dovecot_plain authenticator failed for and executable attachment "ForwardedMessage.eml"
I just moved my clients to a new server.
I have Dovecot and Exim, CSF and Imunify360.
I get a lot of emails about this:
lfd on jds1.3aliXXXXXXXX.com: blocked XX.68.245.XX (US/United States/c-XX-68-245-xx.hsd1.xx.xxxxxxx.net)
Time: Fri Jul 8 11:59:08 2022 -0400
IP: XX.68.245.XX (US/United States/c-XX-68-245-xx.hsd1.xx.xxxxxxx.net)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SMTPAUTH] (IP match in csf.allow, block may not work)
Log entries:
2022-07-08 11:31:03 dovecot_plain authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62954: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
2022-07-08 11:31:09 dovecot_login authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62954: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
2022-07-08 11:31:15 dovecot_plain authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62956: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
2022-07-08 11:31:21 dovecot_login authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62956: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
2022-07-08 11:59:03 dovecot_plain authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:63107: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
My client said that when he forwards messages he gets a return failure.
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
robertXXXXX@gmail.com
This message has been rejected because it has
a potentially executable attachment "ForwardedMessage.eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
XXXXXX@3aliXXXXXXXX.com
This message has been rejected because it has
a potentially executable attachment "ForwardedMessage.eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
Reporting-MTA: dns; XXXX.3alienswebXXXXXX.com
Action: failed
Final-Recipient: rfc822;XXXX.3alienswebXXXXXX.com
Status: 5.0.0
Action: failed
Final-Recipient: rfc822;robertXXXXX@gmail.com
Status: 5.0.0
ForwardedMessage.eml
Subject: Fwd: Mail delivery failed: returning message to sender
From: rick XXXXXX
Date: 7/8/2022, 1:56 PM
To: 3 Aliens Web Hosting
CC: Rob XXXXXXXX
When he sends it from his personal ISP email it goes through fine.
His IP is also listed on SORBS DUHL and Spamhaus ZEN.
Mitch
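The LFD notice quoted above is assembled from Exim's mainlog: each "authenticator failed" line is an SMTP AUTH attempt (the client's outgoing-server login, which Exim hands to Dovecot) that was refused with a 535, and set_id= is the mailbox name the client presented. LFD's LF_SMTPAUTH trigger simply counts such lines per source IP over its interval and blocks at the threshold, warning when the IP is also in csf.allow. The block below is an added example for this thread, not code from CSF/LFD, Exim or the original poster. It reproduces that count over constructed log lines in the same format (RFC 5737 addresses and invented hostnames in place of the masked ones) and also lists connections on which both dovecot_plain and dovecot_login failed, which in the post's log happens on one source port each time, i.e. one client connection cycling through both mechanisms with the same credential:

```python
"""Count Exim SMTP AUTH failures per source IP the way LFD's LF_SMTPAUTH
trigger does (N failures within an interval) and report which mailbox the
client kept presenting (the set_id= value).

Added example for the thread, not CSF/LFD or Exim code. The log lines are
constructed in the format quoted in the post, with RFC 5737 documentation
addresses and invented hostnames."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog entry for an SMTP AUTH attempt that Dovecot rejected. The
# parenthesised field is the client's EHLO name (absent hostname is allowed);
# the port is the client's source port, so two lines sharing it came from the
# same TCP connection.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>dovecot_\w+) authenticator failed for (?:(?P<host>\S+) )?"
    r"\((?P<helo>[^)]*)\) \[(?P<ip>[0-9a-fA-F.:]+)\]:(?P<port>\d+): "
    r"535 Incorrect authentication data \(set_id=(?P<user>[^)]*)\)$"
)

# Constructed sample: one client retrying PLAIN then LOGIN on the same
# connection with a stale password (5 failures in 28 minutes), one host with
# 5 failures spread over 6 hours (never 5 inside 3600 s), one lone guess with
# no reverse DNS, and a non-auth line the regex must ignore.
SAMPLE_LOG = """\
2022-07-08 11:31:03 dovecot_plain authenticator failed for c-203-0-113-7.example.net ([IPv6:::ffff:192.168.1.2]) [203.0.113.7]:62954: 535 Incorrect authentication data (set_id=rick@example.com)
2022-07-08 11:31:09 dovecot_login authenticator failed for c-203-0-113-7.example.net ([IPv6:::ffff:192.168.1.2]) [203.0.113.7]:62954: 535 Incorrect authentication data (set_id=rick@example.com)
2022-07-08 11:31:15 dovecot_plain authenticator failed for c-203-0-113-7.example.net ([IPv6:::ffff:192.168.1.2]) [203.0.113.7]:62956: 535 Incorrect authentication data (set_id=rick@example.com)
2022-07-08 11:31:21 dovecot_login authenticator failed for c-203-0-113-7.example.net ([IPv6:::ffff:192.168.1.2]) [203.0.113.7]:62956: 535 Incorrect authentication data (set_id=rick@example.com)
2022-07-08 11:40:00 <= sender@example.org H=mail.example.org [198.51.100.2] P=esmtps S=2048 id=abc@example.org
2022-07-08 11:59:03 dovecot_plain authenticator failed for c-203-0-113-7.example.net ([IPv6:::ffff:192.168.1.2]) [203.0.113.7]:63107: 535 Incorrect authentication data (set_id=rick@example.com)
2022-07-08 08:00:00 dovecot_plain authenticator failed for slow.example.net (x) [192.0.2.44]:40001: 535 Incorrect authentication data (set_id=admin)
2022-07-08 09:30:00 dovecot_plain authenticator failed for slow.example.net (x) [192.0.2.44]:40002: 535 Incorrect authentication data (set_id=admin)
2022-07-08 11:00:00 dovecot_plain authenticator failed for slow.example.net (x) [192.0.2.44]:40003: 535 Incorrect authentication data (set_id=admin)
2022-07-08 12:30:00 dovecot_plain authenticator failed for slow.example.net (x) [192.0.2.44]:40004: 535 Incorrect authentication data (set_id=admin)
2022-07-08 14:00:00 dovecot_plain authenticator failed for slow.example.net (x) [192.0.2.44]:40005: 535 Incorrect authentication data (set_id=admin)
2022-07-08 12:05:10 dovecot_login authenticator failed for (x) [198.51.100.9]:51000: 535 Incorrect authentication data (set_id=info@example.com)
"""


def parse_failures(lines):
    """Yield (timestamp, ip, user, mechanism, port) for each matching line."""
    for line in lines:
        m = AUTH_FAIL.match(line.rstrip("\n"))
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["user"], m["auth"], int(m["port"]))


def find_offenders(lines, threshold=5, interval=3600, allow=frozenset()):
    """Return {ip: report} for every IP with `threshold` or more failures inside
    some window of `interval` seconds (the LF_SMTPAUTH rule). `allow` is the
    set of IPs in csf.allow; LFD still reports those but warns the block may
    not take effect, so the report carries an "allowed" flag."""
    by_ip = defaultdict(list)
    for ts, ip, user, mech, _port in parse_failures(lines):
        by_ip[ip].append((ts, user, mech))
    window = timedelta(seconds=interval)
    reports = {}
    for ip, events in by_ip.items():
        events.sort()  # lines need not be chronological per IP
        start = 0
        for end, (ts, _u, _m) in enumerate(events):
            while ts - events[start][0] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                hit = events[start:end + 1]
                reports[ip] = {
                    "failures": len(hit),
                    "users": sorted({u for _, u, _ in hit}),
                    "mechanisms": sorted({m for _, _, m in hit}),
                    "first": hit[0][0],
                    "last": hit[-1][0],
                    "allowed": ip in allow,
                }
                break
    return reports


def same_connection_retries(lines):
    """Connections (ip, source port) on which more than one AUTH mechanism
    failed: a client holding one credential and trying PLAIN, then LOGIN."""
    mechs = defaultdict(set)
    for _ts, ip, _user, mech, port in parse_failures(lines):
        mechs[(ip, port)].add(mech)
    return {conn: sorted(m) for conn, m in mechs.items() if len(m) > 1}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, r in find_offenders(lines, allow={"203.0.113.7"}).items():
        note = " (IP match in csf.allow, block may not work)" if r["allowed"] else ""
        print(f"{ip}: {r['failures']} failures {r['first']:%H:%M:%S}-{r['last']:%H:%M:%S}"
              f" users={r['users']} mechs={r['mechanisms']}{note}")
    for (ip, port), m in same_connection_retries(lines).items():
        print(f"{ip}:{port} tried {m} on one connection")
```

Run against the real file (`/var/log/exim_mainlog` on a cPanel host) by passing `open(path)` instead of `SAMPLE_LOG.splitlines()`. A single set_id across every failure from one IP, with PLAIN and LOGIN alternating on one connection, is the signature of one mail client holding a wrong or stale outgoing-server password, not of someone enumerating accounts; many different set_id values from one IP is the pattern to treat as hostile.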
Hey there! In general, many applications now just block .eml attachments because they get used for viruses frequently. If a new machine already has the IPs on a blacklist, you'll want to contact your hosting provider or datacenter and let them know about it. They will likely be able to help get them removed, or provide you with an alternative IP address for sending mail that doesn't have that issue.
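The bounce in the original post names the attachment ("ForwardedMessage.eml"), which is what a mail client's "forward as attachment" produces: the original message becomes a message/rfc822 part with that filename, and a filter that decides by filename extension rejects it regardless of what the bytes are. That also fits the observation that the same forward goes out fine through the client's ISP mail server, since the filter sits in this server's Exim and only sees mail relayed through it. The block below is an added example, not the filter from the server's Exim configuration (whose extension list is not quoted in the thread; BLOCKED_EXTENSIONS here is illustrative), showing the forwarded-as-.eml message being caught, the zip workaround the bounce suggests passing, and the original recovered from the zip on the receiving side:

```python
"""Filename-based attachment rejection of the kind that produced the bounce in
the thread: a message forwarded "as attachment" carries the original as a
message/rfc822 part named ForwardedMessage.eml, which a filter keyed on the
filename extension rejects, while the same bytes inside a .zip pass.

Added example, not the server's Exim filter; BLOCKED_EXTENSIONS is an
illustrative list, and the addresses and message text are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Illustrative blocklist. Only the declared filename is inspected, which is
# exactly why the bounce text says "package it up as a zip file and resend".
BLOCKED_EXTENSIONS = frozenset({"eml", "exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js"})


def blocked_attachments(msg, blocked=BLOCKED_EXTENSIONS):
    """Return the filenames of all parts whose extension is on the blocklist."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and "." in name and name.rsplit(".", 1)[1].lower() in blocked:
            hits.append(name)
    return hits


def as_mta_sees_it(msg):
    """Serialise and re-parse so the check runs on wire bytes, as an MTA does."""
    return BytesParser(policy=policy.default).parsebytes(msg.as_bytes())


def make_original():
    """Constructed stand-in for the bounce the client tried to forward."""
    m = EmailMessage()
    m["From"] = "Mail Delivery System <Mailer-Daemon@mail.example.com>"
    m["To"] = "rick@example.com"
    m["Subject"] = "Mail delivery failed: returning message to sender"
    m.set_content("A message that you sent could not be delivered.\n")
    return m


def forward_as_attachment(original, to):
    """What a mail client's 'Forward as attachment' produces."""
    fwd = EmailMessage()
    fwd["From"] = "rick@example.com"
    fwd["To"] = to
    fwd["Subject"] = "Fwd: " + original["Subject"]
    fwd.set_content("See attached.\n")
    fwd.add_attachment(original, filename="ForwardedMessage.eml")  # message/rfc822 part
    return as_mta_sees_it(fwd)


def forward_as_zip(original, to):
    """The workaround the bounce suggests: the same .eml inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ForwardedMessage.eml", original.as_bytes())
    fwd = EmailMessage()
    fwd["From"] = "rick@example.com"
    fwd["To"] = to
    fwd["Subject"] = "Fwd: " + original["Subject"]
    fwd.set_content("See attached (zipped).\n")
    fwd.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="ForwardedMessage.zip")
    return as_mta_sees_it(fwd)


def subject_inside_zip(msg, member="ForwardedMessage.eml"):
    """Receiving side: open the zipped .eml and return the original's Subject."""
    for part in msg.walk():
        if part.get_content_type() == "application/zip":
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                inner = BytesParser(policy=policy.default).parsebytes(zf.read(member))
                return inner["Subject"]
    return None


if __name__ == "__main__":
    orig = make_original()
    print("as .eml:", blocked_attachments(forward_as_attachment(orig, "robert@example.com")))
    print("as .zip:", blocked_attachments(forward_as_zip(orig, "robert@example.com")))
```

Because the check is on the declared filename alone, the zip passes and so would an inline forward (the original quoted as text, with no attachment at all); nothing about the message content changes between the rejected and accepted versions, which is the trade-off of extension-based attachment blocking.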
Thank you for your fast reply. The IPs on the blacklist are my client's, and I was wondering if there was something I did to cause it? The machine IPs are clean. Is there something I did as far as a config to get these messages? I had to whitelist him so he could get his email. Would him being listed cause the block on my server?
It's normal for individual user IPs from your ISP to be on blacklists, as those addresses shouldn't be sending mail. As for the LFD notifications, the CSF/LFD service is a third-party firewall tool that isn't controlled by cPanel, so you'd need to adjust that software to change the notifications or settings.
If there was no problem I would not get a message, no? It's blocking his IP because he's checking mail, and there is something wrong with the login system for email just in his account. I even logged into his home computer with TeamViewer and checked all his settings for that one email account and everything is good. I even terminated his online account, recreated it and re-uploaded his website, and I'm still getting that message. The only thing stopping him from being blocked in the firewall is that I have him whitelisted, and that's why I get that message above. I'm at a loss. Mitch
So when that user checks his email, just that action alone is causing CSF to attempt to block the IP address? If you temporarily disable CSF, does anything in cPanel happen related to that connection?