We noticed a login to your Acme account from a new location. #4452

Open
camemb3rt opened this issue Mar 26, 2025 · 0 comments

camemb3rt commented Mar 26, 2025

I just received an odd e-mail from my server claiming that "We noticed a login to your Acme account from a new location."
I've never received such a notification before and I'm not quite sure what this could mean.
My best guess is that this was caused by NGINX Proxy Manager.
Despite it being in a docker container, the support at OMV claimed it's possible NPM used postfix to notify me through an e-mail.
Here's the header of the e-mail:

Delivered-To: [email protected]
Received: by KEY with SMTP id kw18csp2411343vqb;
        Mon, 24 Mar 2025 17:33:06 -0700 (PDT)
X-Received: by KEY with SMTP id 98e67ed59e1d1-3030fe75769mr21629505a91.5.1742862785744;
        Mon, 24 Mar 2025 17:33:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1742862785; cv=none;
        d=google.com; s=arc-20240605;
        b=KEY==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=date:message-id:to:subject:from:dkim-signature;
        bh=khmMn2VywgJ40IFc0laN4+SwCQ/YJocqU1/mTP7Nl6Y=;
        fh=9exAewvQdmN5hO8CqytTlm7+oLE1B0s4+x95LsE4jbc=;
        b=KEY==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=20230601 header.b=T6nmPQ7r;
       spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
       dara=pass [email protected]
Return-Path: <[email protected]>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id ID
        for <[email protected]>
        (Google Transport Security);
        Mon, 24 Mar 2025 17:33:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=20230601 header.b=T6nmPQ7r;
       spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected];
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
       dara=pass [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1742862785; x=1743467585; dara=google.com;
        h=date:message-id:to:subject:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=khmMn2VywgJ40IFc0laN4+SwCQ/YJocqU1/mTP7Nl6Y=;
        b=KEY==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1742862785; x=1743467585;
        h=date:message-id:to:subject:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=khmMn2VywgJ40IFc0laN4+SwCQ/YJocqU1/mTP7Nl6Y=;
        b=KEY==
X-Gm-Message-State: KEY==
X-Gm-Gg: KEY==
X-Google-Smtp-Source: KEY;
        Mon, 24 Mar 2025 17:33:04 -0700 (PDT)
Return-Path: <[email protected]>
Received: from brie.localdomain ([MY IP])
        by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-3030f60b919sm8849225a91.27.2025.03.24.17.33.04
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 24 Mar 2025 17:33:04 -0700 (PDT)
Received: from brie (localhost.localdomain [127.0.0.1])
    by brie.localdomain (Postfix) with ESMTP id AC74960EEA
    for <[email protected]>; Mon, 24 Mar 2025 21:33:02 -0300 (-03)
Content-Type: text/html; charset=UTF-8
From: "Support" <[email protected]>
Subject: [brie] Login from a new location
To: [email protected]
Message-Id: <[email protected]>
Date: Mon, 24 Mar 2025 21:33:02 -0300 (-03)


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta name="viewport" content="width=device-width,initial-scale=1" />
    <style>
        body, html {
            padding: 0;
            margin: 0;
            border: 0;
            color: #16161a;
            background: #fff;
            font-size: 14px;
            line-height: 20px;
            font-weight: normal;
            font-family: Source Sans Pro, sans-serif, emoji;
        }
        body {
            padding: 20px 30px;
        }
        strong {
            font-weight: bold;
        }
        em, i {
            font-style: italic;
        }
        p {
            display: block;
            margin: 10px 0;
            font-family: inherit;
        }
        small {
            font-size: 12px;
            line-height: 16px;
        }
        hr {
            display: block;
            height: 1px;
            border: 0;
            width: 100%;
            background: #e1e6ea;
            margin: 10px 0;
        }
        a {
            color: inherit;
        }
        .hidden {
            display: none !important;
        }
        .btn {
            display: inline-block;
            vertical-align: top;
            border: 0;
            cursor: pointer;
            color: #fff !important;
            background: #16161a !important;
            text-decoration: none !important;
            line-height: 40px;
            width: auto;
            min-width: 150px;
            text-align: center;
            padding: 0 20px;
            margin: 5px 0;
            font-family: Source Sans Pro, sans-serif, emoji;;
            font-size: 14px;
            font-weight: bold;
            border-radius: 6px;
            box-sizing: border-box;
        }
    </style>
</head>
<body>
    <p>Hello,</p>
<p>We noticed a login to your Acme account from a new location.</p>
<p>If this was you, you may disregard this email.</p>
<p><strong>If this wasn't you, you should immediately change your Acme account password to revoke access from all other locations.</strong></p>
<p>
  Thanks,<br/>
  Acme team
</p>
</body>
</html>

And the e-mail itself:
Image

Here's what I assume happened:

  • NPM generates a certificate through my domain provider's API (porkbun in this case) and on porkbun's UI there's another place where you can generate certificates;
  • My NPM uses one of them and the other was created automatically when I registered a redirect record (URL forwarding) in the afternoon;
  • Seeing that both the API and the manual way are generating certificates on my porkbun account, it's using the same email and NGINX considers that "logins from different locations";
  • The second one seems to have taken quite a while to propagate so that's why me getting this message in the middle of the night worried me;

Anyways, if that's really what it is, I still find it surprising that searching for the exact string "We noticed a login to your Acme account from a new location." gives me nothing. Feels like I'm the only person that's ever gotten this e-mail.
If possible, I want to know if this is part of NPM's behaviour and if my assumptions are correct, and, if not, what I should be doing to remedy it.
Thanks
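
Added example, not part of the original post: a Python sketch that reads the `Received` chain from the header above oldest-first and reports which server first accepted the message and whether it was submitted over loopback. `SAMPLE` is constructed from the post's three hops with redacted values replaced by `example.com` and a documentation IP; the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the three Received hops from the post, with redacted
# addresses replaced by example.com and a documentation IP (203.0.113.7).
SAMPLE = """\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id ID
        for <user@example.com>
        (Google Transport Security);
        Mon, 24 Mar 2025 17:33:05 -0700 (PDT)
Received: from brie.localdomain ([203.0.113.7])
        by smtp.gmail.com with ESMTPSA id EXAMPLE
        for <user@example.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 24 Mar 2025 17:33:04 -0700 (PDT)
Received: from brie (localhost.localdomain [127.0.0.1])
    by brie.localdomain (Postfix) with ESMTP id AC74960EEA
    for <user@example.com>; Mon, 24 Mar 2025 21:33:02 -0300 (-03)
Subject: [brie] Login from a new location
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+by\s+(?P<by>\S+)"
                 r"(?:\s+\((?P<mta>[^)]*)\))?\s+with\s+(?P<proto>\S+)")
PEER_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

def received_chain(raw):
    """Return the hops oldest first (each server prepends its own header)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if m:
            ip = PEER_IP.search(m.group("peer"))
            hops.append({**m.groupdict(), "ip": ip.group(1) if ip else None})
    return hops

def origin(raw):
    """Summarise the first hop; a loopback peer means local submission."""
    hops = received_chain(raw)
    if not hops:
        return None
    first = hops[0]
    local = bool(first["ip"]) and ipaddress.ip_address(first["ip"]).is_loopback
    return {"accepted_by": first["by"], "mta": first["mta"], "local_submission": local}

if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(f'{hop["helo"]} [{hop["ip"]}] -> {hop["by"]} via {hop["proto"]}')
    print(origin(SAMPLE))
```

`Received` lines written before the first server you trust are sender-controlled, so treat the loopback hop as a lead to confirm against the Postfix log on that host (queue id `AC74960EEA` in the header above).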
