Autoban weirdness

palinka
Senior user
Posts: 1542
Joined: 2017-09-12 17:57

Autoban weirdness

Post by palinka » 2019-11-12 16:17

Something strange happened last night. It's actually happened a couple of times before but this is the first time I investigated it.

I run a script every 5 minutes to check telnet with the logic that if there is no response, something must be wrong and therefore, restart hmailserver service. That script is here: https://www.hmailserver.com/forum/viewt ... 01#p215301

Early this morning, someone (unknown account) attempted to login through webmail (on localhost) and 127.0.0.1 got autobanned. Autoban priority is 20 and My Computer IP Range priority is 25. For some reason, despite the priority elevation, 127.0.0.1 was denied access, therefore, my script was denied access and that started a loop of restarting hmailserver service until the autoban expired 1 hour later. I also noticed my activesync mail clients failed login (connection is via WAN -> https:443 -> localhost on hmailserver), so it's not an issue particular to my script - 127.0.0.1 was genuinely blocked during the autoban.

So the question is: why did My Computer IP Range not override the autoban? Running 5.7.0. Is this a bug?

If I'm just wrong and this is not a bug, is there a strategy to work around it?


Settings:


2019-11-12   Hmailserver: 5.7.0-B2486

DOMAINS

   "Domain1.com" - 12x.dyxx.com                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - djxxxxx.dyxx.com               Enabled: False

   "Domain3.com" - lixxx.dyxx.net                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\xampp\apache\conf\altcerts\dynu.net\mail._domainkey.Domain3.com.pem
                                                Selector:    mail

   "Domain4.com" - pixxxx.us                      Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing:  True
                   Max size of accounts:    0   Body:     Relaxed  Character:           +
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\xampp\apache\conf\altcerts\Domain4.com\mail.Domain4.com.pem
                                                Selector:    mail

   "Domain5.com" - q-xxx.com                      Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain6.com" - rgxxxxx.com                    Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing:  True
                   Max size of accounts:    0   Body:     Relaxed  Character:           +
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\xampp\apache\conf\altcerts\Domain6.com\mail.Domain6.com.pem
                                                Selector:    mail

   "Domain7.com" - spxx.dyxx.net                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain8.com" - wax.dyxx.net                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True      Catchall: sms@Domain8.com
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\xampp\apache\conf\altcerts\dynu.net\mail._domainkey.Domain8.com.pem
                                                Selector:    mail
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 25     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    -  True
     External To External - False           


IP: 192.168.99.0 - 192.168.99.255     Priority: 15     Name: LAN

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    -  True
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      3
                              Minutes Before Reset:            5  (0.08 hours, 0.00 days)
                              Minutes to Autoban:             60  (1.00 hours, 0.04 days)

There is a total of 6 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 60   Plain Text:        False  Bind: 
                     Host: Domain8.com         Empty sender:       True  Batch recipients:   100
Max Msg Size: 40960  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                      EXTERNAL.TLD  (ok)       Disc. on invalid:   True  Delivered-To hdr: False
                     Port: 587                 Max number commands:   3  Loop limit:           5
                     Req Auth: True *User Entered*                       Recipient hosts:     15
                     Con. Sec.: StartTLS Required
  Routes:
    Domain5.com              - S: Local   R: Local  - Addr: All         (ok)

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  3       Use SPF:            True - 3    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2    Port:                 783
  Add X-HmailServer-Subject:  True    Verify DKIM:       False        Use SA score:        True
              Subject Text: "[POSSIBLE SPAM]"
  Spam delete threshold: 8000         Maximum message size: 1024

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 3     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2
                 torexit.dan.me.uk      Score: 6     Result: 127.0.0.100

SURBL ENTRIES:
                   multi.surbl.org      Score: 3
                  dbl.spamhaus.org      Score: 5

GREYLISTING:
  Greylisting:  False

WHITELISTING
              0.0.0.0            to    255.255.255.255              [*redacted*][@t]tmomail[dot]net
              0.0.0.0            to    255.255.255.255              +1[*redacted*][@t]tmomail[dot]net
              0.0.0.0            to    255.255.255.255              tims[@t]stripersonline[dot]com
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
  When found - Delete Attachments.

