Background
It’s important to double-check your server security at all times. We have found two instances where Fail2ban’s Postfix SASL banning on default Virtualmin installations on Ubuntu servers does not work. It’s troubling because at first glance it appears to be working; only when you dig deeper do you discover it is not. The other worrying bit is that Postfix SASL attacks are probably the most common problem on an email server.
Finding the problem is hard because if you look at /var/log/fail2ban.log it appears banning is taking place. But if you look closely you will see the same IP addresses repeating. The other big clue is in /var/log/mail.log, where you will see a flurry of activity the whole time.
The commands to reveal whether the jails are actually there and what is taking place are:

```
fail2ban-client status
```

Once you identify the jail, you can then do:

```
fail2ban-client status postfix-sasl
```
Fail2ban typically relies on two configuration files: `jail.local` and a filter file named similarly to the jail, e.g. `/etc/fail2ban/filter.d/postfix-sasl.conf`. But be aware that the filter.d file could have a different name if a `filter` directive has been specified in jail.local.
Here is a typical jail.local:

```
cat /etc/fail2ban/jail.local
...
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap,imaps,pop3,pop3s
maxretry = 2
findtime = 60
bantime = 86400
```
On fresh Ubuntu 20.04 installations and fresh Ubuntu 18.04 servers the problems are different. The second part of this article addresses an Ubuntu 18.04 issue where `imap3` instead of `imap` appears in the jail. For now, on Ubuntu 20.04 this is the solution we implement: a new jail section, with the numeric 2 appended to its name, pointing to a new filter:

```
cat /etc/fail2ban/jail.local
# New aggressive jail, and new pointer to filter
[postfix-sasl2]
enabled = true
port = smtp
filter = postfix-sasl2
logpath = /var/log/mail.log
maxretry = 2
```
This file of course references the new filter `postfix-sasl2`, which looks like this:

```
cat /etc/fail2ban/filter.d/postfix-sasl2.conf
# New filter because Postfix SASL filter does not work
#
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = postfix/(submission/)?smtp(d|s)

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

ignoreregex = authentication failed: Connection lost to authentication server$

[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
ignoreregex =

# Author: Yaroslav Halchenko
```
Remember to restart Fail2ban afterwards (`service fail2ban restart`).
A reference to where this solution was found is at the end of this article.
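To confirm offline that the postfix-sasl2 filter actually matches what Postfix writes to mail.log, here is an added example (not part of the original article or of Fail2ban) that applies the filter's failregex and ignoreregex to constructed log lines and counts failures per host the way a jail with `maxretry = 2` would. It assumes a simplified stand-in for Fail2ban's `%(__prefix_line)s` and ignores the `findtime` window; on a real server the equivalent check is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl2.conf`.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of /var/log/mail.log entries (not real data).
SAMPLE_LOG = """\
Jul 13 20:35:18 mail postfix/smtpd[12345]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 13 20:35:19 mail postfix/smtpd[12345]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul 13 20:35:20 mail postfix/submission/smtpd[12346]: warning: host.example[198.51.100.7]: SASL PLAIN authentication failed: generic failure
Jul 13 20:35:21 mail postfix/smtpd[12347]: warning: unknown[203.0.113.5]: SASL CRAM-MD5 authentication failed: Connection lost to authentication server
Jul 13 20:35:22 mail postfix/smtpd[12348]: connect from unknown[192.0.2.10]
"""

# _daemon as defined in the postfix-sasl2 filter.
DAEMON = r"postfix/(?:submission/)?smtp(?:d|s)"
# Simplified stand-in for Fail2ban's %(__prefix_line)s (common.conf): the syslog
# date is stripped separately, leaving an optional hostname plus "daemon[pid]: ".
PREFIX_LINE = r"(?:\S+\s+)?" + DAEMON + r"\[\d+\]:\s+"
# Fail2ban's expansion of the <HOST> placeholder.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The filter's failregex; its mid-pattern (?i) is written as a scoped (?i:...)
# group here because Python 3.11+ rejects global flags that are not at the start.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE + r"warning: [-._\w]+\[" + HOST + r"\]: SASL "
    r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(: [ A-Za-z0-9+/:]*={0,2})?\s*$"
)
IGNOREREGEX = re.compile(r"authentication failed: Connection lost to authentication server$")
SYSLOG_DATE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\s+")


def failures_per_host(log_text):
    """Count failregex matches per <HOST>, skipping lines the ignoreregex hits."""
    counts = Counter()
    for line in log_text.splitlines():
        body = SYSLOG_DATE.sub("", line, count=1)
        m = FAILREGEX.match(body)
        if m and not IGNOREREGEX.search(body):
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=2):
    """Hosts that reached maxretry failures (findtime window not modelled here)."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

If a line from your own mail.log is not counted here, the filter will not count it either, which is exactly the silent failure the article describes.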
Ubuntu 18.04
This section addresses a problem on Ubuntu 18.04 and is specific to an incorrect `imap3` entry in the jail.

On a newly installed Virtualmin server, when you tail /var/log/mail.log, you might note repeated attempts to break through your Postfix SASL authentication. This will confuse you, because when you browse to the jails you will see that postfix-sasl appears to be enabled in [auth] mode.
Symptoms
Fail2ban doesn’t show in the UI when jails are broken. You have to stop and start the service. To see the actual error, run `service fail2ban restart`. At that point lots of messages might scroll up complaining about bans, such as the one below.

```
ERROR Failed to execute ban jail 'postfix-sasl' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '46.38.150.94', 'family': 'inet4', 'ip-rev': '94.150.38.46.', 'ip-host': None, 'fid': '46.38.150.94', 'failures': 13, 'time': 1594664763.3610485, 'matches': 2020-07-13 20:35:18,461 fail2ban.transmitter [42982]: ERROR Jail 'postfix-sasl' skipped, because of wrong configuration: Unable to read the filter 'postfix-sasl' generic failure', 'ipfailures': 3243, 'ipjailfailures': 3243})': Error starting action Jail('postfix-sasl')/firewallcmd-ipset
```
Solution
The solution is to remove `imap3` from the Fail2ban configuration for the postfix-sasl jail. This could be in various places, but look here first:

```
cat /etc/fail2ban/jail.local
```

The output should be similar to this:

```
[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
maxretry = 2
findtime = 2
bantime = 86400
filter = postfix
```

Remove the 3 behind imap.
On a subsequent start of Fail2ban, you should now see your bans taking effect:

```
2020-07-13 20:50:04,664 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 212.70.149.35
2020-07-13 20:50:05,300 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.247
2020-07-13 20:50:05,311 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.248
2020-07-13 20:50:05,320 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.250
2020-07-13 20:50:05,329 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.251
2020-07-13 20:50:05,339 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.252
2020-07-13 20:50:05,356 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.254
2020-07-13 20:50:05,366 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.145.5
2020-07-13 20:50:05,379 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.148.10
2020-07-13 20:50:05,393 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.148.2
2020-07-13 20:50:05,403 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.148.6
2020-07-13 20:50:05,415 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.142
2020-07-13 20:50:05,428 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.153
2020-07-13 20:50:05,440 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.188
2020-07-13 20:50:05,450 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.190
2020-07-13 20:50:05,464 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.191
2020-07-13 20:50:05,474 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.193
2020-07-13 20:50:05,487 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.203
2020-07-13 20:50:05,505 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.37
2020-07-13 20:50:05,521 fail2ban.actions [48288]: NOTICE [postfix-sasl] Restore Ban 46.38.150.94
```
References
- Ubuntu 20.04 problem
- Reference to Ubuntu 18.04 will be added here at some stage