1

Topic: f2ban/iptables keeps banning a NAT address

==== Required information ====
- iRedMail version (check /etc/iredmail-release): .096
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====


I have an iRedMail server external to my network, and all of my hosts are NAT'd behind a firewall. All of the hosts inside the network can resolve the host name of the external mail server and use it for mail transactions.
I think what is happening is that I have multiple hosts connecting for inbound/outbound emails, and when the mail transactions overlap on postfix on the iRedMail server (maybe too many hits per minute?), the email is dropped and eventually fail2ban activates the postfix jail for the public IP address of the network. I see issues in the logs where there are complaints about host names not resolving too.

I have poked around the forum but I don't see anyone talking about this type of setup.
I assume everyone else doing this is doing a local DMZ and can allow the iRedMail access to the local DNS - in this case the iRedMail server is offsite and can't gain access to the local DNS.

Is the best option to run the mail server inside the network and allow SMTP traffic through the firewall, or to run it on a local DMZ with access to the local DNS?


2

Re: f2ban/iptables keeps banning a NAT address

You have to whitelist the IP of firewall in /etc/fail2ban/jail.local, in parameter "ignoreip =".

3

Re: f2ban/iptables keeps banning a NAT address

ZhangHuangbin wrote:

You have to whitelist the IP of firewall in /etc/fail2ban/jail.local, in parameter "ignoreip =".


I did.
First IP address after 127.0.0.1.

ignoreip    = 127.0.0.1 NNN.NNN.NNN.NNN 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

The IP shows up in the f2b-postfix Chain -- that chain has duplicate entries, whereas the others do not.
Is that normal?

Chain f2b-dovecot (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain f2b-postfix (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain f2b-roundcube (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0        

4

Re: f2ban/iptables keeps banning a NAT address

It's ok. Does it work for you now?

5

Re: f2ban/iptables keeps banning a NAT address

ZhangHuangbin wrote:

It's ok. Does it work for you now?

No.  It continues to periodically ban the primary domain IP address.

The iRedMail server sits outside the primary physical network, and all of the internal physical systems are NAT'd behind one (and recently several more) static addresses. I have made sure that _all_ of our static IP addresses are listed in the jail.local file for fail2ban. Other than the entries in the logs saying the IP is being banned, I don't see why it's happening, unless fail2ban is somehow expecting to be able to do forward and reverse lookups on every short name it gets.

6

Re: f2ban/iptables keeps banning a NAT address

- Could you show us the full /etc/fail2ban/jail.local? If you have all static addresses listed in "ignoreip", it should be fine, so I'm confused now.
- When one of your static IPs is banned by fail2ban, are you sure it's one of the addresses listed in "ignoreip"? Sometimes we type a wrong address, or calculate an incorrect network range.
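The check suggested in posts 2 and 6 (is the banned address really covered by an "ignoreip" entry, or was a range miscalculated?) can be done mechanically. The script below is an added example and is not code from the forum thread or from the iRedMail or fail2ban projects. It assumes "ignoreip" holds only literal addresses and CIDR ranges (fail2ban also accepts DNS names, which this script does not resolve); the jail.local fragment and the fail2ban log lines are constructed, and the RFC 5737 documentation addresses 203.0.113.x stand in for the poster's NNN.NNN.NNN.NNN.

```python
import ipaddress
import re

# Constructed jail.local fragment (not the poster's real file). The
# 203.0.113.16/28 entry covers .16-.31 only, which is the kind of
# "calculated the incorrect network range" mistake post 6 describes.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip    = 127.0.0.1 203.0.113.5 203.0.113.16/28 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
bantime = 3600
findtime = 600
maxretry = 5
"""

# Constructed fail2ban.log excerpt in the usual "[jail] Ban <ip>" shape.
SAMPLE_LOG = """\
2018-03-01 10:15:02,111 fail2ban.actions [1234]: NOTICE [postfix] Ban 203.0.113.40
2018-03-01 10:15:02,112 fail2ban.filter  [1234]: INFO   [postfix] Found 203.0.113.40
2018-03-01 10:20:45,300 fail2ban.actions [1234]: NOTICE [dovecot] Ban 203.0.113.5
"""

BAN_RE = re.compile(r"\[(?P<jail>[\w-]+)\] Ban (?P<ip>\S+)")


def parse_ignoreip(config_text):
    """Return the networks listed on the ignoreip line as ip_network objects.

    Bare addresses become /32 (or /128) host networks. strict=False keeps
    entries with host bits set (e.g. 10.1.2.3/8) parseable, matching how
    fail2ban tolerates them; anything unparseable is reported loudly.
    """
    networks = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("ignoreip"):
            continue
        _, _, value = line.partition("=")
        for token in value.split():
            try:
                networks.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                raise ValueError(f"bad ignoreip entry: {token!r}") from None
    return networks


def matching_entries(ip, networks):
    """Return every ignoreip network containing ip; an empty list means bannable."""
    addr = ipaddress.ip_address(ip)
    return [n for n in networks if addr in n]


def banned_ips_from_log(log_text):
    """Extract (jail, ip) pairs from 'Ban' lines of a fail2ban log."""
    return [(m.group("jail"), m.group("ip"))
            for m in (BAN_RE.search(l) for l in log_text.splitlines()) if m]


def check_banned_ips(config_text, banned_ips):
    """Map each banned IP to the ignoreip entries that should have exempted it."""
    nets = parse_ignoreip(config_text)
    return {ip: [str(n) for n in matching_entries(ip, nets)] for ip in banned_ips}


if __name__ == "__main__":
    bans = banned_ips_from_log(SAMPLE_LOG)
    report = check_banned_ips(JAIL_LOCAL, [ip for _, ip in bans])
    for jail, ip in bans:
        if report[ip]:
            # Covered by ignoreip yet still banned: look at the jail config
            # or at fail2ban's own log for why the exemption did not apply.
            print(f"[{jail}] {ip} is covered by ignoreip {report[ip]} - unexpected ban")
        else:
            print(f"[{jail}] {ip} matches no ignoreip entry - add it or fix the range")
```

Run it against the real jail.local and fail2ban.log by replacing the two constructed strings with the file contents; an IP that lands in the "matches no ignoreip entry" branch is the miscalculated range or typo post 6 asks about, while one that is covered but still banned points at a jail that overrides "ignoreip" in its own section rather than inheriting [DEFAULT].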