Fail2ban and login_trusted_networks

Aki Tuomi aki.tuomi at open-xchange.com
Mon Dec 21 14:20:01 EET 2020


Dovecot can log client IP instead of connection IP, when webmail passes this information over using IMAP `ID` command, and webmail server has been added to login_trusted_networks.

The keywords used for this feature are

x-originating-ip
x-originating-port
x-connected-ip
x-connected-port
x-proxy-ttl (hop count)

Aki
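An added example, not Dovecot's code or anything posted in this thread, that models the behaviour described above: it parses the field/value list of an IMAP `ID` command and honours a forwarded `x-originating-ip` only when the connecting peer lies inside `login_trusted_networks`. The trusted network and the addresses used are assumed values constructed for the example; outside the trusted range the real connection address is kept, so an untrusted client cannot pick which IP ends up in the log that fail2ban reads.

```python
import ipaddress
import re

# Assumed, constructed for this example: the webmail host's private range,
# standing in for the login_trusted_networks setting.
LOGIN_TRUSTED_NETWORKS = ["10.0.0.0/24"]

# IMAP ID argument: NIL or a parenthesised list of quoted field/value
# pairs, e.g. ("x-originating-ip" "8.8.8.8" "x-originating-port" "54321").
# Escaped characters inside quotes are matched but not unescaped here.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(NIL)')


def parse_id_params(arg: str) -> dict:
    """Parse the field/value list of an IMAP ID command into a dict."""
    arg = arg.strip()
    if arg == "NIL":
        return {}
    if not (arg.startswith("(") and arg.endswith(")")):
        raise ValueError("ID argument must be NIL or a parenthesised list")
    tokens = [m.group(1) if m.group(1) is not None else None
              for m in _TOKEN.finditer(arg[1:-1])]
    if len(tokens) % 2:
        raise ValueError("ID list must consist of field/value pairs")
    return {k.lower(): v for k, v in zip(tokens[::2], tokens[1::2])
            if k is not None}


def client_ip_for_log(conn_ip: str, id_params: dict) -> str:
    """Return the address the session should be logged under.

    The forwarded x-originating-ip is used only when the connecting peer
    (the webmail host) is inside LOGIN_TRUSTED_NETWORKS; otherwise the
    real connection address is kept.
    """
    peer = ipaddress.ip_address(conn_ip)
    trusted = any(peer in ipaddress.ip_network(n)
                  for n in LOGIN_TRUSTED_NETWORKS)
    forwarded = id_params.get("x-originating-ip")
    if trusted and forwarded:
        try:
            return str(ipaddress.ip_address(forwarded))
        except ValueError:
            # Malformed forwarded address: fall back to the real peer.
            return conn_ip
    return conn_ip
```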

> On 21/12/2020 14:12 Tom Hendrikx <tom at whyscream.net> wrote:
> 
>  
> Hi,
> 
> Ideally the webmail has its own logfile, where it also emits error 
> messages containing the ip-address of the failed login attempt. This 
> could be as simple as a HTTP 401 error in the nginx/apache logfile on 
> the webmail domain. You can then instruct fail2ban to read that logfile 
> and disallow access to the webmail for the ip address.
> 
> In the end, the attempts try to access the webmail, and not the IMAP 
> server directly. So it's better to block access to the webmail/web server.
> 
> Kind regards,
> 	Tom
> 
> On 21-12-2020 11:16, Javi Legido wrote:
> > Hi there.
> > 
> > First of all many thanks to all the people involved in this project for 
> > their time, I really appreciate it.
> > 
> > Second my use case:
> > 
> > a) Container running Webmail (roundcube) with dovecot-ident plugin 
> > enabled 
> > <https://github.com/roundcube/roundcubemail/issues/5336#issuecomment-228131074>.
> > b) Container running Dovecot  2.3.4.1 (docker-mailserver-mysql 
> > <https://github.com/Kedu-SCCL/docker-mailserver-mysql>) with fail2ban 
> > enabled
> > 
> > Since I need to add the private IP address of the webmail to 
> > "login_trusted_networks" to "...allow to override their IP addresses and 
> > ports" I can keep logging in to webmail even if the IP is blocked.
> > 
> > Question: is there any way to:
> > 
> > a) Allow a certain IP range to override its IP address and ports (as in 
> > "login_trusted_networks") but
> > b) Be blocked, as any other incoming connections, by fail2ban?
> > 
> > More context. Once the public IP is banned (8.8.8.8 in this example):
> > 
> > ```
> > 2020-12-21 10:10:31,371 fail2ban.filter         [309]: INFO    [dovecot] 
> > Found 8.8.8.8 - 2020-12-21 10:10:31
> > 2020-12-21 10:10:39,189 fail2ban.filter         [309]: INFO    [dovecot] 
> > Found 8.8.8.8 - 2020-12-21 10:10:39
> > 2020-12-21 10:10:51,222 fail2ban.filter         [309]: INFO    [dovecot] 
> > Found 8.8.8.8 - 2020-12-21 10:10:51
> > 2020-12-21 10:10:52,008 fail2ban.actions        [309]: NOTICE  [dovecot] 
> > Ban 8.8.8.8
> > ```
> > 
> > I can't reach dovecot by telnet from this public IP:
> > 
> > ```
> > telnet mail.example.com 143
> > Trying 9.9.9...
> > telnet: Unable to connect to remote host: Connection refused
> > ```
> > 
> > Unless I removed the ban:
> > 
> > ```
> > docker exec mail fail2ban-client set dovecot unbanip 8.8.8.8
> > ```
> > 
> > Many thanks.
> > 
> > Javier