LinuxQuestions.org - Linux - Security - Fail2ban sendmail-whois sends to old receiver address (https://www.linuxquestions.org/questions/linux-security-4/fail2ban-sendmail-whois-sends-to-old-receiver-address-4175576716/)

ilesterg 04-05-2016 05:42 AM

Fail2ban sendmail-whois sends to old receiver address
 
Hi!

I had a pretty stable fail2ban installation protecting my httpd, sshd, postfix, and dovecot services. Until one day I registered a new domain name and then deleted the email notification recipient user (let's call it applejuice) via userdel, and also the home directory (/home/applejuice). After creating my new user (let's call it apple), I then updated the sendmail-whois recipient in the config file /etc/postfix/main.cf from applejuice to apple for all of the configured jails.

However, when banning IPs, I noticed that the jail tries to send emails to applejuice instead of apple in /var/log/maillog. Note that I did not specify any domain name in the sendmail-whois action. Also, I made sure applejuice cannot be found in any config file in /etc/:
Code:

find /etc/ -type f -exec grep applejuice {} \;

Any idea how I can find out why fail2ban tries to send to the old configured email?

Thanks.

ilesterg 04-05-2016 12:55 PM

Here's a demo of my problem.

So this guy appeared in my log file.

Code:

Apr  5 13:18:25 myserver postfix/smtpd[17662]: connect from erp.acunetix.com[217.115.140.112]
Apr  5 13:18:26 myserver postfix/smtpd[17662]: NOQUEUE: reject: RCPT from erp.acunetix.com[217.115.140.112]: 454 4.7.1 <webadmin@myolddomainname.com>: Relay access denied; from=<cnw@acunetix.com> to=<webadmin@myolddomainname.com> proto=ESMTP helo=<erp.acunetix.com>
Apr  5 13:18:26 myserver postfix/smtpd[17662]: disconnect from erp.acunetix.com[217.115.140.112]

Ban 217.115.140.112.

Code:

[root@myserver log]# fail2ban-client set postfix banip 217.115.140.112
217.115.140.112
[root@myserver log]# grep 217.115.140.112 fail2ban.log
2016-04-05 17:48:05,305 fail2ban.actions        [1332]: NOTICE  [postfix] Ban 217.115.140.112

Check postfix/dovecot log file.

Code:

[root@myserver log]# tail maillog
...
Apr  5 17:48:05 myserver postfix/pickup[18176]: E6E09103C0E8: uid=0 from=<root>
Apr  5 17:48:05 myserver postfix/cleanup[18252]: E6E09103C0E8: message-id=<20160405174805.E6E09103C0E8@myserver.net>
Apr  5 17:48:05 myserver postfix/qmgr[11823]: E6E09103C0E8: from=<root@myserver.net>, size=2508, nrcpt=1 (queue active)
Apr  5 17:48:05 myserver postfix/local[18254]: E6E09103C0E8: to=<applejuice@myserver.net>, orig_to=<applejuice>, relay=local, delay=0.51, delays=0.51/0/0/0, dsn=5.1.1, status=bounced (unknown user: "applejuice")
Apr  5 17:48:05 myserver postfix/cleanup[18252]: E85E1103C0F4: message-id=<20160405174805.E85E1103C0F4@myserver.net>
Apr  5 17:48:05 myserver postfix/bounce[18255]: E6E09103C0E8: sender non-delivery notification: E85E1103C0F4
Apr  5 17:48:05 myserver postfix/qmgr[11823]: E6E09103C0E8: removed
Apr  5 17:48:05 myserver postfix/qmgr[11823]: E85E1103C0F4: from=<>, size=4310, nrcpt=1 (queue active)
Apr  5 17:48:05 myserver postfix/local[18254]: E85E1103C0F4: to=<root@myserver.net>, relay=local, delay=0, delays=0/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Apr  5 17:48:05 myserver postfix/qmgr[11823]: E85E1103C0F4: removed

I am pretty sure I don't have any existing applejuice recipient in my config files.

Code:

[root@myserver log]# find /etc/fail2ban -type f -exec grep applejuice {} \;
[root@myserver log]#

Here is my simple jail:
Code:

[postfix]
enabled  = true
port    = smtp,465,submission
#logpath  = %(postfix_log)s
filter  = postfix-sasl
logpath  = /var/log/maillog
maxretry  = 4
action = iptables-multiport[name=postfix, port="smtp", protocol=tcp]
                sendmail-whois[name=postfix, dest=apple, sender=root]

Suggestions on how to debug this, please. Thanks!
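One way to check the two sides of this mismatch offline, as an added example that is not part of the thread: parse the jail config for every `dest=` that a `sendmail-whois` action actually references, pull the recipients Postfix bounced as unknown users out of the maillog, and compare both against the local accounts. The jail config, maillog excerpt and account list below are constructed from the posts above; on a real host you would read /etc/fail2ban/jail.local, /var/log/maillog and `pwd.getpwall()` instead.

```python
import configparser
import re

# Constructed sample jail config, modelled on the [postfix] jail in this thread.
JAIL_CONF = """\
[postfix]
enabled  = true
port     = smtp,465,submission
filter   = postfix-sasl
logpath  = /var/log/maillog
maxretry = 4
action   = iptables-multiport[name=postfix, port="smtp", protocol=tcp]
           sendmail-whois[name=postfix, dest=apple, sender=root]
"""

# Constructed maillog excerpt reproducing the bounce seen in the thread.
MAILLOG = """\
Apr  5 17:48:05 myserver postfix/local[18254]: E6E09103C0E8: to=<applejuice@myserver.net>, orig_to=<applejuice>, relay=local, dsn=5.1.1, status=bounced (unknown user: "applejuice")
Apr  5 17:48:05 myserver postfix/local[18254]: E85E1103C0F4: to=<root@myserver.net>, relay=local, dsn=2.0.0, status=sent (delivered to maildir)
"""

SENDMAIL_WHOIS_RE = re.compile(r"sendmail-whois\[([^\]]*)\]")
UNKNOWN_USER_RE = re.compile(r'status=bounced \(unknown user: "([^"]+)"\)')

def configured_dests(conf_text):
    """Map each enabled jail to the dest= values of its sendmail-whois actions.
    configparser joins the indented continuation lines of 'action' for us."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    dests = {}
    for jail in cp.sections():
        if cp.get(jail, "enabled", fallback="false").strip().lower() != "true":
            continue
        found = set()
        for m in SENDMAIL_WHOIS_RE.finditer(cp.get(jail, "action", fallback="")):
            # Parameters are comma-separated key=value pairs (no quoted commas expected here).
            params = dict(p.strip().split("=", 1) for p in m.group(1).split(",") if "=" in p)
            if "dest" in params:
                found.add(params["dest"].strip().strip('"'))
        dests[jail] = found
    return dests

def bounced_unknown_users(log_text):
    """Local recipients Postfix bounced as unknown users, taken from maillog lines."""
    return {m.group(1) for m in UNKNOWN_USER_RE.finditer(log_text)}

def stale_recipients(conf_text, log_text, local_users):
    """Dests that are not local accounts, plus bounced recipients no jail configures.
    Hits only in the second list point at the running services, not the config on disk."""
    dests = set().union(*configured_dests(conf_text).values())
    return {"dest_not_local": sorted(dests - set(local_users)),
            "bounced_not_configured": sorted(bounced_unknown_users(log_text) - dests)}

if __name__ == "__main__":
    print(stale_recipients(JAIL_CONF, MAILLOG, {"root", "apple"}))
```

For the thread's inputs the report lists `applejuice` only under `bounced_not_configured`, which is exactly the case where the file on disk is already right and a reload of the running service is the next thing to try.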

ilesterg 04-15-2016 03:03 AM

Marking as solved.

Habitual 04-15-2016 08:57 AM

What was the "fix"?

ilesterg 04-15-2016 09:16 AM

Code:

systemctl reload postfix

I don't know why restart doesn't work; I assumed restarting would reload the configuration as well.

Habitual 04-15-2016 09:34 AM

systemd? :rolleyes:
