Hello,

I am getting the Fail2ban notifications via watchdog just fine, but I can’t tell what service is being attacked. The whois information is great, but how do I get information on which service is being used? I assume they are after postfix and I would like to block larger subnets from Russia and China for instance, but I would like to limit them to port 25 or 993 for instance.

Thank you!

The service isn’t mentioned in the mail, no. If I wanna know I usually just check the IP address in the logs on the admin interface. It’s usually 95% postfix and 5% mailcow UI.

But most of the time I don’t have a reason to check, because mailcow just does its thing. If I get a lot of reports of the same IP or subnet I blacklist it in the settings.


14 days later

Thanks Ares,

That’s still pretty cumbersome unfortunately. I’m somewhat familiar with fail2ban. What I’m looking for should be just the variables passed to the action line like:

sendmail-whois[name=sasl, dest=you@example.com]

I assume that’s just a GitHub request for Fail2ban configuration to be added to the <mailcow_root>/data/conf/ directory? Mucking around inside the docker container doesn’t sound like a good idea given the distribution.

Is there a way to move SOGo to its own IP or port? Looking through the logs I’m getting a LOT of mailcow UI attempts. I would love to lock that down some more at least. I see I can get to the Nginx config, but I would rather shut that all down on the firewall and eschew a proxy.
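As an added example (not code from the thread, from mailcow or from Fail2ban), the question "which service is being attacked" can be answered from a stock fail2ban.log, because every Ban line carries the jail name; the script below groups bans per jail and per /24 so repeat offenders from one range stand out before a wider blacklist entry is considered. It assumes the standard fail2ban.log line format (mailcow's own netfilter container may log differently), and the log lines and jail names are constructed samples.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed stock fail2ban.log ban line, e.g.
# "2024-03-01 10:15:02,113 fail2ban.actions  [812]: NOTICE  [postfix-sasl] Ban 203.0.113.7"
BAN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
    r"\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = """\
2024-03-01 10:15:02,113 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 203.0.113.7
2024-03-01 10:16:40,501 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 203.0.113.9
2024-03-01 10:17:11,020 fail2ban.actions        [812]: NOTICE  [dovecot] Ban 198.51.100.23
2024-03-01 10:18:00,777 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 203.0.113.44
2024-03-01 10:19:30,000 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 192.0.2.5
2024-03-01 10:20:05,333 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Unban 203.0.113.7
"""


def parse_bans(text):
    """Yield (jail, ip) for every Ban line; Unban and other lines are skipped."""
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            yield m.group("jail"), m.group("ip")


def bans_per_jail(text):
    """Ban count per jail name: the jail tells you which service was hit."""
    return Counter(jail for jail, _ in parse_bans(text))


def bans_per_subnet(text, prefix=24):
    """Distinct banned hosts grouped into /prefix networks (IPv4 sample data)."""
    nets = defaultdict(set)
    for _, ip in parse_bans(text):
        nets[str(ip_network(f"{ip}/{prefix}", strict=False))].add(ip)
    return {net: sorted(ips, key=ip_address) for net, ips in nets.items()}


if __name__ == "__main__":
    for jail, n in bans_per_jail(SAMPLE_LOG).most_common():
        print(f"{jail:16} {n} bans")
    for net, ips in bans_per_subnet(SAMPLE_LOG).items():
        print(f"{net:18} {len(ips)} hosts: {', '.join(ips)}")
```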
