Exim logs filled with dovecot_login fails
I'm getting the below in my exim_mainlog
==================
2019-04-14 03:37:18 dovecot_login authenticator failed for (server.com) [178.128.xx.xxx]:57038: 535 Incorrect authentication data (set_id=amilton@some.domain.ns.ca)
2019-04-14 03:37:18 SMTP connection from (server.com) [178.128.xx.xxx]:57038 lost (error: Connection reset by peer) D=1s
2019-04-14 03:37:45 SMTP connection from [142.93.xxx.xx]:41656 (TCP/IP connection count = 1)
2019-04-14 03:37:45 no host name found for IP address 142.93.xxx.xx
==================
and there are a lot of these entries. The domain (or subdomain) some.domain.ns.ca is pointing to my IP, which is not my domain. How can I get rid of this? Is it any kind of attack? Please help.
Hello @NOC SZ, you can find discussion of this topic along with some suggestions on how to block the login attempts on the following thread: Thank you.
Thank you @cPanelMichael. Unfortunately the thread you have shared doesn't answer my question; in fact, there is no perfect solution in that thread. Is it possible to block the domain town.example.com before they make an attempt for SMTP login?
Hello @NOC SZ, you can't do this with any existing cPanel & WHM features, but you could set up a custom regular expression rule in CSF (a free firewall management plugin) to automatically block IP addresses that attempt to use "town.example.tld" as the email account username. Here's the link to the thread on the CSF forums that shows examples of how to do this: Custom REGEX rules for CSF. - ConfigServer Community Forum Thank you.
Thanks again for your help @cPanelMichael. I tried that already and am blocking the IPs at the very first attempt. But each time they are coming with a new IP, which makes this action less useful. Any other means, like changing Exim configs or anything, to get rid of this? I think there are more people out there having the same issue.
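As an added illustration of the approach discussed in the two replies above (this is example code, not code from the thread, from cPanel or from CSF): a small Python script that parses exim_mainlog lines in the format quoted in the question, pulls out the source IP and the set_id username from each dovecot_login failure, lists the IPs that tried a username at a given domain (the per-IP block that the CSF regex rule performs), and then groups failures by the username's domain, which is the part that stays constant while the source IPs rotate. The log lines and IP addresses are constructed samples in documentation ranges; the CSF rule file itself is not reproduced here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the exim_mainlog format shown in the thread.
# IPs are from RFC 5737 documentation ranges; the domains are the ones the
# thread mentions plus one unrelated domain. Nothing is from a live system.
SAMPLE_LOG = """\
2019-04-14 03:37:18 dovecot_login authenticator failed for (server.com) [203.0.113.10]:57038: 535 Incorrect authentication data (set_id=amilton@town.example.com)
2019-04-14 03:37:18 SMTP connection from (server.com) [203.0.113.10]:57038 lost (error: Connection reset by peer) D=1s
2019-04-14 03:37:45 SMTP connection from [198.51.100.7]:41656 (TCP/IP connection count = 1)
2019-04-14 03:37:45 no host name found for IP address 198.51.100.7
2019-04-14 03:38:02 dovecot_login authenticator failed for (server.com) [198.51.100.7]:41656: 535 Incorrect authentication data (set_id=sales@town.example.com)
2019-04-14 03:38:30 dovecot_login authenticator failed for (mail.example.org) [192.0.2.55]:50112: 535 Incorrect authentication data (set_id=bob@legit.example.org)
"""

# One dovecot_login failure line. The HELO name in parentheses is optional,
# because Exim omits it when the client sent none. The IP field accepts the
# masked "178.128.xx.xxx" form used in the question as well as real addresses.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"dovecot_login authenticator failed for (?:\(.*?\) )?"
    r"\[(?P<ip>[^\]]+)\]:\d+: 535 .* \(set_id=(?P<user>[^)]*)\)$"
)


def parse_auth_failures(log_text):
    """Yield (timestamp, ip, set_id) for each dovecot_login failure line;
    connection and DNS lines are skipped."""
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("user")


def username_domain(set_id):
    """Domain part of a set_id such as user@domain; '' when there is no '@'."""
    _, sep, domain = set_id.rpartition("@")
    return domain.lower() if sep else ""


def offending_ips(log_text, blocked_domain):
    """Sorted, de-duplicated IPs that tried a username at blocked_domain.
    This is the per-IP view a CSF custom regex rule acts on."""
    return sorted({ip for _, ip, user in parse_auth_failures(log_text)
                   if username_domain(user) == blocked_domain.lower()})


def failures_by_domain(log_text):
    """Map username domain -> (failure count, distinct source IPs).
    A high IP count against one domain is the rotating-IP pattern the
    thread describes: the username domain is the stable indicator."""
    counts = Counter()
    ips = defaultdict(set)
    for _, ip, user in parse_auth_failures(log_text):
        d = username_domain(user)
        counts[d] += 1
        ips[d].add(ip)
    return {d: (counts[d], len(ips[d])) for d in counts}


if __name__ == "__main__":
    print("IPs to block for town.example.com:",
          offending_ips(SAMPLE_LOG, "town.example.com"))
    for d, (n, k) in failures_by_domain(SAMPLE_LOG).items():
        print(f"{d}: {n} failure(s) from {k} distinct IP(s)")
```

Run against a real exim_mainlog by reading the file into `log_text` instead of `SAMPLE_LOG`. The domain-level summary is the useful addition over the per-IP block: if one username domain keeps failing from many addresses, that is the indicator to watch, whatever the next source IP turns out to be.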
Hello @NOC SZ, you'll need to block the IP addresses at the firewall level if you want to block the connection attempts before the request is sent. You can see a list of system administration service providers on the link below should you require a custom solution: Thank you.