exim dovecot as virtual machine / behind proxy log actual ip of client

Question

server is exposed to regular dovecot and exim bruteforce attempts, in order to guess valid mail & password.

have written a script that scans logs of wrong ssh logins and blocks the ip for one day

https://dwaves.org/2016/10/25/gnu-linux-iptables-firewall-update-2020-autoban-brute-force-ssh-and-exim-attacks-with-iptables/

but without the proper IP of the client doing the wrong

IP can not be blocked by iptables

how can dovecot / exim be configured, to log the actual IP address of the client that is trying to guess a password?

==> /var/log/exim/main.log <== 
2020-06-26 19:34:48 dovecot_login authenticator failed for (User) [10.0.2.2]: 535 Incorrect authentication data (set_id=phpthumbdebug@domain.com) 
2020-06-26 19:34:48 dovecot_login authenticator failed for (User) [10.0.2.2]: 535 Incorrect authentication data (set_id=h1@domain.com)

found this: lmtp

https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/

and that:

https://wiki2.dovecot.org/HAProxy

and this:

https://doc.dovecot.org/configuration_manual/proxy_settings/

but it's all too complicated X-D

simply would like to have the proper IP client address in the logs

and not 10.0.2.2 (ip of proxy)

can anyone help?

thanks

it is a virtualbox vm, completely hiding behind it's host, the network interface is set to nat, and ports are forwarded a pretty nice feature https://superuser.com/questions/725318/nat-port-forwarding-in-virtualbox — user13226980, Jun 26 '20 at 20:48
Nice if it worked properly and preserved the source address, which apparently it doesn't. Try using something other than VirtualBox. — Michael Hampton, Jun 26 '20 at 20:56
kvm is also great X-D but virtualbox is imho the only virtualization that runs on windows and linux and osx — user13226980, Jul 01 '20 at 20:13

score 1 · Answer 1 · answered Jun 27 '20 at 22:37

the solution had to be searched on the virtualbox side, virtualbox CAN preserve original client IP adress when passing traffic through host NAT:

# shutdown / poweroff vm
VBoxManage modifyvm "vmname" --nataliasmode1 proxyonly

# power on vm again and monitor the logs
# if the real client ip adresses are now being passed on to the vm or not

--nataliasmode<1-N>
default|[log],[proxyonly],[sameports]

: Defines behaviour of the NAT engine core:

log – enables logging
proxyonly – switches off aliasing mode and makes NAT transparent
sameports – enforces the NAT engine to send packets through the same port as they originated on
default – disable all aliasing modes.

See Section 9.8.7, “Configuring Aliasing of the NAT Engine”. https://www.virtualbox.org/manual/UserManual.html#nat-adv-alias

Links:

https://forums.virtualbox.org/viewtopic.php?f=7&t=98804

Hurray! Mailserver vms are now safe again! The world has become a better place. — user13226980, Jun 27 '20 at 22:38

exim dovecot as virtual machine / behind proxy log actual ip of client

1 Answers1