Topic: Why does iRedmail fail2ban block so many ports?
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5
- Linux/BSD distribution name and version: CentOS7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
I've been running into an issue where some fail2ban BAN activity kills all access to my server. This is mostly resulting from inbound bad behavior on my smtp port.
I looked at /etc/fail2ban/jail.conf and noticed that all of the iRedMail-provided configs add lots of ports, even inappropriate ones. Here is iredmail-postfix:
[postfix-iredmail]
enabled = true
filter = postfix.iredmail
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# sendmail[name=Postfix, dest=root, sender=fail2ban@localhost]
logpath = /var/log/maillog
Why would a POSTFIX ban need to include http, https, pop3, imap, imaps, sieve, etc?
If it's bad smtp traffic then it should ban 25, 465 and 587. It shouldn't kill everything.
The only logged f2b bans are on postfix-iredmail but they manage to block web access, admin interfaces (www), non-iRedMail services running via https, etc.
Chain f2b-postfix (1 references)
target prot opt source destination
REJECT all -- 92.42.8.1 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 125.31.39.66 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 60.173.105.110 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 218.22.100.42 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 115.84.105.146 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 223.93.150.160 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 220.178.107.242 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
f2b-SOGo tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,995,143,993,4190
f2b-postfix tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,995,143,993,4190 <----so many
f2b-dovecot tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,995,143,993,4190
f2b-roundcube tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443,25,587,110,995,143,993,4190
It seems like a shotgun approach where an errant mail program locks up everything. postfix should block smtp related ports, dovecot imap ports, roundcube web ports, etc.
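As an added example (not code from iRedMail, fail2ban or the poster), the script below does two things a practitioner would want after reading the post: it parses jail stanzas of the shape quoted above, reports which ports each jail bans beyond its own service, and renders a jail.local fragment that narrows the `action` line to just those ports. The per-jail port policy (`JAIL_PORTS`) is an assumption chosen for this illustration; it follows the post's suggestion that a Postfix ban should cover 25, 465 and 587, and the sample config embedded in the script is constructed from the stanza in the post plus a dovecot stanza of the same shape. Port 465 is written numerically because its name in /etc/services (smtps, ssmtp or urd) differs between distributions.

```python
"""Audit fail2ban jails for over-broad iptables-multiport port lists and
emit a jail.local override that restricts each jail to its own service.

Added example for illustration; not iRedMail's or fail2ban's own code.
"""
import configparser
import re

# Assumed policy (not from the post or from iRedMail): the ports a ban from
# each jail should cover. Adjust to the services you actually expose.
JAIL_PORTS = {
    "postfix-iredmail": ["smtp", "submission", "465"],
    "dovecot-iredmail": ["pop3", "pop3s", "imap", "imaps", "sieve"],
    "roundcube-iredmail": ["http", "https"],
    "sogo-iredmail": ["http", "https"],
}

# Constructed sample: the [postfix-iredmail] stanza quoted in the post and a
# dovecot stanza of the same shape (the dovecot one is made up for contrast).
SAMPLE_JAIL_CONF = """
[postfix-iredmail]
enabled = true
filter = postfix.iredmail
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog

[dovecot-iredmail]
enabled = true
filter = dovecot.iredmail
action = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog
"""

# action line:  <action-name>[<args>]
ACTION_RE = re.compile(r'^(?P<action>[\w-]+)\[(?P<args>.*)\]\s*$')
# port argument, quoted ("a,b,c") or a single bare value
PORT_RE = re.compile(r'\bport\s*=\s*(?:"([^"]*)"|([^,\]\s]+))')


def parse_jails(text):
    """Return {jail: {"action": name, "args": str, "ports": [..]}} for each
    jail whose first action line carries a port list."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    jails = {}
    for section in cp.sections():
        action = cp.get(section, "action", fallback="").strip()
        if not action:
            continue
        m = ACTION_RE.match(action.splitlines()[0])
        if not m:
            continue
        pm = PORT_RE.search(m.group("args"))
        if not pm:
            continue
        raw = pm.group(1) if pm.group(1) is not None else pm.group(2)
        ports = [p.strip() for p in raw.split(",") if p.strip()]
        jails[section] = {"action": m.group("action"),
                          "args": m.group("args"), "ports": ports}
    return jails


def excess_ports(jail, ports, policy=JAIL_PORTS):
    """Ports the jail bans that lie outside its own service set.
    Jails absent from the policy are not flagged."""
    allowed = set(policy.get(jail, ports))
    return [p for p in ports if p not in allowed]


def render_override(jails, policy=JAIL_PORTS):
    """Build a jail.local fragment restating only the `action` key for every
    over-broad jail; fail2ban merges jail.local over jail.conf key by key,
    so enabled/filter/logpath are inherited unchanged."""
    out = []
    for jail, info in jails.items():
        if jail not in policy or not excess_ports(jail, info["ports"], policy):
            continue
        joined = ",".join(policy[jail])
        args = PORT_RE.sub(lambda _m: f'port="{joined}"', info["args"], count=1)
        out.append(f"[{jail}]\naction = {info['action']}[{args}]\n")
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_jails(SAMPLE_JAIL_CONF)
    for jail, info in found.items():
        extra = excess_ports(jail, info["ports"])
        print(f"{jail}: bans {len(info['ports'])} ports, "
              f"{len(extra)} outside its service: {','.join(extra) or '-'}")
    print("\n# suggested /etc/fail2ban/jail.local fragment:\n")
    print(render_override(found))
```

Drop the rendered fragment into /etc/fail2ban/jail.local (or a file under /etc/fail2ban/jail.d/, which fail2ban reads after jail.conf), run `fail2ban-client reload`, and confirm the narrowed rule with `iptables -S INPUT | grep f2b-postfix`: the `--dports` list on the jump to `f2b-postfix` should now contain only 25,587,465. Keeping `name=postfix` in the override means the existing `f2b-postfix` chain is reused, so the change is limited to which destination ports route into it; a banned SMTP abuser still cannot reach SMTP, but an unrelated HTTPS visitor sharing that address is no longer cut off.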