Mailcow-dockerized: Dynamic fail2ban whitelisting

We can make this optional.

I think we could drop traffic to the mailcow network. Dropping a brute force attack on the web interface would still drop traffic to 80/443 after all.

You should really fix this problem on the client side. :-/ Or whitelist them.

The reason why this happens is that we add rules to both the INPUT and the FORWARD chain. The former has the side effect you mention, but that is intended so that fail2ban also applies to a reverse proxy.

🤔 I wonder if it's somehow possible for fail2ban to act only on the mailcow containers, instead of blocking literally everything (all containers and all servers outside of docker)?

Why would you want someone who repeatedly enters wrong passwords to be able to access your website? They most likely are not a user or customer, but rather someone nefarious trying to guess a password.

@mkuron As I explained in my first comment, this situation happens in a company's office (we're talking about ~100 people). Statistically speaking the "I forgot my password and I tried 5 times in a row" situation can happen (and happens) several times per day.

It's not unreasonable to want to NOT block the web access to all users in the company just because one person wrote the incorrect password 5 times in a row.

In that case, the reasonable thing to do is to whitelist your company network.

You'd still be banning everyone from email if the ban didn't apply to INPUT as you requested.

@mkuron I thought about that, but the office doesn't have a static IP. I'm open to other suggestions. (Not No-IP, DynDNS and stuff like that, please).

Can bans be applied via API? Because that can solve the issue.

You need to whitelist them. What else do you want to happen? Give an attacker the chance to try on port 80, then 443, then 587, then 465, then 110 etc.? That doesn't sound very reasonable. We could make this optional, but it will not solve your problem, I'm afraid.

@EnriqCG - no, the failed attempts are written to a Redis channel, where netfilter-mailcow watches for patterns.

You can solve this by disabling netfilter-mailcow and parse the Docker logs yourself. You can then decide what exactly should happen. :-)

The API is still incomplete (#1374), but you might be able to figure out how to whitelist addresses.
Whitelisting really is the only reasonable solution to your problem.

If a mail client gets configured with a wrong password it tries again and again. Finally the IP gets blocked and it is quite inconvenient when your server gets blocked and you have no chance to unban neither via website nor ssh.
I learned this now and I have no problem with SSH tunneling but this situation might become a problem for someone with an unknown colleague keeping the IP blocked. You are locked out from the logs as well...

A solution to the problem could be relaxing the rules for IPs from which a successful login has been logged during last n hours.