1 (edited by darth_wells 2024-11-22 05:04:08)

Topic: postfix-iredmail

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
1.70
MySQL
Nginx
iRedAdmin-Pro - Yes

We have a client triggering the FAIL2BAN postfix-iredmail and getting banned.

I have looked in the /var/log/mail.log, and I can't find out why the
trigger is happening.

Thanks,

ABN

/var/log/mail.log
warning: hostname 173-165-103-33-Illinois.hfc.comcastbusiness.net does not resolve to address 173.165.103.33

root@nm2:~# cat /var/log/syslog | grep 173.165.103.33 | grep -i fail2ban
Nov 21 09:06:08 nm2 fail2ban.filter[664]: INFO [postfix-iredmail] Found 173.165.103.33 - 2024-11-21 09:06:08
Nov 21 09:06:26 nm2 fail2ban.filter[664]: INFO [postfix-iredmail] Found 173.165.103.33 - 2024-11-21 09:06:26
Nov 21 09:06:48 nm2 fail2ban.filter[664]: INFO [postfix-iredmail] Found 173.165.103.33 - 2024-11-21 09:06:48
Nov 21 09:07:04 nm2 fail2ban.filter[664]: INFO [postfix-iredmail] Found 173.165.103.33 - 2024-11-21 09:07:04
Nov 21 09:07:22 nm2 fail2ban.filter[664]: INFO [postfix-iredmail] Found 173.165.103.33 - 2024-11-21 09:07:22
Nov 21 09:07:22 nm2 fail2ban.actions[664]: NOTICE [postfix-iredmail] Ban 173.165.103.33

Is not finding the hostname enough to trigger a ban?


2

Re: postfix-iredmail

You can use "fail2ban-regex" command to get matched log lines.

3

Re: postfix-iredmail

ZhangHuangbin wrote:

You can use "fail2ban-regex" command to get matched log lines.

It's getting banned due to the "lost connection after AUTH from" error.

Why is the first connection to the server dropping and the second connection working?

/var/log/mail.log

1st connection
Nov 22 15:45:44 nm2 postfix/smtpd[21256]: connect from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33]
Nov 22 15:45:45 nm2 postfix/smtpd[21256]: Anonymous TLS connection established from 173-165-103-33-illinois.hfc.comcastbusiness.net[173.165.103.33]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 22 15:45:45 nm2 postfix/smtpd[21256]: lost connection after AUTH from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33]
Nov 22 15:45:45 nm2 postfix/smtpd[21256]: disconnect from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33] ehlo=1 auth=1 commands=2

2nd connection
Nov 22 15:45:45 nm2 postfix/smtpd[21256]: connect from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33]
Nov 22 15:45:45 nm2 postfix/smtpd[21256]: Anonymous TLS connection established from 173-165-103-33-illinois.hfc.comcastbusiness.net[173.165.103.33]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 22 15:45:45 nm2 postfix/smtpd[21256]: 4Xw7vF46NFzlpmxd: client=173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33], sasl_method=LOGIN, sasl_username=john@johndoe.com
Nov 22 15:45:45 nm2 amavis[1390]: (01390-14) Passed CLEAN {RelayedOutbound}, LOCAL [173.165.103.33]:52208 [173.165.103.33] <john@johndoe.com> -> <test@electric.com>, Queue-ID: 4Xw7vF46NFzlpmxd, Message-ID: <UEFLM1lKTiQwO15KM1kvLTc1MDYwMzkzNw@office-14a>, mail_id: uN5oLbVvntSu, Hits: -, size: 863, queued_as: 4Xw7vF5S3Nzlpmxk, dkim_new=dkim:johndoe.com, 139 ms
Nov 22 15:45:46 nm2 postfix/smtpd[21256]: disconnect from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Nov 22 15:49:44 nm2 postfix/anvil[20336]: statistics: max connection rate 4/60s for (smtps:173.165.103.33) at Nov 22 15:45:11

I tried changing the ciphers
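As an added illustration (not iRedMail's or fail2ban's code, and not the poster's), the following replays a fail2ban-style failregex over constructed log lines shaped like the ones quoted in this thread. The failregex entry, the maxretry/findtime values and the IPv4-only <HOST> expansion are assumptions, not the shipped postfix-iredmail filter. It shows why the "does not resolve to address" warning is not what trips the jail: only the "lost connection after AUTH from" lines match, and once five of them from one address fall inside the window the sliding-window counter reaches the ban threshold, mirroring the five "Found" lines followed by "Ban" in the syslog excerpt above.

```python
"""Replay fail2ban-style matching over Postfix log lines.

Added illustration for this thread, not iRedMail's or fail2ban's own code.
The failregex below is an assumption modelled on the thread (the shipped
postfix-iredmail filter may differ); maxretry/findtime are example values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, mirroring the shapes of the lines quoted in the thread.
SAMPLE_LOG = """\
Nov 21 09:05:50 nm2 postfix/smtpd[21256]: warning: hostname 173-165-103-33-Illinois.hfc.comcastbusiness.net does not resolve to address 173.165.103.33
Nov 21 09:06:08 nm2 postfix/smtpd[21256]: lost connection after AUTH from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33]
Nov 21 09:06:10 nm2 postfix/smtpd[21256]: 4Xw7vF46NFzlpmxd: client=173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33], sasl_method=LOGIN, sasl_username=john@johndoe.com
Nov 21 09:06:26 nm2 postfix/smtpd[21256]: lost connection after AUTH from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33]
Nov 21 09:06:30 nm2 postfix/smtpd[21301]: lost connection after AUTH from unknown[198.51.100.7]
Nov 21 09:06:48 nm2 postfix/smtpd[21256]: lost connection after AUTH from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33]
Nov 21 09:07:04 nm2 postfix/smtpd[21256]: lost connection after AUTH from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33]
Nov 21 09:07:22 nm2 postfix/smtpd[21256]: lost connection after AUTH from 173-165-103-33-Illinois.hfc.comcastbusiness.net[173.165.103.33]
"""

# Hypothetical failregex entries written with fail2ban's <HOST> placeholder.
FAILREGEX = [
    r"lost connection after AUTH from \S*\[<HOST>\]",
]

# Simplified <HOST> expansion: IPv4 only (fail2ban's real one also covers IPv6/hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(patterns):
    """Substitute the <HOST> placeholder and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_timestamp(line, year=2024):
    """Syslog timestamps carry no year; assume one so lines can be compared."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)


def find_failures(log_text, patterns=FAILREGEX):
    """Return [(timestamp, ip), ...] for every line some failregex matches."""
    compiled = compile_failregex(patterns)
    hits = []
    for line in log_text.splitlines():
        ts = parse_timestamp(line)
        if ts is None:
            continue
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((ts, m.group("host")))
                break
    return hits


def simulate_bans(log_text, maxretry=5, findtime=600, patterns=FAILREGEX):
    """Sliding-window counter per IP, like a jail's maxretry/findtime.

    Returns {ip: time_of_first_ban}; an IP is banned when maxretry matches
    fall within the last findtime seconds.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, ip in find_failures(log_text, patterns):
        if ip in banned:
            continue
        # Drop matches that have aged out of the window, then add this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ts, ip in find_failures(SAMPLE_LOG):
        print(f"Found {ip} - {ts}")
    for ip, when in simulate_bans(SAMPLE_LOG).items():
        print(f"Ban {ip} at {when}")
```

On a live server the equivalent check is the `fail2ban-regex` command mentioned above, run against /var/log/mail.log and the filter file the postfix-iredmail jail's `filter =` line points to (its exact path is an assumption here; read it from the jail definition). Its output lists which failregex entry matched each line, which is how to confirm that the AUTH disconnects, and not the unresolvable-hostname warning, are what the jail counts.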

4

Re: postfix-iredmail

darth_wells wrote:

Why is the first connection to the server dropping and the second connection working?

The client may not have sent complete SMTP commands.