1

Topic: f2b Postfix Whitelist

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? download
- Linux/BSD distribution name and version: Debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I run GNOME on my desktop, and Geary as my email application of choice. Because of this, I run 3 email inboxes on it and one on my phone. When it authorizes at home, it is banning my IP address because I have F2B set to ban after 3 attempts. I want to whitelist my IP/hostname at home so this does not happen.

In the config file, I put my hostname in the ignoreip= field and restarted fail2ban; this did not resolve the issue. Where do I need to put this so I can whitelist my IP from getting banned by fail2ban?


2

Re: f2b Postfix Whitelist

If your client IP address is dynamic, you have to update the fail2ban config file or whitelist/unban the IP with the "fail2ban-client" command.

3

Re: f2b Postfix Whitelist

The IP address has been added to the postfix-iredmail jail through fail2ban-client using the below script. If I reload (or restart, or whatever) it bans the IP again even if I unbanip using the same command. It shows in the config file for postfix-iredmail as an ignored IP, and is still banning it.

sudo fail2ban-client set postfix-iredmail addignoreip my.full.ip.address

My IP at home is static.

4 (edited by wylel 2019-09-24 11:32:05)

Re: f2b Postfix Whitelist

I am getting the following error as well:

Sep 23 22:22:39 mail fail2ban.action[16642]: ERROR iptables -w -D f2b-postfix -s MYIP -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
Sep 23 22:22:39 mail fail2ban.action[16642]: ERROR iptables -w -D f2b-postfix -s MYIP -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
Sep 23 22:22:39 mail fail2ban.action[16642]: ERROR iptables -w -D f2b-postfix -s MYIP -j REJECT --reject-with icmp-port-unreachable -- returned 1

Sep 23 22:22:39 mail fail2ban.actions[16642]: ERROR Failed to execute unban jail 'postfix-iredmail' action 'iptables-multiport' info '{'ip': 'MYIP', 'failures': 3, 'matches': 'Sep 23 22:22:36 mail postfix/submission/smtpd[18741]: lost connection after AUTH from MYHOSTNAME[MYIP]Sep 23 22:22:37 mail postfix/submission/smtpd[18741]: lost connection after AUTH from MYHOSTNAME[MYIP]Sep 23 22:22:38 mail postfix/submission/smtpd[18741]: lost connection after AUTH from MYHOSTNAME[MYIP]', 'time': 1569295359.486758}': Error unbanning MYIP

I had already set f2b to ban after 3 attempts, mainly for sshd as I noticed brute force would stop at 3 (instead of the default 5). Either way, why is this banning this, or failing to unban as it states?

5

Re: f2b Postfix Whitelist

Seems to be a temporary Fail2ban issue; restarting the iptables and fail2ban services should fix this issue.

6

Re: f2b Postfix Whitelist

This is just not working. I have the ip whitelisted under ignoreip, but just checking email on 3 inboxes at once. I have confirmed the IP is correct and is there, I have restarted the services and have rebooted the machine, still the same exact issue. I must be doing this wrong.

I looked through the docs, and maybe there needs to be one for this if it's something in iRedMail doing it. I don't see how it could be, as both the default f2b and the postfix-iredmail config for f2b have the ignoreip in it.

I am happy to work on this with you and even write up a documentation on it; it's just extremely frustrating to have to find what line the REJECT is and then delete it from iptables every single time it happens.

On a side note, where are the iptables rules pulled from when iptables is restored (as iptables-restore would do)? I ask because I changed my SSH port and need it to accept connections even after I reboot the server.

7

Re: f2b Postfix Whitelist

- Which fail2ban config file did you modify to add the whitelist?
- Usually the error in #4 of this thread can be fixed by restarting both iptables and fail2ban services, not sure why it doesn't work for you.

wylel wrote:

I am happy to work on this with you and even write up a documentation on it; it's just extremely frustrating to have to find what line the REJECT is and then delete it from iptables every single time it happens.

You can use the script shipped in iRedMail: iRedMail-0.9.9/tools/fail2ban_unban_ip.sh. Just run:

bash fail2ban_unban_ip.sh <ip> <ip> <ip>

8 (edited by wylel 2019-11-16 09:17:18)

Re: f2b Postfix Whitelist

ZhangHuangbin wrote:

- Which fail2ban config file did you modify to add the whitelist?
- Usually the error in #4 of this thread can be fixed by restarting both iptables and fail2ban services, not sure why it doesn't work for you.

wylel wrote:

I am happy to work on this with you and even write up a documentation on it; it's just extremely frustrating to have to find what line the REJECT is and then delete it from iptables every single time it happens.

You can use the script shipped in iRedMail: iRedMail-0.9.9/tools/fail2ban_unban_ip.sh. Just run:

bash fail2ban_unban_ip.sh <ip> <ip> <ip>

That worked. I found the iptables file that loads as well for the ssh port.

I edited /etc/fail2ban/jail.conf and /etc/fail2ban/filter.d/postfix.iredmail.conf with the ignoreip = my.ip.address

However, those do not seem to actually ignore the IP.

9

Re: f2b Postfix Whitelist

Please modify /etc/fail2ban/jail.local instead.

10

Re: f2b Postfix Whitelist

ZhangHuangbin wrote:

Please modify /etc/fail2ban/jail.local instead.

It was already in there, presumably because of the command run earlier in this thread.
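
Added example, not part of the thread and not iRedMail or fail2ban code: a simplified model of how fail2ban layers jail.conf and jail.local (later file wins, a jail's own section beats [DEFAULT]), used to compute which ignoreip a given jail actually ends up with. The file contents, the address 203.0.113.7 and the function names are constructed for illustration; jail.d/ files and `%(...)s` interpolation are not modelled.

```python
import configparser
import ipaddress

# Constructed sample files, not the poster's; 203.0.113.7 stands in for the home IP.
JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 203.0.113.7
maxretry = 5
"""
JAIL_LOCAL = """\
[DEFAULT]
maxretry = 3

[postfix-iredmail]
enabled = true
ignoreip = 127.0.0.1/8
"""

def effective_option(jail, option, sources):
    """Value a jail ends up with: later sources win, jail section beats [DEFAULT]."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in sources:            # read order: jail.conf first, jail.local last
        cp.read_string(text)
    if cp.has_section(jail):
        return cp.get(jail, option, fallback=None)
    return cp.defaults().get(option)

def is_ignored(ip, ignoreip_value):
    """True if ip falls inside any address or CIDR entry of an ignoreip value."""
    addr = ipaddress.ip_address(ip)
    for entry in (ignoreip_value or "").replace(",", " ").split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname entry: needs DNS, skipped in this offline example
        if addr.version == net.version and addr in net:
            return True
    return False

def jail_ignores(ip, jail, sources=(JAIL_CONF, JAIL_LOCAL)):
    """Combine both steps: is ip whitelisted for this jail after merging?"""
    return is_ignored(ip, effective_option(jail, "ignoreip", sources))

if __name__ == "__main__":
    for jail in ("sshd", "postfix-iredmail"):
        print(jail, effective_option(jail, "ignoreip", (JAIL_CONF, JAIL_LOCAL)),
              jail_ignores("203.0.113.7", jail))
```

In the constructed files the address is listed in jail.conf, yet the postfix-iredmail jail does not ignore it, because the jail's own ignoreip line in jail.local replaces the [DEFAULT] value instead of extending it. On a live server, `fail2ban-client get postfix-iredmail ignoreip` prints the list the running jail is using.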