0

As described in the title, I am running a dovecot/postfix/Rspamd Mailservercombo with a MariaDB behind it.

I noticed how, in the last days, I couldn't receive/send any mail from my e-mail clients anymore. Thunderbird noticed too: It is not possible to connect with the SMTP Server anymore.

The only things I changed around this time are:

  • I added a phpmyadmin access with additional linux user query from the apache2 Server and
  • (on recommendation of a "friend") installed fail2ban as an additional protection against bruteforce requests against the webservices. I left it on the default settings, only changed the bantime to 1 hr.

Since then I removed and purged fail2ban, sure it was the problem. It wasn't. (?)

After reading the following output from syslog I traced it back to UFW:

syslog output (masked)

UFW itself has following configuration:

# cat /etc/ufw/user.rules
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow tcp 2222 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 2222 -j ACCEPT

### tuple ### allow tcp 25 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 25 -j ACCEPT

### tuple ### allow tcp 465 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 465 -j ACCEPT

### tuple ### allow tcp 587 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 587 -j ACCEPT

### tuple ### allow tcp 143 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 143 -j ACCEPT

### tuple ### allow tcp 993 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 993 -j ACCEPT

### tuple ### allow tcp 4190 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 4190 -j ACCEPT

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT

### END RULES ###

### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT

As you can see on the last few entries, it seems to maybe be triggered by ufw-after-logging-input, ufw-after-logging-forward or ufw-logging-deny. However, this is where my 'knowledge' ends right now. The only thing I additionaly noticed was that the following line was marked red in the user.rules, but that could just be nothing...

User.rules in the CLI

I re-installed fail2ban to do this:

# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     158
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   112.xxx.xxx.xxx

# fail2ban-client set sshd unbanip 112.xxx.xxx.xxx
112.xxx.xxx.xxx

# fail2ban-client status sshd
[...]
   `- Banned IP list:

/var/log/auth.log lists many of this kind of entries, all from the SAME IP:

Jun 25 19:56:51 mail sshd[26691]: Connection closed by 112.xxx.xxx.xxx port 60391 [preauth]
Jun 25 19:56:52 mail sshd[26693]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.xxx.xxx.xxx  user=root
Jun 25 19:56:54 mail sshd[26693]: Failed password for root from 112.xxx.xxx.xxx port 64328 ssh2
Jun 25 19:56:54 mail sshd[26693]: Connection closed by authenticating user root 112.xxx.xxx.xxx port 64328 [preauth]
Jun 25 19:57:03 mail sshd[26697]: Connection closed by 112.xxx.xxx.xxx port 50264 [preauth]

This can't be me as I am never logging in with root.

I searched through plenty of sites but couldn't find any useful lead on how to solve this. It really seems to have come from one of the recent changes I made, although I can't think of anything more than maybe a not deleted rule that may be still around after purging and removing fail2ban.

Some things I also tried in the process of fixing it: - restarting and stop/starting UFW - restarting apache2 - restarting dovecot - looking on Rspamd for event entries on sent test-mails (none were received since the time around the changes I made!) - using another mailclient - adding an acceptance rule for Port 25 to UFW (did not change anything)

P.S.: This server is running Ubuntu.

Is there any way to get my setup back to a working state?

Art3mis
  • 1
  • 4

2 Answers2

0

The UFW config looks correct.

You probably managed to ban your own IP in fail2ban.

Use fail2ban-client status to see which jails are enabled, then fail2ban-client status <jail> to see if your IP address is listed. If you find your IP, you can unban it.

[root@localhost ~]# fail2ban-client status 
Status
|- Number of jail:      1
`- Jail list:   sshd

[root@localhost ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     762
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 13
   |- Total banned:     86
   `- Banned IP list:   121.136.181.58 212.224.124.98 65.94.147.197 176.159.245.52 68.32.77.29 112.17.128.44 220.81.48.50 104.210.60.66 104.211.60.207 104.211.46.110 212.64.98.92 59.144.137.186 90.3.202.234

[root@localhost ~]# fail2ban-client set sshd unbanip 203.0.113.187
203.0.113.187
Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
  • I installed fail2ban again to test it out and `apt remove fail2ban --purge` afterwards. I added the results to the initial question for better readability. Sadly no change in the errors. – Art3mis Jun 25 '19 at 17:50
0

I now seem, after many tries, to have fixed my problem. Some hints to solve this:

No, it has nothing to do with those UFW-Blocks. First off, check if you are working with the correct service names! I forgot that, because of a bug, I startet postfix with another servicename than you would normally.

You can propably see if you have the wrong servicename by comparing if this part of systemctl status <servicename>.service is identical on your server:

   CGroup: /system.slice/system-postfix.slice/<servicename>.service
           ├─5832 /usr/lib/postfix/sbin/master -w
           ├─5833 pickup -l -t unix -u -c
           └─5834 qmgr -l -t unix -u

My wrong service had only on CGroup under it's name.

After having the right servicename I could find the problem really quick as systemctl status <servicename>.service now put out proper error messages:

Jun 26 18:32:40 mail postmulti[6814]: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: mua_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Jun 26 18:32:40 mail postmulti[6814]: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: mua_sender_restrictions=permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
Jun 26 18:32:40 mail postmulti[6814]: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: mua_relay_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject

These are the result of a wrong main.cf and master.cf configuration. Both configs depend on each other, if you copy/paste you'll need both from one single source!

I also got the following errors, which hint on a missing (or in my case damaged) implementation of the postfix-mysql packet. Just apt-get remove postfix-mysql and apt-get install postfix-mysql afterwards.

Jun 26 18:20:41 mail postfix/submission/smtpd[6252]: error: unsupported dictionary type: mysql
Jun 26 18:20:41 mail postfix/submission/smtpd[6252]: message repeated 3 times: [ error: unsupported dictionary type: mysql]
Jun 26 18:20:41 mail postfix/submission/smtpd[6252]: fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify at least one working instance of: reject_unauth_destination, defer_unauth_destination, reject, defer, defer_if_permit or check_relay_domains
Jun 26 18:20:42 mail postfix/master[5832]: warning: process /usr/lib/postfix/sbin/smtpd pid 6252 exit status 1
Jun 26 18:20:42 mail postfix/master[5832]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

Another thing that could've done the trick is redoing the mysql user. I first added the user to the mysqldb by accessing the server with root on the commandline and entering grant select on dbname.* to 'username'@'localhost' identified by 'verystrongpassword';. I deleted that user now, replacing it with one I added with phpmyadmin and explicitly adding it to 'username'@'%' instead of 'username'@'localhost'.

One last thing I learned from this - if you add new packages to your server, check if there are dependencies that maybe interfere or would replace an already configured service. (sendmail could also be one of the problems that stopped my postfix server, sadly I can't confirm this after all of the other attempts)

Art3mis
  • 1
  • 4