
Fail2Ban Plesk-Postfix Error

Manos_Gk

New Pleskian
I am experiencing a problem with Fail2Ban.
With the Plesk-Postfix jail activated, it also bans legitimate IPs! (All of the IPs use Microsoft Outlook as their mail client.)

Jail Settings:
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
logpath = /var/log/maillog
maxretry = 5
 
Hi Manos_Gk,

please be aware that the Fail2Ban jails are based on the Fail2Ban filters they use. It is a wise idea to post both in case of any issue/problem/failure/error.

I add the filter in use ( postfix-sasl ), which is the standard filter from your Fail2Ban package, for you:
Code:
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

As you can see, the regex is quite simple and the task is to ban IPs which have authentication failures ( "maxretry = 5" is set, so a matching IP has to have at least 5 authentication failures before it gets a temporary ban ).

To investigate why an IP has been banned, you should now look through your mail logs to find the IP in question. Afterwards, you should investigate WHY the authentication failure took place.

Did the client use a wrong password, or did the client perhaps try to log in with only the username instead of the full e-mail address?
Did the client try to use an invalid certificate to authenticate?
What makes you think that Fail2Ban didn't work as expected, when you compare the mail log entries for that IP with the Fail2Ban bans?
 
You were right, I checked the maillog and found this:
warning: SASL authentication failure: realm changed: authentication aborted
warning: unknown[x.x.x.x]: SASL DIGEST-MD5 authentication failed: authentication failure


I changed it from
<mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN>
to
<mech_list: CRAM-MD5 PLAIN LOGIN>.

and everything worked fine!!!!

Thanks for your help
 
@Manos_Gk:
I took a slightly different approach... rather than disabling DIGEST-MD5 authentication, you could make Fail2Ban ignore just the DIGEST-MD5 failures that Outlook always creates in the server logs when trying to connect.

You can go into
Tools & Settings -> Jails -> Manage Filters -> postfix-sasl
and change
(?:CRAM|DIGEST)-MD5) to (?:CRAM|DIGEST-DisabledByAdmin)-MD5)
so Fail2Ban will not ban your SMTP Outlook users, but your other users will still be able to take advantage of the more secure DIGEST-MD5 capability your server has.

outlookfix.jpg

You are not alone — thousands of people are having problems with the defective DIGEST-MD5 handling in MS Outlook: http://bit.ly/outlook-breaks-digest-md5
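To see what the posted postfix-sasl filter actually does with log lines like the ones quoted in this thread, here is an added Python example. It is not Fail2Ban's code and not from any poster; it applies the posted failregex and ignoreregex, and the DIGEST-MD5 edit from the last reply, to a handful of constructed maillog lines and counts failures per host the way the jail's maxretry = 5 would. The prefix regex is a simplified stand-in for Fail2Ban's `__prefix_line`, the `<HOST>` pattern is a simplified version of Fail2Ban's, the addresses are RFC 5737 documentation ranges, and all log lines are constructed for the example.

```python
import re
from collections import Counter

# Assumption: a simplified stand-in for Fail2Ban's __prefix_line
# (syslog timestamp, hostname, then daemon[pid]: ). The real common.conf
# accepts several more syslog layouts; this is enough for standard maillog.
_DAEMON = r"postfix(-\w+)?/(submission/)?smtp(d|s)"
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ " + _DAEMON + r"\[\d+\]: "
# Simplified <HOST> substitution (Fail2Ban additionally strips an IPv6 ::ffff: prefix).
HOST = r"(?P<host>[\w\-.^_]*\w)"

# The posted failregex, with <HOST> and __prefix_line expanded. The filter's
# inline (?i) is written in scoped form (?i:...) because Python 3.11+ rejects
# a global flag that is not at the start of the pattern.
FAILREGEX_ORIGINAL = (
    r"^" + PREFIX_LINE + r"warning: [-._\w]+\[" + HOST + r"\]: "
    r"SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/:]*={0,2})?\s*$"
)
# The edit suggested in the last reply: DIGEST-MD5 failures no longer count.
FAILREGEX_OUTLOOK_FIX = FAILREGEX_ORIGINAL.replace(
    "(?:CRAM|DIGEST)-MD5", "(?:CRAM|DIGEST-DisabledByAdmin)-MD5"
)
IGNOREREGEX = r"authentication failed: Connection lost to authentication server$"

# Constructed sample maillog (not a real log). 198.51.100.7 plays an Outlook
# client whose DIGEST-MD5 attempts fail before it succeeds with CRAM-MD5;
# 203.0.113.99 plays a password-guessing client; 192.0.2.5 hits the
# "Connection lost" case that ignoreregex is meant to exclude.
SAMPLE_MAILLOG = """\
Jan 10 09:12:01 mail postfix/smtpd[2231]: warning: SASL authentication failure: realm changed: authentication aborted
Jan 10 09:12:01 mail postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL DIGEST-MD5 authentication failed: authentication failure
Jan 10 09:12:02 mail postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL DIGEST-MD5 authentication failed: authentication failure
Jan 10 09:12:03 mail postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL DIGEST-MD5 authentication failed: authentication failure
Jan 10 09:12:05 mail postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL DIGEST-MD5 authentication failed: authentication failure
Jan 10 09:12:07 mail postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL DIGEST-MD5 authentication failed: authentication failure
Jan 10 09:12:08 mail postfix/smtpd[2231]: 3F2A1B: client=unknown[198.51.100.7], sasl_method=CRAM-MD5, sasl_username=user@example.com
Jan 10 09:13:01 mail postfix/smtpd[2240]: warning: unknown[203.0.113.99]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:13:02 mail postfix/smtpd[2240]: warning: unknown[203.0.113.99]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:13:04 mail postfix/submission/smtpd[2235]: warning: unknown[203.0.113.99]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 10 09:13:06 mail postfix/submission/smtpd[2235]: warning: unknown[203.0.113.99]: SASL PLAIN authentication failed: authentication failure
Jan 10 09:13:09 mail postfix/smtpd[2240]: warning: unknown[203.0.113.99]: SASL PLAIN authentication failed: authentication failure
Jan 10 09:13:30 mail postfix/smtpd[2240]: warning: unknown[192.0.2.5]: SASL PLAIN authentication failed: Connection lost to authentication server
"""


def count_failures(lines, failregex, ignoreregex=IGNOREREGEX):
    """Count failregex matches per <host>, skipping lines hit by ignoreregex."""
    fail = re.compile(failregex)
    ignore = re.compile(ignoreregex)
    counts = Counter()
    for line in lines:
        if ignore.search(line):
            continue
        m = fail.match(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def banned_hosts(lines, failregex, maxretry=5):
    """Hosts the jail would ban: at least maxretry failures (findtime ignored here)."""
    return sorted(h for h, n in count_failures(lines, failregex).items() if n >= maxretry)


if __name__ == "__main__":
    lines = SAMPLE_MAILLOG.splitlines()
    print("original filter bans:", banned_hosts(lines, FAILREGEX_ORIGINAL))
    print("with DIGEST-MD5 excluded:", banned_hosts(lines, FAILREGEX_OUTLOOK_FIX))
```

With the posted filter both 198.51.100.7 and 203.0.113.99 reach five failures and are banned, which is the behaviour Manos_Gk saw; with the DIGEST-MD5 edit only 203.0.113.99 is banned. The "realm changed" line never matches because it carries no `unknown[host]` part, and the "Connection lost" line is dropped by ignoreregex. Note what the edit costs: the filter becomes blind to DIGEST-MD5 failures from every host, not only Outlook clients, so password guessing that uses the DIGEST-MD5 mechanism is no longer counted against maxretry; check the mail log for DIGEST-MD5 failures from other hosts before relying on it.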
 