docker-mailserver: [BUG] ./setup.sh debug fail2ban does not show banned IPs (RaspberryPi)

./setup.sh debug fail2ban does not show banned IPs for some reason

root@raspberrypi:/etc/mailserver# ./setup.sh debug fail2ban
No IPs have been banned.

However, there are banned IPs actually.

root@raspberrypi:/etc/mailserver# docker exec -it mailserver fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/mail.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	167.***.***.203

When I’m trying to verify iptables rules from inside the container, I get the following error:

root@mail:/# iptables -S INPUT
iptables v1.8.2 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

However, on my host system iptables works perfectly. RaspberryPi is running on latest Raspbian 10 Buster OS.

My docker-compose.yml

services:
  mailserver:
    container_name: mailserver
    image: docker.io/mailserver/docker-mailserver
    hostname: mail
    domainname: domain.com
    environment:
      - ENABLE_FAIL2BAN=1
      - ENABLE_POP3=1
      - ENABLE_SPAMASSASSIN=1
      - SPAMASSASSIN_SPAM_TO_INBOX=1
      - ENABLE_POSTGREY=1
      - ENABLE_SASLAUTHD=0
      - ONE_DIR=1
      - SSL_TYPE=manual
      - SSL_CERT_PATH=/etc/letsencrypt/live/domain.com/fullchain.pem
      - SSL_KEY_PATH=/etc/letsencrypt/live/domain.com/privkey.pem
    env_file:
      - mailserver.env
    ports:
      - "25:25"
      - "110:110"
      - "143:143"
      - "465:465"
      - "587:587"
      - "993:993"
      - "995:995"
    volumes:
      - ./config/data/maildata:/var/mail
      - ./config/data/mailstate:/var/mail-state
      - ./config/data/maillogs:/var/log/mail
      - ./config:/tmp/docker-mailserver
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - /etc/localtime:/etc/localtime:ro
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    restart: unless-stopped

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 15 (9 by maintainers)

Most upvoted comments

I think I already tried everything… Maybe after moving to ip6tables-nft something will change. As for now, I will configure F2B on the host and wait for the new release with NFT included.

Anyway, in my case, F2B on the host is preferable as I have some additional F2B jails monitoring and alerting set up. In the case of internal F2B in the docker container, I will not be able to monitor it natively.

Aha, yes. I misunderstood that. Okay, thanks for the fast reply. Will play around with that and post my results later.

You misunderstand: When you’re using Docker, and you do not drop capabilities manually, these are the capabilities enabled by default: https://dockerlabs.collabnix.com/advanced/security/capabilities/. You’ll see, CAP_NET_RAW is actually enabled by default, but somehow, it seems like not on your Pi. So if you’re already running containers with Docker somewhere else, they have this capability enabled by default. It is strictly required for Fail2Ban / IPTables with our image, and you won’t be able to not provide it to the container and still use F2B / IPTables. Your change to NFTables could resolve this problem, but until someone provides a PR, NET_RAW is required.
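A small diagnostic for the capability point made in this comment, added here as an example and not part of docker-mailserver or of anyone's post in the thread: it decodes the effective capability mask (CapEff) from /proc/<pid>/status and reports whether CAP_NET_ADMIN and CAP_NET_RAW are present, which is the first thing to verify inside the container before blaming fail2ban. The bit numbers are the Linux capability definitions; the sample masks at the bottom are constructed for illustration, not taken from the reporter's Pi.

```shell
#!/bin/sh
# Decode a CapEff mask and check for the capabilities that fail2ban's iptables
# actions need: CAP_NET_ADMIN (bit 12) and CAP_NET_RAW (bit 13).
# Inside the container:  sh caps.sh --self

# Read the CapEff hex string of a PID ("self" = the current shell).
cap_eff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# cap_set MASKHEX BIT -> exit 0 if BIT is set in the mask, 1 otherwise.
cap_set() {
    mask=$((0x$1))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# Print one verdict line per capability; return 0 only when both are present.
check_caps() {
    [ -n "$1" ] || { echo "no CapEff mask given (is /proc mounted?)"; return 2; }
    rc=0
    for entry in "12:CAP_NET_ADMIN" "13:CAP_NET_RAW"; do
        bit=${entry%%:*}; name=${entry#*:}
        if cap_set "$1" "$bit"; then
            echo "$name: present"
        else
            echo "$name: MISSING (grant it via cap_add or fail2ban cannot drive iptables)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample masks (hypothetical values for the demonstration):
DEFAULT_DOCKER_MASK=00000000a80425fb   # the usual Docker default set: NET_RAW, no NET_ADMIN
ISSUE_COMPOSE_MASK=00000000a80435fb    # same set plus NET_ADMIN, as the compose file above adds
STRIPPED_MASK=00000000a80405fb         # NET_ADMIN and NET_RAW both dropped

if [ "${1:-}" = "--self" ]; then
    check_caps "$(cap_eff_of self)"
fi
```

If the container shows both capabilities present and iptables still cannot open the filter table, the problem is on the kernel side (missing iptable_filter module or a legacy/nft mismatch) rather than a capability drop.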