Fail2ban and login_trusted_networks
Aki Tuomi
aki.tuomi at open-xchange.com
Mon Dec 21 14:20:01 EET 2020
Dovecot can log client IP instead of connection IP, when webmail passes this information over using IMAP `ID` command, and webmail server has been added to login_trusted_networks.
The keywords used for this feature are
x-originating-ip
x-originating-port
x-connected-ip
x-connected-port
x-proxy-ttl (hop count)
Aki
> On 21/12/2020 14:12 Tom Hendrikx <tom at whyscream.net> wrote:
>
>
> Hi,
>
> Ideally the webmail has it's own logfile, where it also emits error
> messages containing the ip-address of the failed login attempt. This
> could be as simple as a HTTP 401 error in the nginx/apache logfile on
> the webmail domain. You can then instruct fail2ban to read that logfile
> and disallow access to the webmail for the ip address.
>
> In the end, the attempts try to access the webmail, and not the IMAP
> server directly. So it's better to block access to the webmail/web server.
>
> Kind regards,
> Tom
>
> On 21-12-2020 11:16, Javi Legido wrote:
> > Hi there.
> >
> > First of all many thanks to all the people involved in this project for
> > their time, I really appreciate it.
> >
> > Second my use case:
> >
> > a) Container running Webmail (roundcube) with dovecot-ident plugin
> > enabled
> > <https://github.com/roundcube/roundcubemail/issues/5336#issuecomment-228131074>.
> > b) Container running Dovecot 2.3.4.1 (docker-mailserver-mysql
> > <https://github.com/Kedu-SCCL/docker-mailserver-mysql>) with fail2ban
> > enabled
> >
> > Since I need to add the private IP address of the webmail to
> > "login_trusted_networks" to "...allow to override their IP addresses and
> > ports" I can keep login to webmail even though if the IP is blocked.
> >
> > Question: there's any way to:
> >
> > a) Allow a certain IP range to override it's IP address and ports (as in
> > "login_trusted_networks") but
> > b) Be blocked, as any other incoming connections, by fail2ban?
> >
> > More context. Once the public IP is banned (8.8.8.8 in this example):
> >
> > ```
> > 2020-12-21 10:10:31,371 fail2ban.filter [309]: INFO [dovecot]
> > Found 8.8.8.8 - 2020-12-21 10:10:31
> > 2020-12-21 10:10:39,189 fail2ban.filter [309]: INFO [dovecot]
> > Found 8.8.8.8 - 2020-12-21 10:10:39
> > 2020-12-21 10:10:51,222 fail2ban.filter [309]: INFO [dovecot]
> > Found 8.8.8.8 - 2020-12-21 10:10:51
> > 2020-12-21 10:10:52,008 fail2ban.actions [309]: NOTICE [dovecot]
> > Ban 8.8.8.8
> > ```
> >
> > I can't reach dovecot by telnet from this public IP:
> >
> > ```
> > telnet mail.example.com <http://mail.example.com> 143
> > Trying 9.9.9...
> > telnet: Unable to connect to remote host: Connection refused
> > ```
> >
> > Unless I removed the ban:
> >
> > ```
> > docker exec mail fail2ban-client set dovecot unbanip 8.8.8.8
> > ```
> >
> > Many thanks.
> >
> > Javier
More information about the dovecot
mailing list