Roundcube login problems

Discussion in 'ISPConfig 3 Priority Support' started by wwweiss, Feb 21, 2022.

  1. wwweiss

    wwweiss Member HowtoForge Supporter

    I have a multiserver setup with panel, web, mail and webmail (DNS is not needed for me). All setup with the autoinstaller.
    I now noticed a problem with the roundcube login. If I supply a wrong password, it takes about 10 seconds showing "Wird geladen" and then I get "Verbindung zum Speicherserver fehlgeschlagen". After that also the login with the correct password does not work.
    Looking in /var/log/roundcube I do not see much. errors.log gives:
    Code:
    [21-Feb-2022 12:12:55 +0000]: <r8qb6g8e> IMAP Error: Login failed for [email protected] against mail.wwweiss.net from 2003:d0:3717:4700:168:eb3:f735:7c40. Could not connect to ssl://mail.wwweiss.net:993: Connection refused in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 204 (POST /?_task=login&_action=login)
    and in imap.log only this:
    Code:
    [21-Feb-2022 12:12:52 +0000]: <r8qb6g8e> Connecting to IMAP server attempt:0
    [21-Feb-2022 12:12:52 +0000]: <r8qb6g8e> Connecting to IMAP server attempt:1
    [21-Feb-2022 12:12:52 +0000]: <r8qb6g8e> Connecting to IMAP server attempt:2
    [21-Feb-2022 12:12:52 +0000]: <r8qb6g8e> Connecting to IMAP server attempt:3
    [21-Feb-2022 12:12:52 +0000]: <r8qb6g8e> Connecting to IMAP server attempt:4
    [21-Feb-2022 12:12:52 +0000]: <r8qb6g8e> Connecting to IMAP server attempt:5
    Seems to me like the requesting IP is being blocked directly if the first wrong login comes up. Thus blocking each communication between webmail and mail - already not giving back a good error message. Normally I would expect a quick error message if I supply a wrong login. After waiting about 15 minutes I can login again when supplying the correct password.
    How can I solve this problem, or how can I get more debug details?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the fail2ban.log file, most likely you get banned by fail2ban. You can e.g. increase the number of retries in fail2ban configuration. And as you have seen in the log, RoundCube seems to do multiple retries in a short period of time, which makes it likely that fail2ban gets triggered (I guess it blocks after 3 false retries).
     
  3. wwweiss

    wwweiss Member HowtoForge Supporter

    Thank you for this hint. Indeed fail2ban blocked the internal IP. I don't know much about fail2ban configuration, but I think that in this scenario the local IP (in my case 10.20.30.5) should not be blocked at all. This does not make any sense, because then ONE stupid Roundcube user will kill all others. If we block something here it has to be done on the Webmail server (here we can block the IP from the user).
    I did not make any configuration on my side until now. So this was set from the autoinstaller. Wouldn't it make sense to change this?
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    It would make sense for you to add the webmail server address to the ignore list in fail2ban and block failed logins in the webmail server like you said. I don't know if it would make sense to do that in the autoinstaller, it might, but configuring fail2ban is something you need to do for each specific server, there aren't a lot of one-size-fits-all settings.
     
  5. wwweiss

    wwweiss Member HowtoForge Supporter

    Ok, I understand that it might not be possible to get a working default. But maybe you should make a notice that it is important to change the configuration in such a multiserver setup.
    Still I think there must be another problem with Roundcube. It does not make sense that roundcube sends 5 login trials so that fail2ban triggers. If the first login trial fails there should immediately be a message saying something like "Wrong credentials" and not trying again and again. Have you any idea how this can be reached?
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I don't know what all roundcube does to try/retry various login methods, but it seems irrelevant, as you don't want your mail server to block off the webmail server, even if it did operate the way you have in mind. I'm sure roundcube presents some message to a client with a wrong password; from there, configure blocking for failed roundcube logins on the roundcube server (e.g. you could set up fail2ban on that server to do so).
     
  7. wwweiss

    wwweiss Member HowtoForge Supporter

    Thank you for your fast and good support here - though I have seen now that the problem is not related to ISPConfig, it is a problem of roundcube (there was a fix some time ago that changed the behavior, so now it definitely tries 5 times if the login fails).
    Setting the ignoreip on the mailserver solves the primary problem. Still I think that roundcube should not try so often - but this is something for a roundcube forum.
    Maybe you can think about adding an additional info regarding ignoreip in the multiserver tutorial. I think there is no situation where it is necessary that the webmail server should be blocked by the mailserver.
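
The two settings the thread arrives at, as an added example that is not part of any post or of ISPConfig's shipped configuration: `ignoreip` for the webmail host on the mail server, and a jail for failed Roundcube logins on the webmail server, where the log records the real client address. The address 10.20.30.5 and the log path come from the thread; the retry and time values, and the use of fail2ban's stock `roundcube-auth` filter against that log file, are assumptions.

```ini
# --- Mail server: /etc/fail2ban/jail.local ---
# If the file already has a [DEFAULT] section, merge this line into it.
[DEFAULT]
# Never ban loopback or the webmail server. 10.20.30.5 is the internal
# webmail address mentioned in the thread; replace it with your own.
ignoreip = 127.0.0.1/8 ::1 10.20.30.5

# --- Webmail server: /etc/fail2ban/jail.local ---
# Bans the end user's address instead of the webmail host's.
[roundcube-auth]
enabled  = true
filter   = roundcube-auth
port     = http,https
# Log file from the thread; it records "IMAP Error: Login failed for
# <user> against <host> from <client address>".
logpath  = /var/log/roundcube/errors.log
# Assumed values: 5 failures within 10 minutes, banned for 15 minutes.
maxretry = 5
findtime = 600
bantime  = 900
```

Before enabling the jail, run `fail2ban-regex /var/log/roundcube/errors.log roundcube-auth` on the webmail server to confirm the filter matches your Roundcube version's log lines, then reload fail2ban on both hosts.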
     
