1 (edited by evenmoreconfused 2022-04-27 00:31:44)

Topic: User Banned After Password Changed

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.5.1
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version: Rocky 8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I've noticed a regular problem that others here presumably have as well:

1. existing user has (e.g.) two desktop clients, smartphone client, and tablet client
2. user changes password on server (or admin does it for them with iRedAdmin) and changes it on one client
3. user's other clients are on same ISP connection and are regularly checking for messages, but fail since they still have the old password
4. fail2ban sees failed logins and blocks the IP for the site
5. user can't even change the password on the other devices because the IP is banned

In fact, since the phone and tablet keep trying to get email and failing, fail2ban keeps the ban rolling over (I think).

The only solution is to turn off all the clients that have the old password and wait for the ban to expire, or to clear the ban manually in the database.

What do others do about this?

Thanks for all help,
Paul


2

Re: User Banned After Password Changed

1. disable wifi on smartphone/tablet/pc
2. change password with iredadmin for user
3. update password on all devices
4. enable wifi

if IP is already banned -> update passwords on all devices -> admin unbans IP

3 (edited by evenmoreconfused 2022-04-27 01:55:07)

Re: User Banned After Password Changed

Thanks for the reply.

That's roughly what I've been doing. But there's got to be an easier way. For one user who kept having this issue I just put a permanent exception in fail2ban. Also sometimes the user doesn't have all the devices available to turn off their wifi, in which case it works fine until they bring that device in the next day and the whole site gets banned again. Not fun.

There must be a better design solution to this.

PS: on at least one client (Bluemail), you can't change the password unless the server accepts it. When you change the client password, it tries to verify it against the server. When it fails, it reverts back to the old one. Arggghh.

PPS: With iOS Mail, it behaves similarly, but if you save it a second time (after it says it failed), it says "This account may not be able to send or receive properly. Are you sure you want to save?". Only then does it actually save the new password.

4

Re: User Banned After Password Changed

fail2ban doesn't ban after a single failed login attempt; if the client keeps forcing it even if it knows the password was wrong, then it is just bad design.

5 (edited by evenmoreconfused 2022-04-27 08:34:20)

Re: User Banned After Password Changed

Cthulhu wrote:

fail2ban doesn't ban after a single failed login attempt; if the client keeps forcing it even if it knows the password was wrong, then it is just bad design.

Well, I see your point, but it could be argued that the password isn't so much wrong as out of date; these are clients that haven't yet been told the new password.

It would be nice if the clients saw that the error was a bad password and didn't then keep retrying. But they all (Outlook 2019, iOS Mail, and Bluemail for a start) seem to just count it as a soft fail and retry a few minutes later.

However, perhaps they do behave as you suggest and fail2ban isn't being triggered by multiple retries from one client, but rather a single retry from each of the three (in the example above) local clients that haven't yet got the new password.

6

Re: User Banned After Password Changed

it doesn't count single devices, it counts fails from unique IPs, so if there are 5 devices using the same IP and all of them fail login, then the whole IP will get banned for good reasons

and a client can see if the connection timed out, or if the username/password combination was wrong, so this is just bad design as I already said

the clients need to change their login creds on the devices and then it will stop failing

7 (edited by evenmoreconfused 2022-04-27 22:31:39)

Re: User Banned After Password Changed

Cthulhu wrote:

it counts fails from unique IPs, so if there are 5 devices using the same IP and all of them fail login, then the whole IP will get banned

Yes, exactly. This is the issue.

Cthulhu wrote:

... will get banned for good reasons

Well, good from the point of view of attempted hacks. But not good when it's a legit user with a legit issue.

Cthulhu wrote:

... the clients need to change their login creds on the devices and then it will stop failing

But they can't do this while their IP is blocked by fail2ban. They need to wait, or I manually have to clear the block.

--------------

Let's take a real-life example. I have three sisters who live in a large farmhouse in the mountains. They have two shared desktop computers, two laptops, three phones and four tablets. There is also a separate building with a couple of farm workers who have a total of five devices. Almost all of these have at least one client attached to our iRedMail server; some devices have multiple user accounts and thus are attached from multiple instances. Because they are all on one internet connection, they all have the same public IP. So a total of maybe twenty attached clients from this one IP.

If one sister (with a phone, tablet, laptop, and account on two desktops) changes her password on one device, she won't remember to change the password immediately on the other four (she's a farmer, not a tech). In half an hour, fail2ban will have banned the whole IP and five people are on the phone to me.

What makes it worse is that once fail2ban blocks the IP, her attempts to fix her password on the other devices all fail because the client is being ignored (yes, the client should see this issue as a timeout rather than a bad password, but it doesn't report it to her this way. Nor is she qualified to understand the difference and ramifications). Then she thinks she's been typing it in wrong and tries different combinations, and it all goes south from there.

Meanwhile, everyone at the site is locked out, and keeps getting re-locked out every time enough of her attempts fail that the IP is banned again.


PS: obviously this is an extreme case, and I have put an exception in fail2ban for their IP. But I have at least three other user sites with (simpler) variations of this problem.

I'm just wondering if anyone has a clever solution to this problem, which must happen more than just here. Maybe a temporary whitelist in fail2ban, so that one IP would be okay for 24 hours? Or something in dovecot that would still fail attempts to login with old passwords, but log them differently so that fail2ban wouldn't trigger?

Neither of these is a clean solution, but the current mess is bad enough that I may have to turn off fail2ban altogether.

8

Re: User Banned After Password Changed

No, there is no way, passwords are encrypted and whitelists would have been via ignoreregex on f2b filters

if it does block 443 and 80 as well, you can remove those ports so they can still log in to webmail and change their passwords on their own

9

Re: User Banned After Password Changed

There's no easy or "clever" solution in your case, because this is how Fail2ban works. :(

10

Re: User Banned After Password Changed

ZhangHuangbin wrote:

There's no easy or "clever" solution in your case, because this is how Fail2ban works. :(

I'm having the same problem. Blocking all users behind a firewall because one user enters the password wrong 3 times is lunacy.

Can fail2ban be turned off, or can the number of attempts before banning be turned higher, or can it un-ban the IP in some period of time, or can it be set to ignore certain IPs?

11 (edited by evenmoreconfused 2023-04-14 08:20:27)

Re: User Banned After Password Changed

tom_jedrzejewicz wrote:
ZhangHuangbin wrote:

There's no easy or "clever" solution in your case, because this is how Fail2ban works. :(

I'm having the same problem. Blocking all users behind a firewall because one user enters the password wrong 3 times is lunacy.

Can fail2ban be turned off, or can the number of attempts before banning be turned higher, or can it un-ban the IP in some period of time, or can it be set to ignore certain IPs?

It’s easy to add an exception in the config (jail.local, in the ignoreip= line) once in a while, as long as you remember to take it out later. And dynamic IPs mean the addresses may change.

Don’t forget to restart the service.
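
Added example (not part of the original thread, and not fail2ban's own code): a simplified Python model of the per-IP failure counting discussed above, using fail2ban's maxretry, findtime, bantime and ignoreip settings, to show how several clients holding an old password behind one public IP reach the threshold and how the ban recurs after it expires. The IP address, retry intervals and setting values are constructed for illustration.

```python
import ipaddress

# Constructed sample: four clients behind one public IP (documentation range),
# each still holding the old password and retrying every 5 minutes.
SITE_IP = "203.0.113.10"
STALE_CLIENTS = [          # (source IP, first attempt [s], retry interval [s])
    (SITE_IP, 0, 300),     # phone
    (SITE_IP, 60, 300),    # tablet
    (SITE_IP, 120, 300),   # desktop 1
    (SITE_IP, 180, 300),   # desktop 2
]

def simulate(clients, maxretry, findtime, bantime, horizon, ignoreip=()):
    """Return [(ip, ban_start_s), ...] for failed logins within `horizon` seconds.

    Simplified model: failures are counted per source IP in a sliding window
    of `findtime` seconds; reaching `maxretry` bans the IP for `bantime`.
    """
    ignored = [ipaddress.ip_network(net) for net in ignoreip]
    attempts = sorted(
        (t, ip)
        for ip, start, every in clients
        for t in range(start, horizon, every)
    )
    failures = {}       # ip -> timestamps of recently logged failures
    banned_until = {}   # ip -> time at which the current ban ends
    bans = []
    for t, ip in attempts:
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue    # ignoreip: failures from this source never count
        if t < banned_until.get(ip, 0):
            continue    # dropped by the firewall, so nothing is logged
        window = [f for f in failures.get(ip, []) if t - f < findtime]
        window.append(t)
        if len(window) >= maxretry:
            bans.append((ip, t))
            banned_until[ip] = t + bantime
            window = []
        failures[ip] = window
    return bans

if __name__ == "__main__":
    day = 24 * 3600
    shared = simulate(STALE_CLIENTS, maxretry=5, findtime=600, bantime=3600, horizon=day)
    single = simulate(STALE_CLIENTS[:1], maxretry=5, findtime=600, bantime=3600, horizon=day)
    print("four stale clients: first ban at", shared[0][1], "s,", len(shared), "bans in a day")
    print("one stale client:", len(single), "bans in a day")
```

With these constructed values a single stale client never reaches the threshold, while four of them behind the same address trigger the first ban after five minutes and a new ban shortly after each one expires.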