Dovecot can log client IP instead of connection IP, when webmail passes this information over using IMAP `ID` command, and webmail server has been added to login_trusted_networks.

The keywords used for this feature are

x-originating-ip
x-originating-port
x-connected-ip
x-connected-port
x-proxy-ttl (hop count)

Aki

> On 21/12/2020 14:12 Tom Hendrikx <[email protected]> wrote:
>
> Hi,
>
> Ideally the webmail has its own logfile, where it also emits error
> messages containing the ip-address of the failed login attempt. This
> could be as simple as an HTTP 401 error in the nginx/apache logfile on
> the webmail domain. You can then instruct fail2ban to read that logfile
> and disallow access to the webmail for the ip address.
>
> In the end, the attempts try to access the webmail, and not the IMAP
> server directly. So it's better to block access to the webmail/web server.
>
> Kind regards,
> Tom
>
> On 21-12-2020 11:16, Javi Legido wrote:
> > Hi there.
> >
> > First of all many thanks to all the people involved in this project for
> > their time, I really appreciate it.
> >
> > Second my use case:
> >
> > a) Container running Webmail (roundcube) with dovecot-ident plugin enabled
> > <https://github.com/roundcube/roundcubemail/issues/5336#issuecomment-228131074>.
> > b) Container running Dovecot 2.3.4.1 (docker-mailserver-mysql
> > <https://github.com/Kedu-SCCL/docker-mailserver-mysql>) with fail2ban
> > enabled
> >
> > Since I need to add the private IP address of the webmail to
> > "login_trusted_networks" to "...allow to override their IP addresses and
> > ports" I can keep logging in to webmail even if the IP is blocked.
> >
> > Question: is there any way to:
> >
> > a) Allow a certain IP range to override its IP address and ports (as in
> > "login_trusted_networks") but
> > b) Be blocked, as any other incoming connections, by fail2ban?
> >
> > More context. Once the public IP is banned (8.8.8.8 in this example):
> >
> > ```
> > 2020-12-21 10:10:31,371 fail2ban.filter [309]: INFO [dovecot] Found 8.8.8.8 - 2020-12-21 10:10:31
> > 2020-12-21 10:10:39,189 fail2ban.filter [309]: INFO [dovecot] Found 8.8.8.8 - 2020-12-21 10:10:39
> > 2020-12-21 10:10:51,222 fail2ban.filter [309]: INFO [dovecot] Found 8.8.8.8 - 2020-12-21 10:10:51
> > 2020-12-21 10:10:52,008 fail2ban.actions [309]: NOTICE [dovecot] Ban 8.8.8.8
> > ```
> >
> > I can't reach dovecot by telnet from this public IP:
> >
> > ```
> > telnet mail.example.com 143
> > Trying 9.9.9...
> > telnet: Unable to connect to remote host: Connection refused
> > ```
> >
> > Unless I removed the ban:
> >
> > ```
> > docker exec mail fail2ban-client set dovecot unbanip 8.8.8.8
> > ```
> >
> > Many thanks.
> >
> > Javier
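
A simplified model of the situation discussed in this thread, added here as an example (it is not Dovecot's or fail2ban's code): the logged address follows the IMAP `ID` override only for peers in login_trusted_networks, while a packet-filter ban matches the real TCP source, so the webmail's own connection is never dropped. The addresses 172.18.0.5, 172.18.0.0/16 and 203.0.113.7, the port 51234, the function names, and the premise that the ban is a firewall rule on the source address are all assumptions.

```python
import ipaddress
import re

# Keywords listed in the message above; values arrive as quoted IMAP strings.
ID_KEYS = {"x-originating-ip", "x-originating-port", "x-connected-ip",
           "x-connected-port", "x-proxy-ttl"}


def parse_id(command):
    """Return the recognised key/value pairs of an IMAP ID command."""
    m = re.match(r'(?i)^\S+\s+ID\s+\((.*)\)\s*$', command.strip())
    if not m:
        return {}
    tokens = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1))
    pairs = zip(tokens[0::2], tokens[1::2])
    return {k.lower(): v for k, v in pairs if k.lower() in ID_KEYS}


def logged_ip(conn_ip, id_params, trusted_networks):
    """IP that ends up in the log: the override counts only for trusted peers."""
    peer = ipaddress.ip_address(conn_ip)
    trusted = any(peer in ipaddress.ip_network(n) for n in trusted_networks)
    claimed = id_params.get("x-originating-ip")
    if not (trusted and claimed):
        return conn_ip
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return conn_ip  # malformed claim: fall back to the real peer


def firewall_drops(conn_ip, banned):
    """A packet-filter ban matches the TCP source address, not the logged one."""
    return conn_ip in banned


# Constructed values: webmail container address, trusted range, banned client.
WEBMAIL = "172.18.0.5"
TRUSTED = ["172.18.0.0/16"]
BANNED = {"8.8.8.8"}
ID_CMD = 'a1 ID ("x-originating-ip" "8.8.8.8" "x-originating-port" "51234")'

if __name__ == "__main__":
    params = parse_id(ID_CMD)
    print("logged via webmail:", logged_ip(WEBMAIL, params, TRUSTED))
    print("webmail connection dropped:", firewall_drops(WEBMAIL, BANNED))
    print("direct connection dropped:", firewall_drops("8.8.8.8", BANNED))
    print("untrusted claim ignored:", logged_ip("203.0.113.7", params, TRUSTED))
```
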
