Yeah I think I figured it out. It looks like someone set up their phone with a bad password and when they got on the WiFi network it got everyone else on the network banned for 10 min. I’ve whitelisted the IP for now. I think the guy was traveling between different offices making it look like it wasn’t isolated to a single network.
On Jan 22, 2024, at 6:15 PM, Michael Grant mgrant@grant.org wrote:
On Mon, Jan 22, 2024 at 04:28:09PM -0500, Steve Dondley via dovecot wrote:
OK, I was chasing log ghosts. What was actually going on was fail2ban was kicking on for users and banning them for 10 min.
I have no idea what is triggering it for so many different users from legit email addresses. Still investigating. But this appears to be a fail2ban problem, not a dovecot problem.
Oh you have my sympathies. fail2ban-client banned ipaddr. Get the ip addr of your users and see if they're banned like this. Then use fail2ban-client unban. I can't tell you how often this happens to me.
What happens is users have phones and laptops and they then add a tablet and want their email on it so they end up messing up their password on their tablet, or worse, resetting their password in order to get mail on their tablet and then it screws up the other devices and it's an absolute nightmare to continually debug. It happens to multiple users who are at the same address, as in, my parents because they're all behind the same address in the router. It happens to multiple people who use New Outlook which insists on sucking all the mail into Microsoft's servers and then one user bans a swath of addrs of those servers and random things break everywhere. I ended up whitelisting all of Microsoft's mail servers in my jail.local:
40.80.0.0/12 40.74.0.0/15 40.120.0.0/14 40.125.0.0/17 40.76.0.0/14 40.96.0.0/12 40.124.0.0/16 40.112.0.0/13
Hope this helps. I have been there so many times and it's a regular occurrence in my tech life chasing these ghosts.
Michael Grant
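
The pattern described in this thread, one device with a bad password getting a shared address banned for everyone behind it, can be confirmed from the logs before whitelisting anything. The script below is an added example, not code from either poster: the function name and the sample lines are constructed, and the regexes assume the usual dovecot login and fail2ban.actions log layouts.

```python
import re
from collections import defaultdict

# Constructed sample log (documentation address ranges, made-up users).
SAMPLE_LOG = """\
Jan 22 16:01:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Jan 22 16:01:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Jan 22 16:01:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Jan 22 16:01:40 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4242, TLS
Jan 22 16:01:45 mail dovecot: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, mpid=4250, TLS
Jan 22 16:01:50 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.com>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10, TLS
2024-01-22 16:02:01,123 fail2ban.actions        [811]: NOTICE  [dovecot] Ban 203.0.113.7
"""

# Assumed log layouts; adjust to match your own syslog/fail2ban format.
FAIL = re.compile(r"dovecot: \S+-login: .*auth failed.*user=<([^>]*)>.*rip=([0-9a-fA-F.:]+)")
OK = re.compile(r"dovecot: \S+-login: Login: user=<([^>]*)>.*rip=([0-9a-fA-F.:]+)")
BAN = re.compile(r"fail2ban\.actions.*\[([^\]]+)\] Ban (\S+)")


def shared_ip_report(log_text):
    """For every banned IP, list the users whose logins failed from it and
    the users who logged in fine from the same IP (collateral of the ban)."""
    failed = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed log lines
    ok = defaultdict(set)                           # ip -> users with a good login
    banned = {}                                     # ip -> jail name
    for line in log_text.splitlines():
        if m := BAN.search(line):
            banned[m.group(2)] = m.group(1)
        elif m := FAIL.search(line):
            failed[m.group(2)][m.group(1)] += 1
        elif m := OK.search(line):
            ok[m.group(2)].add(m.group(1))
    report = {}
    for ip, jail in banned.items():
        # Most frequent failing account first: the likely misconfigured device.
        failing = sorted(failed[ip], key=lambda u: -failed[ip][u])
        bystanders = sorted(ok[ip] - set(failed[ip]))
        report[ip] = {"jail": jail, "failing_users": failing, "bystanders": bystanders}
    return report


if __name__ == "__main__":
    for ip, info in shared_ip_report(SAMPLE_LOG).items():
        print(ip, info)
```

A banned address with one failing account and several bystanders points at a single device with a stale password rather than a guessing attempt, which is the case for fixing that device instead of leaving the address whitelisted.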