My vps with mailcow ban my personal ip

Steve_FR

I use mailcow on my vps with traefik and crowdsec.
This morning I loose all access to all my services on the vps.
But not the ssh !
At first, I thought it was CrowdSec that had banned my IP, despite the fact that I remembered I had done what was necessary.
After some research, I ran:
nft --handle --numeric list table filter
The surprise was that my personal IP was in the MAILCOW chain, so I ran:
nft delete rule filter MAILCOW handle 422
422 being the handle number that I had to remove.
After that, everything went back to normal.

Looking at the netfilter logs in mailcow, I saw that my IP was banned via rule number 7, and this for several of my personal mailboxes.

I use Thunderbird and Nextcloud as clients

ETNyx

As in Feedback category, i expect you are expecting some feedback? So what is your question?

Rule No. 7. assume stock? wrong password? so do not send wrong password to server,…

If you are sure your IP is solid, add it to whitelist to never trigger netfilter ban action. (You are sole user of this IP? no NAT over street or something? you are not hacked?)

zx1100e1

ETNyx

Adding to the whitelist won’t fix the problem. On that same config page is a statement

A denylisted host or network will always outweigh a allowlist entity. List updates will take a few seconds to be applied.

So anything on the blocklist supercedes the whitelist.

I ran into this earlier this year when i locked myself out of my vps as well. The fix was simple - add an invert regex rule to ignore your ip.

For example

mailcow UI: Invalid password for .+ by ((?!123\.123\.123\.123)([0-9a-f\.:]+))

for rule 1.

Steve_FR

Hi ETNyx,
i put my personnal ip in the whitelist of netfilter now.

it’s just a feddback of my usage. If, however, this happens to someone else.
No question here.

I’m the only user.
yes stock rule 7
All my different mailbow (5 mailbox) were logged at rules 7 One by one in netfilter log between
28/04/2026 09:34:03
and
28/04/2026 09:34:08
Ban time is 30 minutes.
my thunderbird version is 150.0 (64 bits) (windows desktop version)
My thunderbird mobiel version is 18 (android)
Mailcow 2026-03b

I just see this morning that I loose my services.

DocFraggle

Steve_FR Yes, fail2ban blocks your IP after sending the wrong authentication credentials 3 times in 5 minutes. That’s intended and not new.

I don’t get what you want to tell us either 😃

CK_beats

He wanted to tell us that he locked himself out of his own system and let himself back in.

In my opinion it should be a guide.

ETNyx

zx1100e1

Hmm think you are wrong,… I see it as there are 3 lists,

1) Ban list - filled by those regexp rules, in admin you see them under those regexp (or No active bans)
2) Allow list - filled by admin, in admin as texarea
3) Denny list - filled by admin, in admin as texarea

Numbering is weight, bigger the weight, more importance. So adding IP to Allow list is valid solution to original question. Due to ban on weight 1. And is not inconsistent whit docs due to hinting relation between 2 a 3.

Sure i can be wrong but if this is not right than Allow list should not work and it is pointless

zx1100e1

^^ I tried adding my ip to the white list and retesting by logging in with bogus creds, it still locked me out. I see no mention in the docs about weight based on position. Do you have a reference?

Good point on the allow list being pointless.

ETNyx

No reference it is my reasoning and my experience. Got one user failing login so much that I added him to Allow list, since then, zero call from him due to not able to be log in.

AI say after feeding it netfilter script mailcow/mailcow-dockerizedblob/master/data/Dockerfiles/netfilter/main.py

ETNyx’s “weights” framing isn’t quite how the code is structured (it’s not numerical priorities, it’s just two different functions with different checks), but the practical conclusion — allowlist fixes the regex auto-ban problem — is right.

zx1100e1 is correct that the docs’ “denylist outweighs allowlist” wording is accurate — but only for the manual denylist textarea.

TL;DR: If your IP is being auto-banned by a regex rule, the allowlist works. If your IP is somehow on the manual denylist textarea, the allowlist will not save you and you’d need to remove it from the denylist

zx1100e1

Interesting.

The vps instance was added back in January 2026. Last update to https://github.com/mailcow/mailcow-dockerized/commits/master/data/Dockerfiles/netfilter/main.py was 20251009.

I don’t see how I could have gotten back into the gui without unbanning myself first from the cli, before whitelisting. I will retest this evening by removing the regex exclusion from the numbered list and adding my ip in the whitelist section.

Ok, retested it, and sure enough it works as @ETNyx describes above.

Now I’m not sure why I was getting locked out before.