UFW is blocking mailserver traffic (dovecot, postfix, MariaDB, Rspamd)

Art3mis asked:

As described in the title, I am running a dovecot/postfix/Rspamd Mailservercombo with a MariaDB behind it.

I noticed how, in the last days, I couldn’t receive/send any mail from my e-mail clients anymore. Thunderbird noticed too: It is not possible to connect with the SMTP Server anymore.

The only things I changed around this time are:

  • I added a phpmyadmin access with additional linux user query from the apache2 Server and
  • (on recommendation of a “friend”) installed fail2ban as an additional protection against bruteforce requests against the webservices. I left it on the default settings, only changed the bantime to 1 hr.

Since then I removed and purged fail2ban, sure it was the problem. It wasn’t. (?)

After reading the following output from syslog I traced it back to UFW:

syslog output (masked)

UFW itself has following configuration:

# cat /etc/ufw/user.rules
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow tcp 2222 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 2222 -j ACCEPT

### tuple ### allow tcp 25 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 25 -j ACCEPT

### tuple ### allow tcp 465 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 465 -j ACCEPT

### tuple ### allow tcp 587 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 587 -j ACCEPT

### tuple ### allow tcp 143 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 143 -j ACCEPT

### tuple ### allow tcp 993 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 993 -j ACCEPT

### tuple ### allow tcp 4190 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 4190 -j ACCEPT

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT

### END RULES ###

### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT

As you can see on the last few entries, it seems to maybe be triggered by ufw-after-logging-input, ufw-after-logging-forward or ufw-logging-deny. However, this is where my ‘knowledge’ ends right now. The only thing I additionaly noticed was that the following line was marked red in the user.rules, but that could just be nothing…

User.rules in the CLI

I re-installed fail2ban to do this:

# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     158
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   112.xxx.xxx.xxx

# fail2ban-client set sshd unbanip 112.xxx.xxx.xxx
112.xxx.xxx.xxx

# fail2ban-client status sshd
[...]
   `- Banned IP list:

I searched through plenty of sites but couldn’t find any useful lead on how to solve this. It really seems to have come from one of the recent changes I made, although I can’t think of anything more than maybe a not deleted rule that may be still around after purging and removing fail2ban.

Some things I also tried in the process of fixing it:
– restarting and stop/starting UFW
– restarting apache2
– restarting dovecot
– looking on Rspamd for event entries on sent test-mails (none were received since the time around the changes I made!)
– using another mailclient
– adding an acceptance rule for Port 25 to UFW (did not change anything)

P.S.: This server is running Ubuntu.

Is there any way to get my setup back to a working state?

My answer:


The UFW config looks correct.

You probably managed to ban your own IP in fail2ban.

Use fail2ban-client status to see which jails are enabled, then fail2ban-client status <jail> to see if your IP address is listed. If you find your IP, you can unban it.

[[email protected] ~]# fail2ban-client status 
Status
|- Number of jail:      1
`- Jail list:   sshd

[[email protected] ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     762
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 13
   |- Total banned:     86
   `- Banned IP list:   121.136.181.58 212.224.124.98 65.94.147.197 176.159.245.52 68.32.77.29 112.17.128.44 220.81.48.50 104.210.60.66 104.211.60.207 104.211.46.110 212.64.98.92 59.144.137.186 90.3.202.234

[[email protected] ~]# fail2ban-client set sshd unbanip 203.0.113.187
203.0.113.187

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.