SMTP Failures (smtpauth) -dovecot_plain authenticator failed

Discussion in 'E-mail Discussions' started by djblamire, May 21, 2014.

  1. djblamire

    djblamire Well-Known Member

    Recently I have been receiving hundreds of e-mails per day for failed SMTP authentications.

    These are from many countries including Serbia, Russia, Taiwan, Vietnam, Libya and many more.

    The site is running cPanel and the sites on the server send out e-mail, but any mail clients are set to send out e-mails via our own ISP (rather than via the server).

    Is there a way to block access to any remote connections trying to send e-mail out using the server this way?

    I'm concerned about the number of attempts being received.

    Any comments/advice appreciated.

    Thanks
    Daniel
     
  2. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

  3. djblamire

    djblamire Well-Known Member

    Thanks - I've had a look at the link but cannot see anything with regards to this (unless I've missed something).

    Thanks again,

    Daniel
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you clarify what specific emails you are receiving? For instance, are they notifications from a third-party application, or are these failed delivery bounces?

    Thank you.
     
  5. djblamire

    djblamire Well-Known Member

    Sorry,

    I have re-read my posted message and agree it doesn't make sense.

    These are the e-mails from my firewall (ConfigServer Firewall) to confirm that an attempt to log in via smtpauth has failed - brute force attacks.

    It isn't the e-mails themselves to me I want to block, but hoping there is a way to stop SMTP going through the server unless it is from within the server itself (if that makes sense).

    For info - Here is an example of the firewall blocked e-mails (All from different countries and IP addresses):

    Time: Wed May 21 13:34:40 2014 +0100
    IP: 116.73.48.72 (IN/India/-)
    Failures: 5 (smtpauth)
    Interval: 3600 seconds
    Blocked: Permanent Block

    Log entries:

    2014-05-21 12:50:28 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)
    2014-05-21 12:50:34 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)
    2014-05-21 12:50:41 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data (set_id=support@mydomain.com)
    2014-05-21 12:50:52 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data (set_id=support@mydomain.com)
    2014-05-21 13:34:38 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:51028: 535 Incorrect authentication data (set_id=support)

    Thanks
    Daniel
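
An added example, not part of the original post and not code from CSF or cPanel: a Python sketch that parses Exim log lines in the format shown in the report above and applies two thresholds, a per-IP failure count (mirroring the report's 5 failures in 3600 seconds) and a per-mailbox count of distinct source IPs, which catches attempts spread across many addresses. The function names, the limits used for the second check and the last three sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ authenticator failed for .*?"
    r"\[([0-9A-Fa-f.:]+)\](?::\d+)?: 535 .*\(set_id=([^)]*)\)")

def parse(lines):
    """Return time-sorted (when, ip, mailbox) tuples for failed SMTP AUTH lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            # "support" and "support@mydomain.com" name the same mailbox
            events.append((when, m.group(2), m.group(3).split("@")[0].lower()))
    return sorted(events)

def flag(events, group_by, limit, window, distinct=None):
    """Groups (by tuple index) reaching `limit` events, or distinct values, per window."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[group_by]].append(ev)
    flagged = {}
    for name, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            n = len(span) if distinct is None else len({ev[distinct] for ev in span})
            if n >= limit:
                flagged[name] = max(flagged.get(name, 0), n)
    return flagged

SAMPLE = [  # first five lines: from the report above; last three: constructed
    "2014-05-21 12:50:28 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)",
    "2014-05-21 12:50:34 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)",
    "2014-05-21 12:50:41 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data (set_id=support@mydomain.com)",
    "2014-05-21 12:50:52 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data (set_id=support@mydomain.com)",
    "2014-05-21 13:34:38 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:51028: 535 Incorrect authentication data (set_id=support)",
    "2014-05-21 13:35:02 dovecot_plain authenticator failed for (host-a) [203.0.113.10]:40001: 535 Incorrect authentication data (set_id=info)",
    "2014-05-21 13:35:40 dovecot_login authenticator failed for (host-b) [198.51.100.7]:40002: 535 Incorrect authentication data (set_id=info@mydomain.com)",
    "2014-05-21 13:36:15 dovecot_plain authenticator failed for (host-c) [192.0.2.33]:40003: 535 Incorrect authentication data (set_id=info)",
]
EVENTS = parse(SAMPLE)
PER_IP = flag(EVENTS, 1, 5, timedelta(seconds=3600))                 # failures per source IP
PER_MAILBOX = flag(EVENTS, 2, 3, timedelta(minutes=10), distinct=1)  # distinct IPs per mailbox
print(PER_IP, PER_MAILBOX)
```

The per-mailbox view flags the three constructed single-attempt sources that a per-IP threshold alone never reaches.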
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I suggest blocking the IP addresses in your firewall, and using a brute force detection application such as cPHulk:

    "WHM Home » Security Center » cPHulk Brute Force Protection"

    Thank you.
     
  7. djblamire

    djblamire Well-Known Member

    Thanks for your fast reply.

    I'm already doing both of those, but I'm getting around 10-20 different IP addresses every couple of minutes.

    As mail clients shouldn't be sending out e-mails via SMTP through the server (only the server itself should be able to e-mail out), is there a way to block access to any remote connections trying to send e-mail out using the server this way?

    Thanks again,

    Daniel
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    There are no native features in WHM that will reject SMTP authentication attempts from all external IP addresses. You would have to configure a custom Exim ACL to implement this type of rule. Or, you could block an entire country (if all IPs originate from it) using CSF, as this might be easier than attempting to block the individual IP addresses.

    Thank you.
     
  9. djblamire

    djblamire Well-Known Member

    Thanks for your reply - It is appreciated.

    Can SMTP just be disabled (or disabled on port 25)? Or would that cause complications?

    Unfortunately the IP addresses are rarely from the same country - I've had them from almost every country I can think of.

    Thanks
    Daniel
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
