Is this a network issue? I need your help...

Not sure if this is a network issue, your ideas are welcome...

Running a mailserver on a Hetzner dedi, Dovecot is listening on port 993 and 143.

For the majority of users, it works flawlessly, they can connect to their email account. A TCP traceroute looks something like this:

[screenshot: TCP traceroute, working case]

Other users, sitting on a different network, cannot connect ("Server not found or not answering"). A TCP traceroute looks something like this:

[screenshot: TCP traceroute, non-working case]

Please notice the !P on the last hop: Protocol unreachable.

  • No firewall settings on port 993
  • Dovecot has no settings that prevent any connection.
  • There is at least 1 user who had the problem at one point, and it was working 2 days later (without any changes on my side).

Any idea?

Comments

  • tentor Member, Patron Provider
    edited August 2023

    Looks like a firewall issue. Are you sure there is no rule that rejects packets? It may not be specific to port 993/tcp.

    Please check the output of sudo iptables-save | grep REJECT or sudo nft list ruleset | grep \ reject

  • You are right. There were a lot of REJECTs in the firewall for port 22 and some for port 993, all coming from fail2ban. I cleaned it up and hope it will work now. Thank you!

  • tentor Member, Patron Provider

    @dynweb said:
    There were a lot of REJECTS [...], all coming from fail2ban. I cleaned it up and hope it will work now.

    It is a temporary fix - please configure your fail2ban properly, it seems like it is accidentally banning valid clients.

  • Maounique Host Rep, Veteran

    @tentor said:

    @dynweb said:
    There were a lot of REJECTS [...], all coming from fail2ban. I cleaned it up and hope it will work now.

    It is a temporary fix - please configure your fail2ban properly, it seems like it is accidentally banning valid clients.

    I concur, fail2ban is a useful tool but can misbehave badly if not configured properly.
    I suggest you use only keys, change the SSH port and remove fail2ban altogether; just configure the apps to give a cooldown of a minute or more after 3 failed login attempts. That would disable bruteforce and solve the problem with false positives.

  • It is a temporary fix - please configure your fail2ban properly, it seems like it is accidentally banning valid clients.

    I concur, fail2ban is a useful tool but can misbehave badly if not configured properly.

    I get your point. This time, however, I suspect the blocked users to be the "culprits", having insisted on logging in with wrong usernames/passwords far too often.

    I appreciate your opinions :)
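tentor's grep lists every REJECT rule in the ruleset; the check below, added here as an example and not taken from the thread, narrows that to the REJECT rules that can actually hit a given port, including fail2ban's source-only bans sitting in the f2b-* chains that INPUT jumps to for that port's set. The iptables-save sample and the banned addresses in it are constructed.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output (not from the thread).
# fail2ban keeps each jail's bans in an f2b-* chain that INPUT jumps to
# for the jail's port list; the ban rules themselves match on source only.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
:f2b-dovecot - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j f2b-dovecot
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j REJECT --reject-with tcp-reset
-A f2b-dovecot -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 198.51.100.9/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT'

# reject_rules_for_port RULESET PORT
# Prints every REJECT rule that can hit TCP traffic to PORT: rules whose
# --dport/--dports list names the port, and rules with no port match at all
# that sit in INPUT or in a chain INPUT reaches for that port (the fail2ban
# case). Port ranges written as a:b are not expanded.
reject_rules_for_port() {
  tmp=$(mktemp) || return 1
  printf '%s\n' "$1" > "$tmp"
  awk -v p="$2" '
    # true if the rule has no port match, or its port list contains p
    function port_ok(   i, seen) {
      for (i = 1; i <= NF; i++)
        if ($i == "--dport" || $i == "--dports") {
          seen = 1
          if (match("," $(i+1) ",", "," p ",")) return 1
        }
      return !seen
    }
    function target(   i) { for (i = 1; i <= NF; i++) if ($i == "-j") return $(i+1); return "" }
    # pass 1 (first read of the file): chains INPUT can reach for this port
    NR == FNR { if ($1 == "-A" && $2 == "INPUT" && port_ok()) hit[target()] = 1; next }
    # pass 2: REJECT rules in INPUT or a reachable chain that still match the port
    $1 == "-A" && target() == "REJECT" && ($2 == "INPUT" || ($2 in hit)) && port_ok() { print }
  ' "$tmp" "$tmp"
  rm -f "$tmp"
}

# On a live host: reject_rules_for_port "$(sudo iptables-save)" 993
reject_rules_for_port "$SAMPLE_RULES" 993
```

A hit inside an f2b-* chain points at a fail2ban ban rather than a hand-written rule, which is the case this thread ended up in.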
