Mail servers like Zimbra has its own anti-spam addon to block malicious activity. Fail2ban provides additional protection to the mail server.
A good mail server always fight against spam!
Fail2ban can easily ban any IP that makes too many login attempts.
At Bobcares, we often receive requests to protect mail servers as part of our Server Management Services.
Today, let’s discuss how our Support Engineers set up fail2ban for Zimbra mail for our customers.
Zimbra Mail server with Fail2ban
Zimbra provides open source server and client software for messaging and collaboration.
To protect mails from continuous attacks we use fail2ban. Additionally, Fail2ban protects the server from brute-force attacks.
Fail2ban scans log files and ban IPs that show malicious signs.
Let us discuss how our Support Engineers setup Fail2ban for Zimbra Mail Server.
How to setup fail2ban for Zimbra mail server
Recently one of our customers contacted us to set up fail2ban for his Zimbra Mail Server. Let us discuss how we set up fail2ban for our customers.
First, we make sure that fail2ban and iptables are installed on the server. If not we install fail2ban and iptables.
We need to create a filter in fail2ban. The filter is used to identify authentication failures for that specific service.
By default, there are filters for the most commonly used service. The Zimbra is yet to feature in the list. So we manually add the filter at /etc/fail2ban/filter.d. Create a file and we add the below contents.
vi /etc/fail2ban/filter.d/zimbra.conf[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:Save the file.
Now we need to add the jail content for Zimbra. We add the details in the jail.conf or jail.local based on the configuration. We edit the file
vi /etc/fail2ban/jail.local# This jail forces the backend to "polling".
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=mail@domian.com, sender=mail@domain.com]
logpath = /var/log/messages
maxretry = 5
# jail for Zimbra
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
sendmail[name=zimbra-account, dest=mail@domain.com]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
sendmail[name=Zimbra-audit, dest=mail@domain.com]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-recipient]
sendmail[name=Zimbra-recipient, dest=mail@domain.com]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5
# jail for postfix since postfix performs Zimbra mail transfer
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
sendmail-buffered[name=Postfix, dest=mail@domain.com]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5Next, we change the configuration of Sendmail. We edit the file /etc/fail2ban/action.d/sendmail.conf and we change
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>to
Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>Finally, we restart the Fail2ban service.
service fail2ban restart We use the command to find the details regarding the ban.
fail2ban-client status zimbra-audit The output displays as
We also monitor it using the command.
[Need help on integrating Fail2ban on the Zimbra mail server? We can do it for you.]
Conclusion
In short, the Zimbra fail2ban combination works well in fighting again mail server attacks. We have also discussed how our Support Engineers set up fail2ban for the Zimbra Mail Server.
In my zimbra version 8.8.15 the sendmail command is located here:
./opt/zimbra/common/sbin/sendmail