3

I am trying to change the sender of Fail2ban email notifications to a separate domain.

Inside /etc/fail2ban/jail.local I specify:

sender = no-reply@externaldomain.com
mta = mail

However, when I restart the service, emails are still being sent from root@domain.com

I am using Postfix and configured the relay to use an external domain correctly. Is there anything else I am missing in Fail2ban options?

OscarAkaElvis
JoaMika
  • Here is a jail I have set up for SSH:

    ```
    [ssh-iptables]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
             sendmail-buffered[name=SSH, dest=administrator@domain.com, sender=fail2ban@domain.com, sendername="Fail2Ban"]
    logpath = /var/log/secure
    maxretry = 5
    bantime = 604800
    ```

    – Stephan Dec 28 '17 at 07:30

1 Answer

1

Summary

Because you are using mta = mail, the variable sender is not used (by default). You must change some config(s) to make the command use the sender variable.

If you are like me, you read an article like "How To Protect an Nginx Server with Fail2Ban on Ubuntu 14.04", which mentions using sendername = Fail2BanAlerts. Perhaps sendername was used in the default actions in past versions, but at least with my version, v0.11.1, neither sender nor sendername is used by the mail actions (they ARE used by the sendmail-* actions, e.g. sendmail-whois-lines.conf). You can change the actions to use the variables, or hard-code values in the actions.

Detail

How to actually send an email is specified (in your case, because you specified mta = mail) in one of the files starting with mail in the /etc/fail2ban/action.d/ dir:

  • mail-buffered.conf
  • mail-whois-common.conf
  • mail-whois-lines.conf
  • mail-whois.conf
  • mail.conf

You didn't say what your action is set to, but let's assume for example that it's configured like this: action = %(action_mwl)s.

In your jail file (e.g. /etc/fail2ban/jail.local), it has something like this:

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

Note the %(mta)s-whois-lines part at the start of the second line. The %(mta)s is Python string interpolation with the mta variable, so it becomes mail-whois-lines. So, you need to edit the file /etc/fail2ban/action.d/mail-whois-lines.conf.

In the file /etc/fail2ban/action.d/mail-whois-lines.conf, there's this:

mailcmd = mail -s

You could hard-code some values here. The mail command (Postfix) needs to use -a to specify headers like From:. So you could do this:

mailcmd = mail -a "From: My Name <myemail@example.com>" -s

Or you could use the sender variable like this:

mailcmd = mail -a "From: <sender>" -s

Extra credit: use sendername variable

If you have this in your jail.local:

sendername = My Name

How do you use that? We first need to update (the second line only of) where we set action_mwl. You can already see that sender is being passed there. Let's add sendername.

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sendername="%(sendername)s", sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

Then use it in the action.d/mail-whois-lines.conf:

mailcmd = mail -a "From: <sendername> <<sender>>" -s

We must use double angle brackets around sender because variables require the angle brackets, and the From header itself needs the angle brackets around the email address (if a From name is used).

Tyler Collier
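As an added illustration (not part of the answer above, and not Fail2ban's own code): a simplified Python model of the two substitution stages the answer describes, `%(...)s` interpolation in jail.local followed by `<tag>` replacement in mailcmd, with a check for sender settings that are passed to the action but never referenced. It uses the standard library's configparser rather than Fail2ban's config reader; the jail text, the banaction and destemail values, and the function names are constructed for the example.

```python
import configparser
import re

# Constructed sample mirroring the jail.local settings quoted on this page.
JAIL_LOCAL = """
[DEFAULT]
mta = mail
sender = no-reply@externaldomain.com
sendername = My Name
destemail = root@localhost
banaction = iptables-multiport
action_mwl = %(banaction)s[name=%(__name__)s]
             %(mta)s-whois-lines[name=%(__name__)s, sendername="%(sendername)s", sender="%(sender)s", dest="%(destemail)s"]

[sshd]
action = %(action_mwl)s
"""

def mail_action(jail_text, jail):
    """Stage 1: resolve %(...)s and return (action file name, args) for the mail action."""
    cp = configparser.ConfigParser()
    cp.read_string(jail_text)
    # Python 3's configparser does not define __name__, so supply the jail name.
    resolved = cp.get(jail, "action", vars={"__name__": jail})
    prefix = cp.get(jail, "mta") + "-"
    for line in resolved.splitlines():
        m = re.match(r"\s*([\w-]+)\[(.*)\]\s*$", line)
        if m and m.group(1).startswith(prefix):
            pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,]+))', m.group(2))
            return m.group(1), {k: q or b.strip() for k, q, b in pairs}
    return None, {}

def expand(mailcmd, args):
    """Stage 2: replace each <tag> with its argument; unknown tags are left as-is."""
    return re.sub(r"<(\w+)>", lambda m: args.get(m.group(1), m.group(0)), mailcmd)

def unused_sender_args(mailcmd, args):
    """Sender settings passed to the action that mailcmd never references."""
    used = set(re.findall(r"<(\w+)>", mailcmd))
    return sorted(k for k in ("sender", "sendername") if k in args and k not in used)

if __name__ == "__main__":
    name, args = mail_action(JAIL_LOCAL, "sshd")
    for cmd in ("mail -s", 'mail -a "From: <sendername> <<sender>>" -s'):
        print(name, "|", expand(cmd, args), "| unused:", unused_sender_args(cmd, args))
```
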