docker-mailserver: Can't block Spambots
Subject
I’d like some feedback regarding the Postscreen/Fail2ban configuration.
Description
Hi guys, please help me understand what is wrongly configured here with the Postscreen and Fail2ban modules. I’ve attached a log sample. Fail2ban is activated, it just doesn’t kick in to ban the IPs retrying to connect. I can manually ban these IPs with fail2ban-client, so the jails are working; however the ban doesn’t occur automatically after “maxretry” is reached. So what is going on here?
mailserver | Feb 15 19:31:21 mail postfix/postscreen[10972]: CONNECT from [87.246.7.226]:40982 to [192.168.176.2]:25
mailserver | Feb 15 19:31:21 mail postfix/postscreen[10972]: cache btree:/var/lib/postfix/postscreen_cache full cleanup: retained=26 dropped=3 entries
mailserver | Feb 15 19:31:22 mail postfix/dnsblog[10976]: addr 87.246.7.226 listed by domain list.dnswl.org as 127.0.10.3
mailserver | Feb 15 19:31:22 mail postfix/dnsblog[10975]: addr 87.246.7.226 listed by domain bl.mailspike.net as 127.0.0.2
mailserver | Feb 15 19:31:22 mail postfix/postscreen[10972]: PASS NEW [87.246.7.226]:40982
mailserver | Feb 15 19:31:22 mail postfix/smtpd[10984]: warning: hostname net6-ip226.linkbg.com does not resolve to address 87.246.7.226: Name or service not known
mailserver | Feb 15 19:31:22 mail postfix/smtpd[10984]: connect from unknown[87.246.7.226]
mailserver | Feb 15 19:31:24 mail dovecot: auth: passwd-file(ns2@blkchaintech.de,87.246.7.226): unknown user (SHA1 of given password: e15e2f)
mailserver | Feb 15 19:31:26 mail postfix/smtpd[10984]: warning: unknown[87.246.7.226]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mailserver | Feb 15 19:31:26 mail postfix/smtpd[10984]: disconnect from unknown[87.246.7.226] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
mailserver | Feb 15 19:32:07 mail postfix/postscreen[10972]: CONNECT from [87.246.7.226]:49306 to [192.168.176.2]:25
mailserver | Feb 15 19:32:07 mail postfix/postscreen[10972]: PASS OLD [87.246.7.226]:49306
mailserver | Feb 15 19:32:07 mail postfix/smtpd[10984]: warning: hostname net6-ip226.linkbg.com does not resolve to address 87.246.7.226: Name or service not known
mailserver | Feb 15 19:32:07 mail postfix/smtpd[10984]: connect from unknown[87.246.7.226]
mailserver | Feb 15 19:32:11 mail dovecot: auth: passwd-file(darwin@blkchaintech.de,87.246.7.226): unknown user (SHA1 of given password: 0c0655)
mailserver | Feb 15 19:32:13 mail postfix/smtpd[10984]: warning: unknown[87.246.7.226]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mailserver | Feb 15 19:32:13 mail postfix/smtpd[10984]: disconnect from unknown[87.246.7.226] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
mailserver | Feb 15 19:32:54 mail postfix/postscreen[10972]: CONNECT from [87.246.7.226]:57546 to [192.168.176.2]:25
mailserver | Feb 15 19:32:54 mail postfix/dnsblog[10977]: addr 87.246.7.226 listed by domain bl.mailspike.net as 127.0.0.2
mailserver | Feb 15 19:32:54 mail postfix/dnsblog[10974]: addr 87.246.7.226 listed by domain list.dnswl.org as 127.0.10.3
mailserver | Feb 15 19:32:54 mail postfix/postscreen[10972]: PASS OLD [87.246.7.226]:57546
mailserver | Feb 15 19:32:54 mail postfix/smtpd[10984]: warning: hostname net6-ip226.linkbg.com does not resolve to address 87.246.7.226: Name or service not known
mailserver | Feb 15 19:32:54 mail postfix/smtpd[10984]: connect from unknown[87.246.7.226]
mailserver | Feb 15 19:32:59 mail dovecot: auth: passwd-file(net@blkchaintech,87.246.7.226): unknown user (SHA1 of given password: 976950)
mailserver | Feb 15 19:33:01 mail postfix/smtpd[10984]: warning: unknown[87.246.7.226]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mailserver | Feb 15 19:38:01 mail postfix/smtpd[10984]: timeout after AUTH from unknown[87.246.7.226]
mailserver | Feb 15 19:38:01 mail postfix/smtpd[10984]: disconnect from unknown[87.246.7.226] ehlo=1 auth=0/1 rset=1 commands=2/3
mailserver | Feb 15 19:41:21 mail postfix/anvil[10986]: statistics: max connection rate 2/60s for (smtpd:87.246.7.226) at Feb 15 18:32:07
mailserver | Feb 15 19:41:21 mail postfix/anvil[10986]: statistics: max connection count 1 for (smtpd:87.246.7.226) at Feb 15 18:31:22
mailserver | Feb 15 19:41:21 mail postfix/anvil[10986]: statistics: max cache size 1 at Feb 15 18:31:22
About this issue
- State: closed
- Created 3 years ago
- Comments: 49 (34 by maintainers)
The edge image now contains fail2ban 0.11.2 🎉

More than “maxretry” occurrences shouldn’t be allowed though, and that IP had other recurrent events afterwards. Also increasing the “findtime” doesn’t seem to have any effect.
That’s what I had defined in configs and unfortunately I can’t say since I haven’t changed them, so this needs testing as well.
The installation is pretty easy, there is a debian package available: https://github.com/fail2ban/fail2ban/releases/download/0.11.2/fail2ban_0.11.2-1.upstream1_all.deb
One important aspect I forgot to mention: the regex line in the postscreen.conf:

```
^%(__prefix_line)saddr <HOST> listed by domain .* as .*$
```

is problematic since it might ban some legit server if it fails (which happens quite often, due to various reasons) to connect after “maxretry” within your set ‘bantime’. So I’d suggest to maybe leave it out.
Thanks!
@casperklein I’ve tested 0.11 on the host and it flawlessly banned all the “auth failures”. I’ve planned to “cook” a custom docker-mailserver image with the 0.11 but haven’t found the time to work on it yet.
@aendeavor It’s hacky but it somehow works. I’ve set “findtime” and the “bantime” to 10d and it seems to have done the trick with the “auth failures”: every attempt led to a ban, with only a few failures.
As for the postscreen noise filter I’ve added:

```
[postscreen]
enabled = true
filter = postscreen
logpath = %(postfix_log)s
```

And no more clutter in the logs. You can give it a try! Hope it works.
I guess that’s what I also meant to convey with the “maxretry”, as in “maxretry” per “findtime”. Problem is that I have changed it to 1d and no ban occurred after 2 or more consecutive auth attempts 😦 I appreciate you taking the time, and I’m glad it works fine for you. I’m pretty sure I’ll fix mine as well soon.
On another note, I found out why there isn’t any postfix-sasl.conf to be found in filters.d:
So postfix-sasl is already configured with

```
filter = postfix[mode=auth]
```

in “./fail2ban/jail.conf”. As I understand, a custom jail would take:

```
# Custom Fail2Ban filter configuration
[Definition]
_daemon =
failregex =
ignoreregex =

# Custom Fail2Ban jail configuration
[custom-jail]
enabled = true
filter = custom-filter
logpath =
maxretry =
findtime =
bantime =
```

I’ll give it a go in finding a good postscreen filter. Hope it’ll work.
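An added example, not code from this issue or from docker-mailserver, that replays fail2ban's ban logic over the log sample from the report: it applies two failregex-style filters (a simplified stand-in for the upstream postfix[mode=auth] filter, and the postscreen "listed by domain" regex quoted earlier in the thread), collects the per-IP hit timestamps, and reports when a ban would fire for a given maxretry/findtime pair. The prefix regex, the `<HOST>` pattern and the year 2021 are simplifications and assumptions of this script, not fail2ban's real implementation; the log lines are a subset copied from the report.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Log lines copied from the report (a subset). The "mailserver |" prefix comes
# from `docker compose logs`; the file fail2ban tails inside the container does
# not carry it, so parse() strips it before matching.
SAMPLE_LOG = """\
mailserver | Feb 15 19:31:21 mail postfix/postscreen[10972]: CONNECT from [87.246.7.226]:40982 to [192.168.176.2]:25
mailserver | Feb 15 19:31:22 mail postfix/dnsblog[10976]: addr 87.246.7.226 listed by domain list.dnswl.org as 127.0.10.3
mailserver | Feb 15 19:31:22 mail postfix/dnsblog[10975]: addr 87.246.7.226 listed by domain bl.mailspike.net as 127.0.0.2
mailserver | Feb 15 19:31:22 mail postfix/postscreen[10972]: PASS NEW [87.246.7.226]:40982
mailserver | Feb 15 19:31:22 mail postfix/smtpd[10984]: warning: hostname net6-ip226.linkbg.com does not resolve to address 87.246.7.226: Name or service not known
mailserver | Feb 15 19:31:24 mail dovecot: auth: passwd-file(ns2@blkchaintech.de,87.246.7.226): unknown user (SHA1 of given password: e15e2f)
mailserver | Feb 15 19:31:26 mail postfix/smtpd[10984]: warning: unknown[87.246.7.226]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mailserver | Feb 15 19:32:07 mail postfix/postscreen[10972]: PASS OLD [87.246.7.226]:49306
mailserver | Feb 15 19:32:13 mail postfix/smtpd[10984]: warning: unknown[87.246.7.226]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mailserver | Feb 15 19:32:54 mail postfix/dnsblog[10977]: addr 87.246.7.226 listed by domain bl.mailspike.net as 127.0.0.2
mailserver | Feb 15 19:32:54 mail postfix/dnsblog[10974]: addr 87.246.7.226 listed by domain list.dnswl.org as 127.0.10.3
mailserver | Feb 15 19:32:54 mail postfix/postscreen[10972]: PASS OLD [87.246.7.226]:57546
mailserver | Feb 15 19:33:01 mail postfix/smtpd[10984]: warning: unknown[87.246.7.226]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
mailserver | Feb 15 19:38:01 mail postfix/smtpd[10984]: timeout after AUTH from unknown[87.246.7.226]
"""

ASSUMED_YEAR = 2021  # syslog lines carry no year; one is needed to compare timestamps

# Simplified stand-in for fail2ban's %(__prefix_line)s: "<date> <host> <daemon>[pid]: "
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ [\w./-]+(?:\[\d+\])?: "
)
HOST = r"(?P<host>[\w.:-]+)"  # simplified version of what fail2ban substitutes for <HOST>

# failregex bodies (the prefix is handled by PREFIX). "postfix-sasl" approximates the
# upstream postfix[mode=auth] filter; "postscreen-dnsblog" is the regex from the thread.
FILTERS = {
    "postfix-sasl": r"^warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    "postscreen-dnsblog": r"^addr <HOST> listed by domain .* as .*$",
}


def parse(raw, year=ASSUMED_YEAR):
    """Return (timestamp, message) for a syslog-style line, or None if it has no prefix."""
    line = re.sub(r"^\S+ \| ", "", raw)  # drop the compose service-name prefix
    m = PREFIX.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, line[m.end():]


def hits(lines, failregex):
    """Map host -> sorted timestamps of the lines on which failregex matched."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    found = {}
    for raw in lines:
        parsed = parse(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        m = rx.search(msg)
        if m:
            found.setdefault(m.group("host"), []).append(ts)
    return {host: sorted(times) for host, times in found.items()}


def ban_time(timestamps, maxretry, findtime):
    """Time of the first ban fail2ban would issue for these hits, or None.

    A ban fires at the hit that brings the number of hits inside the trailing
    `findtime` seconds up to `maxretry`; older hits fall out of the window.
    """
    window = []
    for ts in sorted(timestamps):
        window = [t for t in window if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        if len(window) >= maxretry:
            return ts
    return None


def listing_domains(lines):
    """Count which DNSBL/DNSWL domains the postscreen regex would turn into hits."""
    counts = Counter()
    for raw in lines:
        m = re.search(r"listed by domain (\S+) as ", raw)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, regex in FILTERS.items():
        for host, times in hits(lines, regex).items():
            for maxretry, findtime in ((3, 600), (3, 60)):
                when = ban_time(times, maxretry, findtime)
                print(f"{name:18} {host} maxretry={maxretry} findtime={findtime:>3}s -> ban at {when}")
    print("domains matched by the postscreen regex:", listing_domains(lines))
```

The three SASL failures in the sample are 47 and 48 seconds apart, so with maxretry=3 they trigger a ban at 19:33:01 under findtime=600 but never under findtime=60, which is the kind of findtime sensitivity the comments above describe. The postscreen regex fires on every dnsblog line, including the two from list.dnswl.org, and all four of its hits precede a PASS decision, so a sender that is listed anywhere accumulates "failures" before postscreen has even decided to let it in. Two things worth checking on the real host before blaming the jail: the file fail2ban tails does not carry the compose `mailserver |` prefix (the script strips it only because the lines were copied from compose output), and the anvil statistics lines in the report place the same events one hour earlier (18:32:07 vs 19:32:07 in the smtpd lines), so confirm that the process writing the log and fail2ban agree on the timezone, because fail2ban ignores entries whose log time is already older than findtime relative to its own clock.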
I’ve just opened #1821, to track/discuss the further proceeding.
Postscreen/F2B Issue => F2B doesn’t block spambots:
Context
Understood, please have a look at this:
What is affected by this bug?
Mailserver is getting hammered by any prodding spambot. Every connection attempt seems to be logged, however without any reaction whatsoever from the F2B.
When does this occur?
24/7
How do we replicate the issue?
Behavior
Actual Behavior
Mail info/warning level logs register the spambots’ connection attempts.
F2B won’t jail the bot IP.
No boot error to mention. F2B creates dovecot, postfix, postfix-sasl, sshd jails.
Jails status: active; postfix-sasl contains only the IPs I actively banned using f2b-client.
Expected Behavior
Your Environment
Environment Variables
Relevant Stack Traces