I would like to see the fail2ban PR "Removed the -no auth attempts- from the triggers because of lots of FP #600" incorporated into docker-mailserver. The change does not treat "no auth attempts" in the log file as an attack.
Context
I am often banned from my own mailserver, because my mobile phone closes the connection before authenticating. I don't know the exact cause on the client side (although I think switching between WLAN and mobile data connections might be responsible). But this behavior is mentioned in the fail2ban-PR and is the reason for the change.
Expected Behavior
fail2ban should not ban clients that open a connection and close it again before sending authentication information.
Actual Behavior
fail2ban DOES ban clients that open a connection and close it again before sending authentication information.
Possible Fix
docker-mailserver comes with a custom fail2ban-dovecot-filter which overrides the newer upstream version. The file was introduced due to #152. The discussion indicates that the upstream fail2ban-version was buggy at this time and that additional regex were provided. I would suggest to either merge the file with the current upstream version (including the custom filters) or to remove the custom file and use the upstream version again. I am not sure of all the consequences though. The files differ significantly.
Steps to Reproduce
- Run `echo | nc mail.server.address 143` multiple times (10 times)
- The source IP has been banned (but should not have been)
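
The effect described in this issue, as an added example that is not part of the original report and is not the filter shipped by fail2ban or docker-mailserver: the two regexes are simplified stand-ins for a dovecot failregex with and without the "no auth attempts" trigger, the threshold of 5 is an assumed `maxretry`, and the log lines are constructed in the usual dovecot login-log shape.

```python
import re
from collections import Counter

# Simplified stand-ins for the dovecot failregex, NOT the shipped filter.
# WITH_NO_AUTH treats "no auth attempts" as a failure; WITHOUT_NO_AUTH does not.
_TAIL = r"( in \d+ secs)?\):.*\brip=(?P<host>[\d.]+)"
WITH_NO_AUTH = re.compile(
    r"(imap|pop3)-login: (Aborted login|Disconnected) "
    r"\((no auth attempts|auth failed, \d+ attempts)" + _TAIL)
WITHOUT_NO_AUTH = re.compile(
    r"(imap|pop3)-login: (Aborted login|Disconnected) "
    r"\(auth failed, \d+ attempts" + _TAIL)

MAX_RETRY = 5  # assumed jail threshold; check maxretry in your jail config


def banned_hosts(lines, failregex, max_retry=MAX_RETRY):
    """Return the set of hosts with at least max_retry matching lines."""
    hits = Counter()
    for line in lines:
        m = failregex.search(line)
        if m:
            hits[m.group("host")] += 1
    return {host for host, n in hits.items() if n >= max_retry}


# Constructed sample log (documentation addresses, not real traffic).
# 192.0.2.10: a client that connects and drops 10 times without authenticating.
# 198.51.100.7: a client that fails authentication 6 times.
SAMPLE_LOG = (
    ["Jan 10 12:00:%02d mail dovecot: imap-login: Disconnected "
     "(no auth attempts in 0 secs): user=<>, rip=192.0.2.10, "
     "lip=203.0.113.5, session=<constructed>" % i for i in range(10)]
    + ["Jan 10 12:01:%02d mail dovecot: imap-login: Disconnected "
       "(auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, "
       "rip=198.51.100.7, lip=203.0.113.5, session=<constructed>" % i
       for i in range(6)]
)

if __name__ == "__main__":
    print("with 'no auth attempts':   ", sorted(banned_hosts(SAMPLE_LOG, WITH_NO_AUTH)))
    print("without 'no auth attempts':", sorted(banned_hosts(SAMPLE_LOG, WITHOUT_NO_AUTH)))
```

With the trigger present both addresses cross the threshold; without it only the address with real authentication failures does.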