I have dovecot and Exim
CSF and imunify360
My client said when he forwards messages he gets a return failure.
I get a lot of emails about lfd on jds1.3aliXXXXXXXX.com: blocked XX.68.245.XX (US/United States/c-XX-68-245-xx.hsd1.xx.xxxxxxx.net)
Time: Fri Jul 8 11:59:08 2022 -0400
IP: XX.68.245.XX (US/United States/c-XX-68-245-xx.hsd1.xx.xxxxxxx.net)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SMTPAUTH] (IP match in csf.allow, block may not work)
Log entries:
2022-07-08 11:31:03 dovecot_plain authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62954: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
2022-07-08 11:31:09 dovecot_login authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62954: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
2022-07-08 11:31:15 dovecot_plain authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62956: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
2022-07-08 11:31:21 dovecot_login authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:62956: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
2022-07-08 11:59:03 dovecot_plain authenticator failed for c-xx.68-245-xx.hsd1.xx.xxx.net ([IPv6:::ffff:192.168.1.2]) [XX.68.245.XX]:63107: 535 Incorrect authentication data (set_id=rick@XXXXXXX.com)
When he sends it from his personal ISP email it goes through fine.
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
robertXXXXX@gmail.com
This message has been rejected because it has
a potentially executable attachment "ForwardedMessage.eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
XXXXXX@3aliXXXXXXXX.com
This message has been rejected because it has
a potentially executable attachment "ForwardedMessage.eml"
This form of attachment has been used by
recent viruses or other malware.
If you meant to send this file then please
package it up as a zip file and resend it.
Reporting-MTA: dns; XXXX.3alienswebXXXXXX.com
Action: failed
Final-Recipient: rfc822;XXXX.3alienswebXXXXXX.com
Status: 5.0.0
Action: failed
Final-Recipient: rfc822;robertclements345@gmail.com
Status: 5.0.0
ForwardedMessage.eml
Subject: Fwd: Mail delivery failed: returning message to sender
From: rick XXXXXX <rick@XXXXXXX.com>
Date: 7/8/2022, 1:56 PM
To: 3 Aliens Web Hosting <XXXX.3alienswebXXXXXX.com>
CC: Rob XXXXXXXX <robertXXXXX@gmail.com>
His IP is also listed on: SORBS DUHL and Spamhaus ZEN
The IPs on the black list are my client's, and I was wondering if there was something I did to cause it?
The machine IPs are clean.
Is there something I did as far as a config to get these messages?
I had to white-list him so he could get his email.
Mitch