may want to block those IP addresses in a firewall if the same ones continue to make connection attempts.

    Thank you.
     
  4. TCC

    TCC Member

    A firewall would be ideal, but unfortunately CSF won't run on this VPS. I've tried all the installation tweaks I can find but have had no luck.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You may want to consult with CSF's support forums (forum.configserver.com) or consider an alternative firewall such as APF.

    Thank you.
     