Mail servers like Zimbra has its own anti-spam addon to block malicious activity. Fail2ban provides additional protection to the mail server.
A good mail server always fight against spam!
Fail2ban can easily ban any IP that makes too many login attempts.
At Bobcares, we often receive requests to protect mail servers as part of our Server Management Services.
Today, let’s discuss how our Support Engineers set up fail2ban for Zimbra mail for our customers.
Zimbra Mail server with Fail2ban
Zimbra provides open source server and client software for messaging and collaboration.
To protect mails from continuous attacks we use fail2ban. Additionally, Fail2ban protects the server from brute-force attacks.
Fail2ban scans log files and ban IPs that show malicious signs.
Let us discuss how our Support Engineers setup Fail2ban for Zimbra Mail Server.
How to setup fail2ban for Zimbra mail server
Recently one of our customers contacted us to set up fail2ban for his Zimbra Mail Server. Let us discuss how we set up fail2ban for our customers.
First, we make sure that fail2ban and iptables are installed on the server. If not we install fail2ban and iptables.
We need to create a filter in fail2ban. The filter is used to identify authentication failures for that specific service.
By default, there are filters for the most commonly used service. The Zimbra is yet to feature in the list. So we manually add the filter at /etc/fail2ban/filter.d. Create a file and we add the below contents.
[Definition] failregex = [ip=<HOST>;] account - authentication failed for .* (no such account)$ [ip=<HOST>;] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$ ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$ [oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$ WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$ NOQUEUE: reject: RCPT from .*[<HOST>]: 550 5.1.1 .*: Recipient address rejected:
Save the file.
Now we need to add the jail content for Zimbra. We add the details in the jail.conf or jail.local based on the configuration. We edit the file
# This jail forces the backend to "polling". [ssh-iptables] enabled = false filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, firstname.lastname@example.org, email@example.com] logpath = /var/log/messages maxretry = 5 # jail for Zimbra [zimbra-account] enabled = true filter = zimbra action = iptables-allports[name=zimbra-account] sendmail[name=zimbra-account, firstname.lastname@example.org] logpath = /opt/zimbra/log/mailbox.log bantime = 600 maxretry = 5 [zimbra-audit] enabled = true filter = zimbra action = iptables-allports[name=zimbra-audit] sendmail[name=Zimbra-audit, email@example.com] logpath = /opt/zimbra/log/audit.log bantime = 600 maxretry = 5 [zimbra-recipient] enabled = true filter = zimbra action = iptables-allports[name=zimbra-recipient] sendmail[name=Zimbra-recipient, firstname.lastname@example.org] logpath = /var/log/zimbra.log bantime = 172800 maxretry = 5 # jail for postfix since postfix performs Zimbra mail transfer [postfix] enabled = true filter = postfix action = iptables-multiport[name=postfix, port=smtp, protocol=tcp] sendmail-buffered[name=Postfix, email@example.com] logpath = /var/log/zimbra.log bantime = 172800 maxretry = 5
Next, we change the configuration of Sendmail. We edit the file /etc/fail2ban/action.d/sendmail.conf and we change
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
Finally, we restart the Fail2ban service.
service fail2ban restart
We use the command to find the details regarding the ban.
fail2ban-client status zimbra-audit
The output displays as
We also monitor it using the command.
[Need help on integrating Fail2ban on the Zimbra mail server? We can do it for you.]
In short, the Zimbra fail2ban combination works well in fighting again mail server attacks. We have also discussed how our Support Engineers set up fail2ban for the Zimbra Mail Server.