How to deal with an email account that was deleted on server but the fired user still tries to access it?
Hi, all!
I have this issue: a guy was fired and the owner of the cPanel account deleted the email in cPanel but never thought of asking the employee to delete the email account from all his dispositives before he left, or of asking him for the password.
Now the customer's dispositive is trying to access the email, but as the email doesn't exist anymore, CSF blocks the IP because of a lot of bad connections, and I started to receive a lot of emails telling me about the IPs blocked because of this account.
I know I can create a filter and delete the emails before I receive them, but the issue is about the IP being blocked: because of so many attempts to access the account, CSF is blocking the IPs.
As I am in a country where the ISPs don't have so many IPs, chances are that the blocked IP will be in use by another of our customers.
So, what can I do to kind of whitelist the email address so the IP is not blocked?
Or, if you have any other suggestion, it is welcome.
Sergio
I could only think of a custom regex for CSF, but it's beyond my skills to write one.
Hello @Secmas, I'm not familiar with the word "dispositive" in English. My guess is that you're referring to email client software or devices that are periodically attempting to connect to the old, deleted email account. One solution I can think of is to obtain a list of the IP addresses or IP address ranges that have been used to attempt to connect to this account:
grep "account@domain.tld" /var/log/maillog |grep -Po "(?<=rip=)[^,]+" |sort |uniq
If the list you obtain is small enough to be easily manageable, you can add the IP addresses (or ranges) to /etc/csf/csf.ignore. The result would be that failed login attempts from the IPs you add to csf.ignore will be ignored and the IP addresses will not be blocked. Note, cPanel does not develop or support CSF/LFD and it's possible there are other features of the software that I am not aware of, which could better address your concern. I did find a forum thread in the ConfigServer community forums which discusses a similar topic:
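The IP-collection step from the reply above, as an added example that is not part of the original thread: it counts failed logins per source IP for one mailbox and lists the IPs not yet present in a csf.ignore-style file. The function names and the sample log lines are constructed for illustration; matching the fixed string `user=<...>` keeps look-alike addresses such as myaccount@domain.tld out of the result.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# Print "COUNT IP" for failed logins to mailbox $1 found in log file $2.
failed_rips() {
    grep -F "user=<$1>" "$2" | grep -F "auth failed" |
        sed -n 's/.*rip=\([^,]*\),.*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print IPs with at least $4 failures that are not listed (as an exact
# line) in ignore file $3. CIDR ranges in that file are not expanded.
ignore_candidates() {
    failed_rips "$1" "$2" | awk -v min="$4" '$1 >= min {print $2}' |
        while read -r ip; do
            grep -qxF "$ip" "$3" || echo "$ip"
        done
}

# Constructed sample data (not real logs): writes maillog and csf.ignore to dir $1.
make_sample() {
    cat > "$1/maillog" <<'EOF'
Mar  3 10:15:02 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<account@domain.tld>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<a1>
Mar  3 10:20:02 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<account@domain.tld>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<a2>
Mar  3 10:25:02 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<account@domain.tld>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<a3>
Mar  3 11:00:09 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<account@domain.tld>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.5, session=<a4>
Mar  3 11:05:41 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<myaccount@domain.tld>, method=PLAIN, rip=198.51.100.20, lip=198.51.100.5, TLS, session=<a5>
Mar  3 11:06:00 host dovecot: imap-login: Login: user=<other@domain.tld>, method=PLAIN, rip=198.51.100.30, lip=198.51.100.5, mpid=4242, TLS, session=<a6>
EOF
    printf '%s\n' '# constructed csf.ignore' '127.0.0.1' '203.0.113.77' > "$1/csf.ignore"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "Failed logins per IP:"
failed_rips account@domain.tld "$demo_dir/maillog"
echo "Not yet ignored, 2 or more failures:"
ignore_candidates account@domain.tld "$demo_dir/maillog" "$demo_dir/csf.ignore" 2
rm -rf "$demo_dir"
```

Review the candidate list before adding anything to /etc/csf/csf.ignore, since, as the reply says, failed logins from ignored IPs are no longer blocked.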
Thanks @cPSamuel, sorry, yes "device" is the right word. I created a script that releases all the IPs of my country every 15 minutes depending on how the IP was blocked and it kind of helps me to deal with this. But I thought that maybe there could be a way in cPanel to let an email account connect without checking the password, but that couldn't send or receive emails. That would be great for this type of issue. Sergio
Hello again Sergio, no problem at all. Now I've learned a new word in Spanish! Unfortunately Dovecot will not allow a user to login with an invalid password. However, you may be able to update the Dovecot configuration to log the password that is supplied by the device: You could then possibly recreate the email account with the same password that the remote client/device is using, in order to prevent the login attempts from "failing." Note, I would not recommend this solution, however it seems as though this is what you are trying to accomplish. Best regards
This looks worth a try. I mean, make the passwords visible for a few hours while the email account tries to connect to the server and after that set it again as it was before the change. Doing that, I could get the failed password for that account and I could recreate the account with the "right" password and proceed to block sending and receiving emails on the account. Will try this tomorrow morning when I will be fresh, lol. Thank you for your help. Sergio