Over reactive fail2ban

Discussion in 'ISPConfig 3 Priority Support' started by Jonathon Gilbert, Feb 16, 2023.

  1. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    Hi guys,
    I have started having clients contact me after my last server migration to say that some people's emails are not coming through. I have checked this and sure enough there are particular servers that are being blocked by fail2ban and I cannot figure out why.

    Can someone explain what fail2ban uses to determine if an IP should be blocked?
    I know how to whitelist an IP, but I also don't know how many more of the IPs fail2ban is blocking are actually genuine emails.
    I have a very large client to migrate over and I have been putting him off because of this issue.

    Any light on the subject would be greatly appreciated, or tips to check.
    I'm mainly interested in seeing if there is something specific causing it. I am using rspamd and can see some emails are being blocked as they should, and have whitelisted any that are incorrectly being blocked.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It looks at the log files of the services; you can see that in detail in the config files of fail2ban. Fail2ban e.g. blocks your client when it connects X times for a given mail account using a wrong password, to prevent password attacks. The number of false password attempts is also configurable in the fail2ban config, and you can see in the fail2ban log which IP got blocked for which misbehavior.
     
  3. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    OK so the error that shows with the specific IPs that are being blocked is "postfix-sasl" because it's an email coming in.
    What logs would tell fail2ban it's a bad IP?
    I'm guessing the spam filter? However when I look in there the specific blocked email does not show as having been received. So I can't see why it's failing. I
     
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    /var/log/mail.log (Debian based servers)

    It'll check that log for the number of failed login attempts.
    Shouldn't block other MTAs based on that though, they should be connecting to port 25 without authentication, so no login failures ;)
    Possibly the IP is being blocked (or rather mail rejected) due to being on an RBL? Should also show that in the same log file.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Fail2ban does not block based on an incoming email, and the issue is not spam related or related to the content of the email. fail2ban is a system to block IP addresses based on wrong password use. What happens here likely is that the user that connects to the system is using a wrong username or password, so there is no email delivered: he tries to use SMTP auth with wrong username or password, delivery is stopped because of that wrong username or password, and he gets banned for doing this too many times. Contact your client and ask him to set the correct username and password on all email clients he uses this account on. And as @nhybgtvfr suggested, post the mail.log part regarding this incident and also the fail2ban.log.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    In general, check the mail.log for SMTP authentication failures for any account of that client, because if the client uses multiple accounts behind the same IP address, any of these accounts can cause the block for exceeding SMTP auth failures.
     
  7. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    But the blocked IPs are from people trying to send my client an email. It's not blocking my client's IP.
     
  8. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    Ok thank you for those tips above. I have now checked the mail log and yes... my client's IP is having an issue.
    It states:
    warning: hostname ip-[client IP].addr.[my ISP] does not resolve to address [client ip]: Name or service not known
    I'm guessing this is where it is running into an issue.
     
  9. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    And this is regarding the email my client is trying to receive:

    Feb 16 23:27:03 [myserver] postfix/smtpd[439033]: NOQUEUE: reject: RCPT from mail.[email.sender][email sender IP]: 450 4.7.1 <[email sender domain]>: Helo command rejected: Host not found; from=<email address of sender> to=<[email recipient]> proto=ESMTP helo=<[email sender domain]>
     
  10. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    I'm using rspamd, so could I just disable this in /etc/postfix/main.cf? Would it stop blocking it and just let rspamd do its job?

    "smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit"
     
  11. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    This is what I get when I have the sender send to my gmail account and then run the original email through the rspamd spam scanner.
    It passes the tests and has a score of 0.49/20

    BAYES_HAM (-3) [100.00%]
    HFILTER_HOSTNAME_UNKNOWN (2.5)
    DMARC_POLICY_REJECT (2) [gazley.com : No valid SPF, No valid DKIM,reject]
    NEURAL_HAM_LONG (-1.999981) [-1.000]
    ARC_REJECT (1) [signature check failed: fail, {[1] = sig:google.com:reject}]
    DATE_IN_PAST (1) [28]
    NEURAL_HAM_SHORT (-0.999929) [-1.000]
    MIME_GOOD (-0.1) [multipart/mixed,multipart/related,multipart/alternative,text/plain]
    RCVD_NO_TLS_LAST (0.1)
    MX_GOOD (-0.01) []
    HAS_XOIP (0)
    FROM_HAS_DN (0)
    FREEMAIL_ENVRCPT (0) [xxxxx]
    PREVIOUSLY_DELIVERED (0) [my-gmail account]
    HAS_ATTACHMENT (0)
    RCPT_COUNT_ONE (0) [1]
    RCVD_COUNT_THREE (0) [4]
    TO_DN_ALL (0)
    FREEMAIL_TO (0) [gmail.com]
    FROM_EQ_ENVFROM (0)
    R_DKIM_NA (0)
    MIME_TRACE (0) [0:+,1:+,2:+,3:+,4:~,5:~,6:~,7:~,8:~,9:+,10:+,11:~,12:~,13:~,14:~,15:~,16:+,17:+,18:~,19:~,20:~]
    MID_RHS_MATCH_FROM (0)
     
  12. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    OK so after spending the last 4 hours trying to find ways around this issue, I have reached a point at which I am willing to "wait and see if it works".
    I have disabled "Reject unknown hostnames", found in the ISPConfig console under "Server Config" - "Mail".
    I will see how this goes. If you think this is a bad idea, or if something else I have mentioned may be the cause or be a better option... please let me know.
    I will be watching the rspamd history to see what happens and may update later if the issue still exists.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you did not have any issues with fail2ban but a problem with spam scoring in Rspamd.
     
  14. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    The email doesn't hit rspamd, so rspamd doesn't have a chance to do anything with it. From what I can tell, it is being blocked by postfix for not having a valid hostname.

    Does this setting in the server config only relate to rspamd or does it relate to postfix?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    That's a postfix setting and not a Rspamd setting.
     
  16. pyte

    pyte Well-Known Member HowtoForge Supporter

    You never want to use hostname rejection like "reject_unknown_helo_hostname". This will reject mails from most automated systems and a lot of Exchange servers.

    A lot of mail servers are still not compliant with RFC 2821, so this will almost certainly reject mails you don't want to reject.

    //EDIT: I am talking about Section 3.6 of the RFC.

     
    Jonathon Gilbert likes this.
  17. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    Thank you for that,
    Are there any others in there that may also be causing a similar issue?
    "smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit"
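To see which of the reject_* entries in the chain quoted above produces which rejection, here is an added Python simulation of how Postfix walks that chain (first matching restriction decides); it is not Postfix code or anything from ISPConfig. It assumes a constructed in-memory DNS table (FAKE_DNS) in place of real lookups, leaves out the two check_helo_access map lookups, and uses the default reply codes from postconf(5).

```python
"""Walk the reject_* part of the smtpd_helo_restrictions chain quoted in this
thread as Postfix does: the first matching restriction decides. Added example,
not Postfix source; FAKE_DNS stands in for DNS, access maps are omitted."""
import re

# Constructed DNS table: HELO name -> record types that would resolve.
FAKE_DNS = {
    "mail.example.com": {"A"},
    "relay.example.net": set(),  # well-formed FQDN, no A/AAAA/MX: "Host not found"
}
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
ADDR_LITERAL_RE = re.compile(r"^\[(\d{1,3}\.){3}\d{1,3}\]$")  # e.g. [192.0.2.10]

def malformed(helo):
    """reject_invalid_helo_hostname: some label breaks hostname syntax."""
    if ADDR_LITERAL_RE.match(helo):
        return False
    return not all(LABEL_RE.match(label) for label in helo.split("."))

def not_fqdn(helo):
    """reject_non_fqdn_helo_hostname: single label or numeric top-level label."""
    if ADDR_LITERAL_RE.match(helo):
        return False
    labels = helo.split(".")
    return len(labels) < 2 or labels[-1].isdigit()

def unknown(helo, dns=FAKE_DNS):
    """reject_unknown_helo_hostname: no A, AAAA or MX record for the name."""
    if ADDR_LITERAL_RE.match(helo):
        return False
    return not (dns.get(helo, set()) & {"A", "AAAA", "MX"})

# Predicate and default reply for each restriction (reply codes per postconf(5);
# the 450 "Host not found" reply is the one in the NOQUEUE line posted above).
RESTRICTIONS = {
    "reject_invalid_helo_hostname": (malformed, "501 Helo command rejected: Invalid name"),
    "reject_non_fqdn_helo_hostname": (not_fqdn, "504 Helo command rejected: need fully-qualified hostname"),
    "reject_unknown_helo_hostname": (unknown, "450 4.7.1 Helo command rejected: Host not found"),
}
THREAD_CHAIN = ["reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname",
                "reject_unknown_helo_hostname"]  # trailing "permit" is implicit
# The same chain after "Reject unknown hostnames" is switched off in ISPConfig.
RELAXED_CHAIN = [r for r in THREAD_CHAIN if r != "reject_unknown_helo_hostname"]

def evaluate(helo, chain):
    """Return (restriction, reply) for the first restriction that fires, else ("permit", None)."""
    for name in chain:
        predicate, reply = RESTRICTIONS[name]
        if predicate(helo):
            return (name, reply)
    return ("permit", None)
```

Running evaluate("relay.example.net", THREAD_CHAIN) reproduces the 450 "Host not found" case from the posted log, while the same name passes RELAXED_CHAIN; malformed or single-label HELO names are still rejected by the two remaining restrictions.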
     
  18. Jonathon Gilbert

    Jonathon Gilbert Member HowtoForge Supporter

    Random question in relation to this... If the sending server only has a v6 IP in the header and I'm not set up with v6, would this also cause a similar issue?
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    In general, do not manually alter the postfix config. There is no need to do that. The default setup is fine and works like this on several hundred thousand systems worldwide and normally does not cause false rejections. Whether unknown hostnames are rejected or not is controlled via a setting under System > Server Config > Mail, so only change it there and do not edit the postfix main.cf file.
     
  20. pyte

    pyte Well-Known Member HowtoForge Supporter

    All of them can cause issues, sure. But see, I don't do any helo rejections on our main mailserver and let our spam system handle the stuff.
    However on my private/small mail server the case is a lot different, for example:
    But like till said, I would not change the settings as long as there is no complaint from a user or you notice that a large amount of valid mails are being blocked by your server.

    I wouldn't do it myself on our production machines as our rspamd is heavily customized and works almost perfectly for us. But I am considering leaving these reject_*_helos enabled on the new machines and deciding if I want to use them or not after some live testing.
     
    Jonathon Gilbert likes this.