Fix Excessive SMTP Failures – dovecot_plain authenticator failed

Issue: Distributed brute-force attempts against SMTP authentication (Exim, using Dovecot as its authentication back end) trigger a flood of LFD notifications like the one below. LFD (the login failure daemon that ships with CSF) blocks each source address after a handful of failures, and each block generates a notification, so the inbox fills up while the attack simply continues from the next address:

Time: Wed Dec 6 09:25:20 2017 -0500
IP: 80.110.117.158 (AT/Austria/80-110-117-158.cgn.dynamic.surfer.at)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

2017-12-06 09:10:09 dovecot_plain authenticator failed for 80-110-117-158.cgn.dynamic.surfer.at (10.0.0.3) [80.110.117.158]:28811: 535 Incorrect authentication data (set_id=product.order@xxxxxx.com)
2017-12-06 09:23:01 dovecot_plain authenticator failed for 80-110-117-158.cgn.dynamic.surfer.at (10.0.0.8) [80.110.117.158]:28825: 535 Incorrect authentication data (set_id=lucy@xxxxxx.com)
2017-12-06 09:24:28 dovecot_plain authenticator failed for 80-110-117-158.cgn.dynamic.surfer.at (10.0.0.54) [80.110.117.158]:28832: 535 Incorrect authentication data (set_id=info@xxxxxx.com)
2017-12-06 09:24:29 dovecot_plain authenticator failed for 80-110-117-158.cgn.dynamic.surfer.at (10.0.0.61) [80.110.117.158]:28892: 535 Incorrect authentication data (set_id=product.order@xxxxxx.com)
2017-12-06 09:25:16 dovecot_plain authenticator failed for 80-110-117-158.cgn.dynamic.surfer.at (10.0.0.38) [80.110.117.158]:28848: 535 Incorrect authentication data (set_id=lucy@xxxxxx.com)

The abuse is distributed worldwide: each source address makes a few attempts against a rotating set of mailboxes (note the different set_id values above, a sign of password spraying rather than a single-account brute force) and is then replaced by another address, so the per-IP blocks LFD applies never catch up.
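To see the pattern in the raw Exim log rather than one notification at a time, here is an added example (not part of the original post) that counts "authenticator failed" lines per source IP the way LFD's smtpauth trigger does, and lists the mailboxes each address tried. The log lines are constructed for the example and the source addresses are RFC 5737 documentation ranges, not real attackers; the threshold of 5 mirrors the notification above.

```shell
#!/bin/sh
# Added example (not from the original post): tally Exim "authenticator failed"
# lines per source IP, as lfd's smtpauth trigger does within its interval, and
# show which mailboxes each IP tried. Sample lines are constructed; the source
# IPs are RFC 5737 documentation addresses, not real attackers.
EXIM_LOG_SAMPLE='2017-12-06 09:10:09 dovecot_plain authenticator failed for h1.example (10.0.0.3) [198.51.100.7]:28811: 535 Incorrect authentication data (set_id=product.order@example.com)
2017-12-06 09:23:01 dovecot_plain authenticator failed for h1.example (10.0.0.8) [198.51.100.7]:28825: 535 Incorrect authentication data (set_id=lucy@example.com)
2017-12-06 09:24:28 dovecot_plain authenticator failed for h1.example (10.0.0.54) [198.51.100.7]:28832: 535 Incorrect authentication data (set_id=info@example.com)
2017-12-06 09:24:29 dovecot_plain authenticator failed for h1.example (10.0.0.61) [198.51.100.7]:28892: 535 Incorrect authentication data (set_id=product.order@example.com)
2017-12-06 09:25:16 dovecot_plain authenticator failed for h1.example (10.0.0.38) [198.51.100.7]:28848: 535 Incorrect authentication data (set_id=lucy@example.com)
2017-12-06 09:26:02 dovecot_plain authenticator failed for h2.example (10.0.0.9) [203.0.113.40]:51012: 535 Incorrect authentication data (set_id=info@example.com)
2017-12-06 09:27:44 dovecot_plain authenticator failed for h2.example (10.0.0.9) [203.0.113.40]:51013: 535 Incorrect authentication data (set_id=lucy@example.com)
2017-12-06 09:28:10 <= sender@example.org H=mx.example.org [192.0.2.5] P=esmtp S=1234'

# smtpauth_failures LOGTEXT THRESHOLD
# Prints "IP COUNT" for every source IP with at least THRESHOLD failures.
# The source address is the bracketed "[ip]:port" token Exim writes after the
# reverse-DNS name; the parenthesised name before it is only the EHLO string.
smtpauth_failures() {
  printf '%s\n' "$1" | awk -v thr="$2" '
    /authenticator failed for/ && match($0, /\[[0-9.]+\]:[0-9]+:/) {
      ip = substr($0, RSTART + 1)   # drop the leading "["
      sub(/\].*/, "", ip)           # keep only the address
      n[ip]++
    }
    END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }' | sort
}

# smtpauth_targets LOGTEXT IP
# Prints "MAILBOX COUNT" for the accounts a given IP tried (the set_id value),
# which shows the rotation across mailboxes seen in the notification.
smtpauth_targets() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /authenticator failed for/ && index($0, "[" want "]:") && match($0, /set_id=[^)]*\)/) {
      id = substr($0, RSTART + 7, RLENGTH - 8)   # strip "set_id=" and ")"
      t[id]++
    }
    END { for (id in t) print id, t[id] }' | sort
}

echo "Source IPs at or above lfd's 5-failure threshold:"
smtpauth_failures "$EXIM_LOG_SAMPLE" 5
echo "Mailboxes tried by 198.51.100.7:"
smtpauth_targets "$EXIM_LOG_SAMPLE" 198.51.100.7
```

On a real server feed it the relevant slice of the Exim main log (for example `grep 'authenticator failed' /var/log/exim_mainlog`) instead of the embedded sample; the second address in the sample stays under the threshold, which is exactly why the per-IP block alone does not reduce the noise.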

Solution: Configure CSF ("ConfigServer Security & Firewall") so that the mail-related ports accept inbound connections only from authorized countries. Allowing a handful of countries loads far fewer address ranges into the firewall than denying every country the abuse comes from, and the allow list does not need updating each time the attackers move to a new range.

In CSF, configure the following (the headings below are the sections of the Firewall Configuration UI; the same keys live in /etc/csf/csf.conf):

Under: IPv4 Port Settings >> TCP_IN

Remove the mail ports (leave every other port in TCP_IN as it is):
110,143,993,995,25,587,465

Once removed, these ports are reachable only through the country allow list configured in the next two settings, so do not restart the firewall until those are in place.

Under: Country Code Lists and Settings >> CC_ALLOW_PORTS

Add (this is an example, change to the actual required country codes only; use ISO 3166-1 alpha-2 codes and make sure the list includes your own country and every country your users send or collect mail from):

AU,CA,US

CSF must have downloaded its country-code IP database for these lists to take effect; if the lists are empty, the mail ports are open to nobody.

Under: Country Code Lists and Settings >> CC_ALLOW_PORTS_TCP

Add:

110,143,993,995,25,587,465

Restart CSF and LFD (csf -ra) and observe that the distributed attempts decrease substantially. csf -l lists the loaded iptables rules if you want to confirm the country ranges are in place for the mail ports.
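The three settings above can be applied and checked from a shell as well. The script below is an added example, not part of the original post or of CSF itself: it edits the `KEY = "value"` lines that csf.conf uses, strips the mail ports from TCP_IN, sets the two country-code keys, and then refuses to proceed if any mail port would end up reachable from nowhere (the failure mode when CC_ALLOW_PORTS is left empty). It works on a constructed csf.conf excerpt in a temporary file; on a real server point it at /etc/csf/csf.conf and follow it with csf -ra.

```shell
#!/bin/sh
# Added example (not from the original post or from CSF): apply the three
# csf.conf changes described above to a copy of csf.conf and sanity-check the
# result before restarting the firewall. The csf.conf excerpt below is
# constructed for the example; the real file is /etc/csf/csf.conf.
set -e

MAIL_PORTS="110,143,993,995,25,587,465"   # the ports the post moves out of TCP_IN

# csf_get KEY FILE: print the value of a csf.conf line of the form KEY = "value"
csf_get() { sed -n "s/^$1 = \"\(.*\)\"/\1/p" "$2"; }

# csf_set KEY VALUE FILE: rewrite that line in place (VALUE must not contain / or &)
csf_set() {
  sed "s/^$1 = \".*\"/$1 = \"$2\"/" "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# remove_ports LIST DROP: LIST without the ports in DROP, duplicates removed,
# original order kept (the post's own removal list repeats 587 and 465)
remove_ports() {
  printf '%s\n' "$1" | tr ',' '\n' | awk -v drop="$2" '
    BEGIN { n = split(drop, d, ","); for (i = 1; i <= n; i++) del[d[i]] = 1 }
    $0 != "" && !($0 in del) && !seen[$0]++ { out = out (out == "" ? "" : ",") $0 }
    END { print out }'
}

# geo_restrict_mail CONF COUNTRIES: TCP_IN minus the mail ports,
# CC_ALLOW_PORTS = COUNTRIES, CC_ALLOW_PORTS_TCP = the mail ports
geo_restrict_mail() {
  csf_set TCP_IN "$(remove_ports "$(csf_get TCP_IN "$1")" "$MAIL_PORTS")" "$1"
  csf_set CC_ALLOW_PORTS "$2" "$1"
  csf_set CC_ALLOW_PORTS_TCP "$MAIL_PORTS" "$1"
}

# mail_ports_reachable CONF: return 1 if any mail port is in neither TCP_IN nor
# CC_ALLOW_PORTS_TCP, or is in CC_ALLOW_PORTS_TCP while CC_ALLOW_PORTS is empty.
# Either combination silently blocks all mail once the firewall is restarted.
mail_ports_reachable() {
  tcp_in=",$(csf_get TCP_IN "$1"),"
  cc=$(csf_get CC_ALLOW_PORTS "$1")
  cc_tcp=",$(csf_get CC_ALLOW_PORTS_TCP "$1"),"
  for p in $(printf '%s' "$MAIL_PORTS" | tr ',' ' '); do
    case "$tcp_in" in *,"$p",*) continue ;; esac
    case "$cc_tcp" in *,"$p",*) if [ -n "$cc" ]; then continue; fi ;; esac
    echo "port $p is reachable from nowhere: check CC_ALLOW_PORTS" >&2
    return 1
  done
  return 0
}

CONF=$(mktemp)
trap 'rm -f "$CONF" "$CONF.tmp"' EXIT
cat > "$CONF" <<'EOF'
# constructed csf.conf excerpt: only the keys this script touches
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
CC_ALLOW_PORTS = ""
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""
EOF

geo_restrict_mail "$CONF" "AU,CA,US"   # example countries only, as in the post
mail_ports_reachable "$CONF"
grep -E '^(TCP_IN|CC_ALLOW_PORTS|CC_ALLOW_PORTS_TCP) ' "$CONF"
# On the real file the final step is: csf -ra   (restart csf and lfd)
```

The reachability check is the part worth keeping: run it against /etc/csf/csf.conf after any hand edit, because a typo in CC_ALLOW_PORTS produces no error from CSF, only a mail server that nobody can connect to.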

Caveat! – Countries that are NOT listed in CC_ALLOW_PORTS cannot connect to the mail ports at all. Mail servers in those countries cannot deliver to you on port 25, so mail sent from there bounces, and users there cannot send or collect mail on 587/465 or 110/143/993/995. The above is known to block email from services such as Gmail, etc. If you must receive mail from the rest of the world, leave 25 in TCP_IN and apply the country restriction only to the submission and retrieval ports (587, 465, 110, 143, 993, 995), which are the ports your own users authenticate on; bear in mind that if AUTH is still offered on port 25, that port remains exposed to the brute forcing. Specific trusted servers can also be added to csf.allow (csf -a IP), which CSF honours regardless of country.
