Dovecot can log client IP instead of connection IP, when webmail passes this
information over using IMAP `ID` command, and webmail server has been added to
login_trusted_networks.
The keywords used for this feature are
x-originating-ip
x-originating-port
x-connected-ip
x-connected-port
x-proxy-ttl (hop count)
Aki
> On 21/12/2020 14:12 Tom Hendrikx <tom at whyscream.net> wrote:
>
>
> Hi,
>
> Ideally the webmail has it's own logfile, where it also emits error
> messages containing the ip-address of the failed login attempt. This
> could be as simple as a HTTP 401 error in the nginx/apache logfile on
> the webmail domain. You can then instruct fail2ban to read that logfile
> and disallow access to the webmail for the ip address.
>
> In the end, the attempts try to access the webmail, and not the IMAP
> server directly. So it's better to block access to the webmail/web
server.
>
> Kind regards,
> Tom
>
> On 21-12-2020 11:16, Javi Legido wrote:
> > Hi there.
> >
> > First of all many thanks to all the people involved in this project
for
> > their time, I really appreciate it.
> >
> > Second my use case:
> >
> > a) Container running Webmail (roundcube) with dovecot-ident plugin
> > enabled
> >
<https://github.com/roundcube/roundcubemail/issues/5336#issuecomment-228131074>.
> > b) Container running Dovecot? 2.3.4.1 (docker-mailserver-mysql
> > <https://github.com/Kedu-SCCL/docker-mailserver-mysql>) with
fail2ban
> > enabled
> >
> > Since I need to add the private IP address of the webmail to
> > "login_trusted_networks" to "...allow to override their
IP addresses and
> > ports" I can keep login to webmail even though if the IP is
blocked.
> >
> > Question: there's any way to:
> >
> > a) Allow a certain IP range to override it's IP address and ports
(as in
> > "login_trusted_networks") but
> > b) Be blocked, as any other incoming connections, by fail2ban?
> >
> > More context. Once the public IP is banned (8.8.8.8 in this example):
> >
> > ```
> > 2020-12-21 10:10:31,371 fail2ban.filter ? ? ? ? [309]: INFO ?
?[dovecot]
> > Found 8.8.8.8 - 2020-12-21 10:10:31
> > 2020-12-21 10:10:39,189 fail2ban.filter ? ? ? ? [309]: INFO ?
?[dovecot]
> > Found 8.8.8.8 - 2020-12-21 10:10:39
> > 2020-12-21 10:10:51,222 fail2ban.filter ? ? ? ? [309]: INFO ?
?[dovecot]
> > Found 8.8.8.8 - 2020-12-21 10:10:51
> > 2020-12-21 10:10:52,008 fail2ban.actions ? ? ? ?[309]: NOTICE
?[dovecot]
> > Ban 8.8.8.8
> > ```
> >
> > I can't reach dovecot by telnet from this public IP:
> >
> > ```
> > telnet mail.example.com <http://mail.example.com> 143
> > Trying 9.9.9...
> > telnet: Unable to connect to remote host: Connection refused
> > ```
> >
> > Unless I removed the ban:
> >
> > ```
> > docker exec mail fail2ban-client set dovecot unbanip 8.8.8.8
> > ```
> >
> > Many thanks.
> >
> > Javier