
[9.107-33] SMTP -failed logins

Hi All

Lately I am getting a lot of "too many login failed" messages such as the one attached. I am trying to find why this is happening. I have enabled the blocking mechanism as per Definitions & Users>Authentication Servers>Advanced, so when there is a failed login message I will get notified. However, relaying is only allowed for specific users (email protection>smtp>relaying) and I am allowing only the internal network.

The IPs as per the attached notification are random (to name a few):
174.79.39.4
85.52.224.140
78.98.72.175 

As I don't have an open relay, I am not sure why this is happening.

Thanks


This thread was automatically locked due to age.
  • Hey Wingman - Wow!  

    Can you still authenticate if you remove everything from 'Allowed hosts/networks'?

    If you can, then we all just learned something.  I don't think it should work like that.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Wingman - Wow!  

    Can you still authenticate if you remove everything from 'Allowed hosts/networks'?

    If you can, then we all just learned something.  I don't think it should work like that.

    Cheers - Bob


    Hi Bob

    I am not able to log in, but I have just updated to the latest soft release (not sure if that's something that was fixed in the newest release).
    However, I am able to see the attempt via the logs:


    2014:01:28-14:41:33 ****** exim-in[4763]: 2014-01-28 14:41:33 SMTP connection from [174.79.39.4]:2063 (TCP/IP connection count = 1)
    
    2014:01:28-14:41:33 ****** exim-in[12190]: 2014-01-28 14:41:33 server_login authenticator failed for wsip-174-79-39-4.ph.ph.cox.net ([192.168.2.33]) [174.79.39.4]:2063: 535 Incorrect authentication data (set_id=acer)
    2014:01:28-14:41:34 ****** exim-in[12190]: 2014-01-28 14:41:34 server_login authenticator failed for wsip-174-79-39-4.ph.ph.cox.net ([192.168.2.33]) [174.79.39.4]:2063: 535 Incorrect authentication data (set_id=acer)
    2014:01:28-14:41:34 ****** exim-in[12190]: 2014-01-28 14:41:34 server_login authenticator failed for wsip-174-79-39-4.ph.ph.cox.net ([192.168.2.33]) [174.79.39.4]:2063: 535 Incorrect authentication data (set_id=acer)
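
Added example, not part of the original thread and not Sophos or exim code: a small Python parser for the `authenticator failed` lines quoted above that counts failed SMTP AUTH attempts per peer IP and flags sources that reach a threshold inside a time window. The function name, threshold and window are assumptions; the first four sample lines are copied from the post, the last one is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The bracketed address followed by ":port:" is the real TCP peer. The value in
# parentheses before it is the client-supplied HELO name and is not trusted.
FAIL_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+: 535 .*?"
    r"\(set_id=(?P<user>[^)]*)\)"
)

# Lines 1-4 are from the post; line 5 is constructed (documentation address).
SAMPLE = """\
2014:01:28-14:41:33 ****** exim-in[4763]: 2014-01-28 14:41:33 SMTP connection from [174.79.39.4]:2063 (TCP/IP connection count = 1)
2014:01:28-14:41:33 ****** exim-in[12190]: 2014-01-28 14:41:33 server_login authenticator failed for wsip-174-79-39-4.ph.ph.cox.net ([192.168.2.33]) [174.79.39.4]:2063: 535 Incorrect authentication data (set_id=acer)
2014:01:28-14:41:34 ****** exim-in[12190]: 2014-01-28 14:41:34 server_login authenticator failed for wsip-174-79-39-4.ph.ph.cox.net ([192.168.2.33]) [174.79.39.4]:2063: 535 Incorrect authentication data (set_id=acer)
2014:01:28-14:41:34 ****** exim-in[12190]: 2014-01-28 14:41:34 server_login authenticator failed for wsip-174-79-39-4.ph.ph.cox.net ([192.168.2.33]) [174.79.39.4]:2063: 535 Incorrect authentication data (set_id=acer)
2014:01:28-14:50:02 ****** exim-in[12201]: 2014-01-28 14:50:02 server_login authenticator failed for (mail.example) [203.0.113.9]:40112: 535 Incorrect authentication data (set_id=alice)
""".splitlines()


def flag_auth_bruteforce(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "users": set}} for peers with at least
    `threshold` failed AUTH attempts inside any `window`-long interval."""
    events = defaultdict(list)
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(evs),
                               "users": {user for _, user in evs}}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in flag_auth_bruteforce(SAMPLE).items():
        print(ip, info["failures"], sorted(info["users"]))
```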