I have two fail2ban jails that deal with postfix: one called postfixsasl and one called postfixauth. They each are looking for different regex matches for triggering bans. It is possible that both of them might be triggered by activity from the same IP address, and that occurs sometimes.
If one of the bans expires before the other one, it seems like the IP address is getting unbanned, even though the second ban is still active.
For example, suppose I run fail2ban-client get postfixauth banip --with-time and I get the following line within its output (actual IP address dummied out):
aaa.bbb.ccc.ddd 2020-09-28 10:58:24 + 86400 = 2020-09-29 10:58:24
... and suppose I run fail2ban-client get postfixsasl banip --with-time and I get the following output. The same IP address is dummied out in the same way:
aaa.bbb.ccc.ddd 2020-09-28 20:00:37 + 3600 = 2020-09-28 21:00:37
Obviously, the second ban will expire before the first one will. However, it seems like once the second item gets unbanned, the aaa.bbb.ccc.ddd IP address seems to be unbanned, even before the first item's expiration time.
I want the aaa.bbb.ccc.ddd IP address to remain blocked until the latest ban expires, but this is not occurring for me.
Before 21:00:37 on 2020-09-29, the following line appears in the f2b-postfixauth section of iptables -L output:
REJECT all -- aaa.bbb.ccc.ddd anywhere reject-with icmp-port-unreachable
... and the following line appears in the f2b-postfixsasl section of the iptables -L output:
REJECT all -- aaa.bbb.ccc.ddd anywhere reject-with icmp-port-unreachable
After 21:00:37 on 2020-09-29, both lines are gone from the iptables -L output.
Is this expected behavior? Or could it be that there might be something totally unrelated that's wrong with my fail2ban configuration which causes this to occur? If this is not the expected behavior, then I will investigate my fail2ban configuration further.
Thank you very much.
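A diagnostic sketch for the symptom described in the post, added here as an example and not part of the original post or of fail2ban itself: it parses the two output formats quoted above and lists bans that a jail still reports as active but that have no REJECT rule in that jail's f2b- chain. The function names, the 192.0.2.10 address and the sample text are constructed, and it assumes the "Chain f2b-<jail>" header lines that iptables -L prints.

```python
from datetime import datetime

# Constructed sample data in the two formats quoted in the post.
BANIP_OUTPUT = {
    "postfixauth": "192.0.2.10 \t2020-09-28 10:58:24 + 86400 = 2020-09-29 10:58:24\n",
    "postfixsasl": "192.0.2.10 \t2020-09-28 20:00:37 + 3600 = 2020-09-28 21:00:37\n",
}
IPTABLES_OUTPUT = """\
Chain f2b-postfixauth (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain f2b-postfixsasl (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
"""

def parse_bans(text):
    """Map ip -> expiry from 'fail2ban-client get <jail> banip --with-time' output."""
    bans = {}
    for line in text.splitlines():
        left, _, expiry = line.rpartition("=")
        try:
            bans[left.split()[0]] = datetime.strptime(expiry.strip(), "%Y-%m-%d %H:%M:%S")
        except (IndexError, ValueError):
            continue  # blank line or a format this sketch does not know
    return bans

def parse_chains(text):
    """Map jail -> set of REJECT sources found under each 'Chain f2b-<jail>' header."""
    chains, jail = {}, None
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("Chain ") and len(fields) > 1:
            jail = fields[1][4:] if fields[1].startswith("f2b-") else None
            if jail:
                chains[jail] = set()
        elif jail and len(fields) > 3 and fields[0] == "REJECT":
            chains[jail].add(fields[3])  # 4th column is the source address
    return chains

def missing_rules(banip_by_jail, iptables_text, now):
    """List (jail, ip, expiry) for bans still active at 'now' that have no REJECT rule."""
    chains = parse_chains(iptables_text)
    return [(jail, ip, expiry)
            for jail, text in sorted(banip_by_jail.items())
            for ip, expiry in sorted(parse_bans(text).items())
            if expiry > now and ip not in chains.get(jail, set())]
```

Capturing the chain listing with iptables -L -n keeps the source column numeric so it can be compared directly with the addresses fail2ban-client prints.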