
SMTP Failures (smtpauth) -dovecot_plain authenticator failed

Discussion in 'E-mail Discussion' started by djblamire, May 21, 2014.

  1. djblamire

    djblamire Well-Known Member

    Joined:
    May 3, 2003
    Messages:
    253
    Likes Received:
    1
    Trophy Points:
    168
    Recently I have been receiving hundreds of e-mails per day for failed SMTP authentications.

    These are from many countries including Serbia, Russia, Taiwan, Vietnam, Libya and many more.

    The site is running cPanel and the sites on the server send out e-mail, but any mail clients are set to send out e-mails via our own ISP (rather than via the server).

    Is there a way to block access to any remote connections trying to send e-mail out using the server this way?

    I'm concerned about the number of attempts being received.

    Any comments/advice appreciated.

    Thanks
    Daniel
     
  2. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    575
    Likes Received:
    20
    Trophy Points:
    143
    cPanel Access Level:
    Root Administrator
  3. djblamire

    djblamire Well-Known Member

    Thanks - I've had a look at the link but cannot see anything with regards to this (unless I've missed something).

    Thanks again,

    Daniel
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,214
    Likes Received:
    1,936
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Could you clarify what specific emails you are receiving? For instance, are they notifications from a third-party application, or are these failed delivery bounces?

    Thank you.
     
  5. djblamire

    djblamire Well-Known Member

    Sorry,

    I have re-read my posted message and agree it doesn't make sense.

    These are the e-mails from my firewall (ConfigServer Firewall) to confirm that an attempt to log in via smtpauth has failed - brute force attacks.

    It isn't the e-mails themselves to me I want to block, but hoping there is a way to stop SMTP going through the server unless it is from within the server itself (if that makes sense).

    For info - Here is an example of the firewall blocked e-mails (All from different countries and IP addresses):

    Time: Wed May 21 13:34:40 2014 +0100
    IP: 116.73.48.72 (IN/India/-)
    Failures: 5 (smtpauth)
    Interval: 3600 seconds
    Blocked: Permanent Block

    Log entries:

    2014-05-21 12:50:28 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)
    2014-05-21 12:50:34 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)
    2014-05-21 12:50:41 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data (set_id=support@mydomain.com)
    2014-05-21 12:50:52 dovecot_login authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data (set_id=support@mydomain.com)
    2014-05-21 13:34:38 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:51028: 535 Incorrect authentication data (set_id=support)

    Thanks
    Daniel
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    I suggest blocking the IP addresses in your firewall, and using a brute force detection application such as cPHulk:

    "WHM Home » Security Center » cPHulk Brute Force Protection"

    Thank you.
     
  7. djblamire

    djblamire Well-Known Member

    Thanks for your fast reply.

    I'm already doing both of those, but I'm getting around 10-20 different IP addresses every couple of minutes.

    As mail clients shouldn't be sending out e-mails via SMTP through the server (only the server itself should be able to e-mail out), is there a way to block access to any remote connections trying to send e-mail out using the server this way?

    Thanks again,

    Daniel
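
Added example (not part of the original thread, and not cPanel or CSF code): a parser for the Exim log lines quoted above that counts failed SMTP AUTH attempts per source IP and also groups them by targeted mailbox, which exposes a distributed guessing run that stays under a per-IP failure threshold. The sample log is constructed in the quoted format, the extra IPs are documentation addresses, and treating `support` and `support@mydomain.com` as the same target is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log entries quoted in the thread.
# Addresses other than 116.73.48.72 are RFC 5737 documentation IPs.
SAMPLE_LOG = """\
2014-05-21 12:50:28 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57941: 535 Incorrect authentication data (set_id=support)
2014-05-21 12:50:41 dovecot_plain authenticator failed for (DELL-PC) [116.73.48.72]:57976: 535 Incorrect authentication data (set_id=support@mydomain.com)
2014-05-21 12:51:02 dovecot_login authenticator failed for (HOST-A) [192.0.2.10]:40112: 535 Incorrect authentication data (set_id=support)
2014-05-21 12:51:09 dovecot_login authenticator failed for (HOST-B) [198.51.100.7]:40250: 535 Incorrect authentication data (set_id=info@mydomain.com)
2014-05-21 12:51:30 dovecot_plain authenticator failed for (HOST-C) [203.0.113.5]:51990: 535 Incorrect authentication data (set_id=support@mydomain.com)
2014-05-21 12:52:00 1WnABC-0001aB-2C <= user@mydomain.com U=user P=local S=812
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>dovecot_\w+) authenticator failed for "
    r".*?\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?"
)


def parse_failures(text):
    """Yield (timestamp, ip, set_id) for each failed SMTP AUTH line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:  # non-matching lines (deliveries etc.) are skipped
            yield m["ts"], m["ip"], m["user"] or ""


def summarize(text, min_ips=2):
    """Return (failures per IP, mailboxes attacked from >= min_ips IPs)."""
    per_ip = defaultdict(int)
    ips_by_account = defaultdict(set)
    for _ts, ip, user in parse_failures(text):
        per_ip[ip] += 1
        # Assumption: compare on the local part so "support" and
        # "support@mydomain.com" count as the same target.
        ips_by_account[user.split("@")[0].lower()].add(ip)
    distributed = {acct: sorted(ips) for acct, ips in ips_by_account.items()
                   if len(ips) >= min_ips}
    return dict(per_ip), distributed


if __name__ == "__main__":
    per_ip, distributed = summarize(SAMPLE_LOG)
    print("failures per IP:", per_ip)
    print("mailboxes targeted from multiple IPs:", distributed)
```
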
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    There are no native features in WHM that will reject SMTP authentication attempts from all external IP addresses. You would have to configure a custom Exim ACL to implement this type of rule. Or, you could block an entire country (if all IPs originate from it) using CSF as this might be easier than attempting to block the individual IP addresses.

    Thank you.
     
  9. djblamire

    djblamire Well-Known Member

    Thanks for your reply - It is appreciated.

    Can SMTP just be disabled (or disabled on port 25)? Or would that cause complications?

    Unfortunately the IP addresses are rarely from the same country - I've had them from almost every country I can think of.

    Thanks
    Daniel
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    You may find this thread helpful:

    Disable SMTP Authentication

    There is discussion of disabling SMTP, and links to another thread with manual workarounds suggested.

    Thank you.
     