Page 1 of 1

SMTP/IMAP issue

Posted: Fri Jan 03, 2020 8:04 am
by zimmer
Hi all,
I'm facing problem with recieving e-mails on app for phones. I'm guesssing that it's more related to dovecot issue but I can't be sure as I can't find that it's banned or blocked.
So, my problem is that sometimes I can recieve e-mails ( depends on internet which I'm using to) for instance, at work wi-fi it works fine, but when I'm switching to Cellular Data I can't update my mailbox. So, I thought that it might be some restriction from mobile operator, but I'm facing the same problem at home wi-fi. I can't find in log's anything about that ( and bit confused.. If you have or had this problem before, please help me. Any suggestion or tips are highly appriciated.

Thanks.

Re: SMTP/IMAP issue

Posted: Mon Jan 06, 2020 7:51 am
by zimmer
The problem was resolved by changing regex configuration of Fail2Ban.

Re: SMTP/IMAP issue

Posted: Mon Jan 06, 2020 8:59 pm
by Elfy
Can you post the regex fix? I'm having similar issues.

Re: SMTP/IMAP issue

Posted: Wed Jan 08, 2020 5:29 am
by zimmer
Elfy wrote:
Mon Jan 06, 2020 8:59 pm
Can you post the regex fix? I'm having similar issues.
Sure, here is my regex config for EXIM and Dovecot:
"exim.conf"

Code: Select all

# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local

before = exim-common.conf

[Definition]

failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
             ^%(pid)s (plain|login) authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
             ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
             ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
             \[<HOST>\]: 535 Incorrect authentication data

ignoreregex = 


# DEV Notes:
# The %(host_info) defination contains a <HOST> match
#
# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
# user injectable data.
"dovecot.conf"

Code: Select all

# Fail2Ban filter Dovecot authentication and pop3/imap server
# 
[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = ^%(__prefix_line)s(pam_unix(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
            ^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((no auth attempts|auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}(, session=<\w+>)?(, TLS( handshaking)?(: Disconnected)?)?\s*$
            ^%(__prefix_line)s(Info|dovecot: auth\(default\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
            (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*

ignoreregex = 

# DEV Notes:
# # * the first regex is essentially a copy of pam-generic.conf
# # * Probably doesn't do dovecot sql/ldap backends properly
# #
Please, let me know if this will fix your issue as well.

Re: SMTP/IMAP issue

Posted: Wed Jan 08, 2020 7:40 pm
by Elfy
I haven't implemented your regexes yet, but I'm pretty confident they will work. I see in my Dovecot logs the following:

Code: Select all

Jan 08 12:17:04 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, session=<VV3kvfFC6Eb1>
Jan 08 12:17:04 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, session=<1V7lvC6Eb1>
Jan 08 12:17:04 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, session=<zjHnvFC6Eb1>
Jan 08 12:17:04 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, session=<4G7pvPFC6Eb1>
Jan 08 12:18:01 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, session=<+XRHwfJC6Eb1>
Jan 08 12:18:01 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, session=<wJxIPJC6Eb1>
Jan 08 12:18:01 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, session=<fnbBfJC6Eb1>
Jan 08 12:18:01 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, lip=XXX.XXX.XXX.XXX, session=<T+JMwKJC6Eb1>
Jan 08 12:18:47 imap(elfy@xxxxxx.com): Info: Disconnected for inactivity in=33 out=824
After these login attempts, Fail2ban does it's job and bans the IP I'm trying to log in from. This happens especially when I'm travelling from network to network. However, it looks like your regex handles this, so I'll give it a try and see if it does the trick. Just the fact that you connected phone and fail2ban really helps get me pointed in the right direction with troubleshooting. So, thanks!