1

Topic: postfix-fail2ban reject-with icmp-port-unreachable

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi guys,

I'm having an issue with one of my virtual domains. There's about 15 - 20 users on the domain.

For some reason fail2ban keeps on blocking the IP of where those users are emailing from. I'm assuming it's something to do with maybe a bad setup somewhere along the way, and too many connections coming in from somewhere, but I need help to fix the problem. The fail2ban-postfix error is always: reject-with icmp-port-unreachable

Please can you help me with the steps to find the problem.

Thanks,
Tay


2

Re: postfix-fail2ban reject-with icmp-port-unreachable

I don't understand what issue we're talking about.
Could you please show us the original log related to this error?

3 (edited by tayzee 2018-05-31 01:06:36)

Re: postfix-fail2ban reject-with icmp-port-unreachable

I'm not sure what to look for.

I keep on getting calls from some of my users saying their email isn't working. I check iptables and I see that the fail2ban postfix rule keeps on blocking their IP address with this error next to it: reject-with icmp-port-unreachable

I then have to run the fail2ban unban command for that IP and then the mail starts working again for a while, but then it gets banned again after a while.

I've subsequently had to turn off the fail2ban postfix rule for now.

I'm not sure what logs I need to check to ascertain what is happening.

4

Re: postfix-fail2ban reject-with icmp-port-unreachable

- If your users connect from a static IP, you can whitelist them in /etc/fail2ban/jail.local.
- If your users connect from a dynamic IP, you have to figure out why it's banned in the Fail2ban log file (/var/log/syslog or /var/log/messages), and maybe /var/log/maillog and /var/log/dovecot/*.log.

5

Re: postfix-fail2ban reject-with icmp-port-unreachable

Hello,

I have the same problem that tayzee has talked about.

I get the following from iptables command:

Chain f2b-postfix (2 references)
target     prot opt source               destination         
REJECT     all  --  201.68.188.229       0.0.0.0/0            reject-with icmp-port-unreachable

I want to know why this problem is happening and what is causing it.

Do you have any idea? How can I track it to see what is causing it?

The blocked ip should not be blocked, since it is a known user from my email server.

I have whitelisted this IP, but it is a dynamic IP and can't change at any moment.

Please help.

Thanks in advance!

6

Re: postfix-fail2ban reject-with icmp-port-unreachable

diogogbrandao wrote:

Chain f2b-postfix (2 references)
target     prot opt source               destination         
REJECT     all  --  201.68.188.229       0.0.0.0/0            reject-with icmp-port-unreachable
I want to know why this problem is happening and what is causing it.
Do you have any idea? How can I track it to see what is causing it?

- What: Fail2ban caused this.
- Why: Fail2ban scans log file to find bad clients and ban their IP addresses.

The iptables chain is "f2b-postfix", so it's caused by Postfix-related errors. You need to check the Postfix log file (/var/log/maillog) and figure out what error was triggered by your client "201.68.188.229", then make sure the error won't happen again. This way no whitelist is required.

7

Re: postfix-fail2ban reject-with icmp-port-unreachable

ZhangHuangbin,

I found the file, but it is very large.

Although I know the moment in time when we got client complaints, I could not find any suspect message there.

I searched for the client's IP and found normal e-mail procedures or they weren't and I wasn't able to identify.

What kind of message should I look for to identify the error?

Thanks in advance!

8

Re: postfix-fail2ban reject-with icmp-port-unreachable

Try this command:

fail2ban-regex --print-all-matched /var/log/maillog /etc/fail2ban/filter.d/postfix.iredmail.conf > /tmp/f2b.log

It will print all matched log lines to file /tmp/f2b.log, then you can filter that client's IP.
If you're not sure why it was blocked, paste the matched log lines somewhere and share the link here so that others can help troubleshoot. Note: you'd better replace sensitive info before pasting, for example, replace the real mail domain name with "mydomain.com" and the real IP address with "x.x.x.x". Just add 1-2 lines to explain what you replaced.

9

Re: postfix-fail2ban reject-with icmp-port-unreachable

I've generated the file f2b.log.

There are multiple times when this line repeats itself within an hour:

msg postfix/submission/smtpd[29046]: NOQUEUE: reject: RCPT from XXX-XX-XXX-XXX.dsl.telesp.net.br[XXX.XX.XXX.XXX]: YYY Y.Y.Y <XXX-XX-XXX-XXX.dsl.telesp.net.br[XXX.XX.XXX.XXX]>: Client host rejected: Access denied; from=<abcd@domain.com.br> to=<abcd@domain.com.br> proto=ESMTP helo=<[ZZZ.ZZZ.Z.ZZZ]>

The text with "X" is from an IP address.
The text with "Y" is from another number which I don't know what it accounts for.
The text with "Z" is from another IP address.

I think postfix is blocking the IP XXX.XX.XXX.XXX after a number of rejections that happen on the line above.

The e-mail abcd@domain.com.br is sending to itself and postfix is rejecting it.

How to better interpret that line?

How can an error be associated with this process?

Is my suspicion correct? Or could what causes the blocking be in another line?

Thanks in advance!

10

Re: postfix-fail2ban reject-with icmp-port-unreachable

It seems this client didn't enable SMTP authentication to send email through port 587.
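
The reject line quoted in post 9 and the diagnosis above can be checked against the mail log directly. The following Python script is an added example, not part of the original thread or of iRedMail or Fail2ban: it parses Postfix "NOQUEUE: reject" lines and reports which client IPs reach a ban threshold, on which Postfix service and for which reason. The `maxretry`, `findtime` and `year` defaults and the sample log lines are assumptions; use the values from your own jail configuration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix "NOQUEUE: reject" line: timestamp, service, client IP, reject reason.
REJECT_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"postfix/(?P<service>[\w/-]+)\[\d+\]: NOQUEUE: reject: \w+ from "
    r"\S*\[(?P<ip>[0-9a-fA-F.:]+)\]: \d{3} \S+ [^:]*: (?P<reason>[^;]+);"
)

def find_ban_triggers(log_text, maxretry=5, findtime=600, year=2018):
    """Return {ip: {...}} for clients with >= maxretry rejects inside any
    findtime-second window. maxretry/findtime/year defaults are assumptions."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            # Syslog timestamps carry no year, so one is supplied by the caller.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["service"], m["reason"].strip()))
    window, flagged = timedelta(seconds=findtime), {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end, (ts, service, reason) in enumerate(hits):
            while ts - hits[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:        # threshold reached: ban point
                flagged[ip] = {"service": service, "reason": reason,
                               "hits": end - start + 1, "banned_at": ts}
                break
    return flagged

# Constructed sample log (documentation IPs and domains, not from the thread).
_LINE = ("May 30 09:{mm:02d}:00 mail postfix/submission/smtpd[2901]: NOQUEUE: "
         "reject: RCPT from unknown[{ip}]: 554 5.7.1 <unknown[{ip}]>: Client host "
         "rejected: Access denied; from=<a@example.com> to=<a@example.com> "
         "proto=ESMTP helo=<[192.168.1.10]>")
SAMPLE_LOG = "\n".join(
    [_LINE.format(mm=m, ip="203.0.113.7") for m in range(6)]        # 6 in 5 min
    + [_LINE.format(mm=m, ip="198.51.100.9") for m in (0, 20, 40)]  # 3 in 40 min
)

if __name__ == "__main__":
    for ip, info in find_ban_triggers(SAMPLE_LOG).items():
        print(ip, info["service"], info["reason"], info["hits"], info["banned_at"])
```

A flagged client whose service is `submission/smtpd` and whose reason is "Client host rejected: Access denied" matches the case described in this thread: a mail client retrying on port 587 without SMTP authentication until the jail threshold is reached.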

11

Re: postfix-fail2ban reject-with icmp-port-unreachable

But, SMTP Authentication is enabled by default on iRedMail, isn't it?

12

Re: postfix-fail2ban reject-with icmp-port-unreachable

diogogbrandao wrote:

But, SMTP Authentication is enabled by default on iRedMail, isn't it?

iRedMail supports smtp authentication and forces all clients to send email with smtp authentication, but the MUA must enable smtp authentication. In your case, it's a MUA side issue.

13

Re: postfix-fail2ban reject-with icmp-port-unreachable

What is the MUA you are referring to in that case?

According to my sources, it is the software that we use to send e-mails.

If we are sending the e-mail from iRedMail to iRedMail, it must be already enabled, the SMTP authentication.

Any idea on how should I proceed?

14

Re: postfix-fail2ban reject-with icmp-port-unreachable

diogogbrandao wrote:

According to my sources, it is the software that we use to send e-mails.

Yes, the software you use to send email, for example Thunderbird, Outlook, etc., including webmail (but it's enabled by iRedMail by default).

diogogbrandao wrote:

If we are sending the e-mail from iRedMail to iRedMail, it must be already enabled, the SMTP authentication.

It's a MUA side configuration, not server side.