
Fail2Ban Plesk-Postfix Error

Manos_Gk

New Pleskian
I am experiencing a problem with Fail2Ban.
With the Plesk-Postfix jail activated, it also bans legitimate IPs! (All IPs use Microsoft Outlook as mail client)

Jail Settings:
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
logpath = /var/log/maillog
maxretry = 5
 
Hi Manos_Gk,

please be aware that the Fail2Ban jails are based on the Fail2Ban filters they use. It is a wise idea to post both in case of any issue/problem/failure/error.

I add the used filter ( postfix-sasl, the standard filter from your Fail2Ban package ) for you:
Code:
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

As you can see, the regex is quite simple and the task is to ban IPs which have authentication failures ( "maxretry = 5" is set, so the matching IPs have to have at least 5 authentication failures before they get a temporary ban ).

To investigate why an IP has been banned, you should now investigate your mail logs to find the IP in question. Afterwards, you should investigate WHY the authentication failure took place.

Did the client use a wrong password, or did the client probably try to login with only the username instead of the full eMail address?
Did the client try to use an invalid certificate to authenticate?
What makes you think that Fail2Ban didn't work as expected, when you compare the mail log entries for that IP with the Fail2Ban bans?
 
You were right, I've checked maillog and found this:
warning: SASL authentication failure: realm changed: authentication aborted
warning: unknown[x.x.x.x]: SASL DIGEST-MD5 authentication failed: authentication failure


I changed it from
<mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN>
to
<mech_list: CRAM-MD5 PLAIN LOGIN>.

and everything worked fine!!!!

Thanks for your help
 
@Manos_Gk:
I took a bit different approach... rather than disabling DIGEST-MD5 authentication, you could make Fail2Ban ignore just the DIGEST-MD5 failures that Outlook always creates in the server logs when trying to connect.

You can go into
Tools & Settings -> Jails -> Manage Filters -> postfix-sasl
and change the
(?:CRAM|DIGEST)-MD5) to be (?:CRAM|DIGEST-DisabledByAdmin)-MD5)
so Fail2Ban will not ban your SMTP Outlook users but your other users will still be able to take advantage of the more secure DIGEST-MD5 capability your server has.


You are not alone — thousands of people are having problems with the defective DIGEST-MD5 handling in MS Outlook: http://bit.ly/outlook-breaks-digest-md5
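As an added example (not code from this thread or from the Fail2Ban project), the following Python replays the postfix-sasl failregex quoted above over constructed maillog lines and tallies matches per IP against maxretry, first with the stock mechanism list and then with the DIGEST-DisabledByAdmin edit from this post. The syslog prefix standing in for Fail2Ban's %(__prefix_line)s, the <HOST> expansion, and the sample IPs are assumptions made for the example.

```python
import re
from collections import Counter

# Stand-in for Fail2Ban's %(__prefix_line)s (assumption: syslog-style maillog prefix).
PREFIX = (r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
          r"postfix(?:-\w+)?/(?:submission/)?smtp(?:d|s)\[\d+\]: ")
# Fail2Ban's <HOST> expansion; the IP ends up in the named group "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def build_failregex(mechs):
    """Build the postfix-sasl failregex with a given SASL mechanism alternation.
    Fail2Ban's inline '(?i)' is written as the scoped '(?i:...)' so it compiles
    on current Python versions; the rest mirrors the filter quoted in the thread."""
    return re.compile(PREFIX + r"warning: [-._\w]+\[" + HOST + r"\]: SASL (?i:" + mechs
                      + r") authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$")

ORIGINAL = build_failregex(r"LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5")            # stock filter
EDITED = build_failregex(r"LOGIN|PLAIN|(?:CRAM|DIGEST-DisabledByAdmin)-MD5")  # post's edit

def count_failures(lines, failregex):
    """Tally matching failures per client IP, as the jail does before checking maxretry."""
    hits = Counter()
    for line in lines:
        m = failregex.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def would_ban(lines, failregex, maxretry=5):
    """IPs whose failure count reached maxretry under the given failregex."""
    return sorted(ip for ip, n in count_failures(lines, failregex).items() if n >= maxretry)

# Constructed sample log: 203.0.113.5 is an Outlook client whose DIGEST-MD5 attempts
# fail before it falls back; 198.51.100.7 keeps failing LOGIN with wrong passwords.
SAMPLE_LOG = (
    [f"Mar  3 10:15:0{i} mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: "
     "SASL DIGEST-MD5 authentication failed: authentication failure" for i in range(5)]
    + [f"Mar  3 10:16:0{i} mail postfix/smtpd[1234]: warning: unknown[198.51.100.7]: "
       "SASL LOGIN authentication failed: UGFzc3dvcmQ6" for i in range(6)]
    + ["Mar  3 10:17:00 mail postfix/smtpd[1234]: warning: SASL authentication failure: "
       "realm changed: authentication aborted"]  # carries no IP, never matches
)

if __name__ == "__main__":
    print("stock filter bans:", would_ban(SAMPLE_LOG, ORIGINAL))  # both IPs
    print("edited filter bans:", would_ban(SAMPLE_LOG, EDITED))   # only 198.51.100.7
```

The tally also makes the trade-off visible: with the edited pattern, DIGEST-MD5 failures from any source stop counting toward maxretry, not just those from Outlook clients.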
 