
Fail2Ban Plesk-Postfix Error

Manos_Gk

New Pleskian
I am experiencing a problem with Fail2Ban.
With the Plesk-Postfix jail activated, it also bans legitimate IPs! (All IPs use Microsoft Outlook as mail client)

Jail Settings:
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="smtp,smtps,submission"]
logpath = /var/log/maillog
maxretry = 5
 
Hi Manos_Gk,

please be aware that the Fail2Ban jails are based on the Fail2Ban filters they use. It is a wise idea to post both in case of any issue/problem/failure/error.

I add the used filter ( postfix-sasl, the standard filter from your Fail2Ban package ) for you:
Code:
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix(-\w+)?/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]

journalmatch = _SYSTEMD_UNIT=postfix.service


# Author: Yaroslav Halchenko

As you can see, the regex is quite simple and the task is to ban IPs which have authentication failures ( "maxretry = 5" is set, so the matching IPs have to have at least 5 authentication failures before they get a temporary ban ).

To investigate why an IP has been banned, you should now investigate your mail logs to find the IP in question. Afterwards, you should investigate WHY the authentication failure took place.

Did the client use a wrong password, or did the client perhaps try to log in with only the username instead of the full e-mail address?
Did the client try to use an invalid certificate to authenticate?
What makes you think that Fail2Ban didn't work as expected, when you compare the mail log entries for that IP with the Fail2Ban bans?
 
You were right; I've checked the maillog and found this:
warning: SASL authentication failure: realm changed: authentication aborted
warning: unknown[x.x.x.x]: SASL DIGEST-MD5 authentication failed: authentication failure


I changed it from
<mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN>
to
<mech_list: CRAM-MD5 PLAIN LOGIN>.

and everything worked fine!!!!

Thanks for your help
 
@Manos_Gk:
I took a somewhat different approach: rather than disabling DIGEST-MD5 authentication, you could make Fail2Ban ignore just the DIGEST-MD5 failures that Outlook always creates in the server logs when trying to connect.

You can go into
Tools & Settings -> Jails -> Manage Filters -> postfix-sasl
and change the
(?:CRAM|DIGEST)-MD5) to be (?:CRAM|DIGEST-DisabledByAdmin)-MD5)
so Fail2Ban will not ban your SMTP Outlook users but your other users will still be able to take advantage of the more secure DIGEST-MD5 capability your server has.


You are not alone — thousands of people are having problems with the defective DIGEST-MD5 handling in MS Outlook: http://bit.ly/outlook-breaks-digest-md5
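As an added example (not code from this thread or from the Fail2Ban project), the following reconstructs the postfix-sasl failregex in Python and runs both the stock mechanism group and the edited one from the post above over constructed maillog lines, so the effect of the change on what counts toward maxretry can be seen directly. The syslog prefix is a simplified assumption standing in for common.conf's __prefix_line, and the <HOST> substitution follows the group Fail2Ban uses for it.

```python
import re
from collections import Counter

# Assumed, simplified stand-in for fail2ban's %(__prefix_line)s from common.conf:
# syslog timestamp, hostname, then the _daemon pattern from the postfix-sasl filter.
PREFIX_LINE = r"^\w{3} +\d+ \d+:\d+:\d+ \S+ postfix(?:-\w+)?/(?:submission/)?smtp(?:d|s)\[\d+\]: "
# fail2ban replaces <HOST> with this named group (optional IPv4-mapped IPv6 prefix).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def build_failregex(mech_alternatives):
    """Assemble the filter's failregex around the given SASL mechanism alternatives.
    The stock filter writes '(?i)' inside the group; Python 3.11+ rejects a global
    flag that is not at the start, so the scoped form '(?i:...)' is used here."""
    return re.compile(
        PREFIX_LINE
        + r"warning: [-._\w]+\[" + HOST + r"\]: SASL (?i:" + mech_alternatives + r") "
        + r"authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$"
    )

# Stock postfix-sasl mechanism group, and the edited group suggested in the thread.
STOCK = build_failregex(r"LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5")
OUTLOOK_FIX = build_failregex(r"LOGIN|PLAIN|(?:CRAM|DIGEST-DisabledByAdmin)-MD5")

def count_failures(regex, log_lines):
    """Return {host: matching lines}, i.e. what fail2ban counts against maxretry."""
    hits = Counter()
    for line in log_lines:
        m = regex.match(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)

# Constructed sample maillog lines (not taken from the thread). 203.0.113.7 plays an
# Outlook client producing the DIGEST-MD5 noise described above; 198.51.100.9 is a
# client repeatedly failing with other mechanisms, which should still be counted.
SAMPLE_LOG = [
    "Jan 12 10:15:01 mail postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL DIGEST-MD5 authentication failed: authentication failure",
    "Jan 12 10:15:02 mail postfix/smtpd[1234]: warning: SASL authentication failure: realm changed: authentication aborted",
    "Jan 12 10:15:03 mail postfix/smtpd[1234]: warning: unknown[203.0.113.7]: SASL DIGEST-MD5 authentication failed: authentication failure",
    "Jan 12 10:16:00 mail postfix/submission/smtpd[1240]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure",
    "Jan 12 10:16:01 mail postfix/submission/smtpd[1240]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 12 10:16:02 mail postfix/smtps[1241]: warning: unknown[198.51.100.9]: SASL CRAM-MD5 authentication failed: authentication failure",
]

if __name__ == "__main__":
    print("stock filter:", count_failures(STOCK, SAMPLE_LOG))
    print("outlook fix :", count_failures(OUTLOOK_FIX, SAMPLE_LOG))
```

The second count shows the trade-off of the edited group: DIGEST-MD5 failures from any client, not only Outlook, stop counting toward maxretry, while LOGIN, PLAIN and CRAM-MD5 failures are still banned as before.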
 