SMTP Failures (smtpauth) -dovecot_plain authenticator failed

djblamire

Well-Known Member
May 3, 2003
255
1
168
Recently I have been receiving hundreds of e-mails per day for failed SMTP authentications.

These are from many countries including Serbia, Russia, Taiwan, Vietnam, Libya and many more.

The site is running cPanel and the sites on the server send out e-mail, but any mail clients are set to send out e-mails via our own ISP (rather than via the server).

Is there a way to block access to any remote connections trying to send e-mail out using the server this way ?

I'm concerned about the number of attempts being received.

Any comments/advise appreciated.

Thanks
Daniel
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,215
363
Recently I have been receiving hundreds of e-mails per day for failed SMTP authentications.
Could you clarify what specific emails you are receiving? For instance, are they notifications from a third-party application, or are these failed delivery bounces?

Thank you.
 

djblamire

Well-Known Member
May 3, 2003
255
1
168
Sorry,

I have re-read my posted message and agree it doesn't make sense.

These are the e-mails from my firewall (Configserver Firewall) to confirm that an attempt to login via smtpauth has failed - brute force attacks.

It isn't the e-mails themselves to me I want to block, but hoping there is a way to stop SMTP going through the server unless it is from within the server itself (if that makes sense).

For info - Here is an example of the firewall blocked e-mails (All from different countries and IP addresses):

Time: Wed May 21 13:34:40 2014 +0100
IP: 116.73.48.72 (IN/India/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

2014-05-21 12:50:28 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)
2014-05-21 12:50:34 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)
2014-05-21 12:50:41 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data ([email protected])
2014-05-21 12:50:52 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data ([email protected])
2014-05-21 13:34:38 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:51028: 535 Incorrect authentication data (set_id=support)

Thanks
Daniel
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,215
363
I suggest blocking the IP addresses in your firewall, and using a brute force detection application such as cPHulk:

"WHM Home » Security Center » cPHulk Brute Force Protection"

Thank you.
 

djblamire

Well-Known Member
May 3, 2003
255
1
168
Thanks for your fast reply.

I'm already doing both of those, but I'm getting around 10-20 different IP addresses every couple of minutes.

As mail clients shouldn't be sending out e-mails via SMTP through the server (only the server itself should be able to e-mail out), is there a way to block access to any remote connections trying to send e-mail out using the server this way ?

Thanks again,

Daniel
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,215
363
There are no native features in WHM that will reject SMTP authentication attempts from all external IP addresses. You would have to configure a custom Exim ACL to implement this type of rule. Or, you could block an entire country (If all IPs originate from it) using CSF as this might be easier than attempting to block the individual IP addresses.

Thank you.
 

djblamire

Well-Known Member
May 3, 2003
255
1
168
Thanks for your reply - It is appreciated.

Can SMTP just be disabled (or disabled on port 25) ? - Or would that cause complications ?

Unfortunately the IP addresses are rarely from the same country - I've had them from almost every country I can think of.

Thanks
Daniel