  Max Message Size: 26214
     CLAM AV:   True       Hostname: localhost    Port: 3310
     CLAMWIN:   False
     CUSTOMAV:  False

  Block Attachments: True
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.exe             Executable file
               *.inf             Setup file
               *.lnk             Windows link file
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.pif             Program Information file
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   lews-combined
       Certificate: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Domain8.com-chain.pem
       Private key: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Domain8.com-key.pem
   Domain8.com
       Certificate: C:\xampp\certificates\Domain8.com-chain.pem
       Private key: C:\xampp\certificates\Domain8.com-key.pem
-----------------------------------------------------------------------------------------------

SSL/TLS
             TLS 1.0 :  False
             TLS 1.1 :  False
             TLS 1.2 :   True
             TLS 1.3 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

HIGH                            - !TLSv1                          - !SSLv3;                         
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Optional   Cert: Domain8.com
               0.0.0.0         / 110   / POP3   -   StartTLS Optional   Cert: Domain8.com
               0.0.0.0         / 143   / IMAP   -   StartTLS Optional   Cert: Domain8.com
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: Domain8.com
               0.0.0.0         / 587   / SMTP   -   StartTLS Optional   Cert: Domain8.com
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: Domain8.com
               0.0.0.0         / 995   / POP3   -   SSL/TLS             Cert: Domain8.com
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-11-12.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-11-12.log
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Last Event: 2019/11/12
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -      .
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MySQL

IPv6 support is available in operating system.

Backup directory X:\HMS-BACKUP is writable.

Relative message paths are stored in the database for all messages.

There are 4 error logs in the log directory.
-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: 
Data folder:     X:\HMS-DATA\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MYSQL
Username=          hmailserver
PasswordEncryption=1
Port=              3306
Server=            localhost
Internal=          0

[settings]
DisableAUTHList=25
RewriteEnvelopeFromWhenForwarding=1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.98, Hmailserver Forum.

RvdH
Senior user
Posts: 843
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Autoban weirdness

Post by RvdH » 2019-11-12 21:41

Autoban priority is changed in 5.7.x

https://www.hmailserver.com/forum/viewt ... =7&t=34313
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

palinka

Re: Autoban weirdness

Post by palinka » 2019-11-12 23:18

RvdH wrote:
2019-11-12 21:41
Autoban priority is changed in 5.7.x

https://www.hmailserver.com/forum/viewt ... =7&t=34313

My autoban entries are being reported as priority 20. Are they actually 100? Is this a bug or a setup problem?

mattg
Moderator
Posts: 20540
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Autoban weirdness

Post by mattg » 2019-11-12 23:50

RvdH wrote:
2019-11-12 21:41
Autoban priority is changed in 5.7.x

https://www.hmailserver.com/forum/viewt ... =7&t=34313
ONLY on the version used by that user
ie Dravion's version

hMailserver still sets them at 20
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mattg

Re: Autoban weirdness

Post by mattg » 2019-11-12 23:51

palinka wrote:
2019-11-12 16:17
For some reason, despite the priority elevation, 127.0.0.1 was denied access, therefore, my script was denied access and that
Can you show logs of this happening please?

palinka

Re: Autoban weirdness

Post by palinka » 2019-11-13 00:01

mattg wrote:
2019-11-12 23:51
palinka wrote:
2019-11-12 16:17
For some reason, despite the priority elevation, 127.0.0.1 was denied access, therefore, my script was denied access and that
Can you show logs of this happening please?
I will as soon as I get back to my computer, but they don't show anything other than "denied access due to ip range policy" or something to that effect.

Also, everything went back to normal exactly when the autoban expired (1 hour). Basically, hmailserver service was restarted every 5 minutes for that hour - as should be expected under those circumstances. But why were the priorities not respected?

RvdH

Re: Autoban weirdness

Post by RvdH » 2019-11-13 00:14

mattg wrote:
2019-11-12 23:50
RvdH wrote:
2019-11-12 21:41
Autoban priority is changed in 5.7.x

https://www.hmailserver.com/forum/viewt ... =7&t=34313
ONLY on the version used by that user
ie Dravion's version

hMailserver still sets them at 20
No, maybe your used scripts do, but hmailserver 5.7.x internally sets them to 100 (eg: a faulty login via webmail or such, that blocks localhost being only 30 if default score is used)

Proof? Here you go: https://github.com/hmailserver/hmailser ... n.cpp#L120

palinka

Re: Autoban weirdness

Post by palinka » 2019-11-13 00:47

RvdH wrote:
2019-11-13 00:14
mattg wrote:
2019-11-12 23:50
RvdH wrote:
2019-11-12 21:41
Autoban priority is changed in 5.7.x

https://www.hmailserver.com/forum/viewt ... =7&t=34313
ONLY on the version used by that user
ie Dravion's version

hMailserver still sets them at 20
No, maybe your used scripts do, but hmailserver 5.7.x internally sets them to 100 (eg: a faulty login via webmail or such, that blocks localhost being only 30 if default score is used)

Proof? Here you go: https://github.com/hmailserver/hmailser ... n.cpp#L120
In my hmailserver admin interface and also the webadmin, autobans are showing as priority 20.

My autobans are mostly called by script and they are all currently showing priority 20. The one that triggered the restart loop was a bad logon. Unfortunately I didn't get a chance to see it because it was the middle of the night and expired before I got up.

I just intentionally attempted logon with a bad password and indeed, the autoban was priority 100. Also, I looked at the autoban script I use (Soren's) and it does make the priority 20, so that accounts for what I'm seeing in the IP ranges.

I guess that's the answer. Problem solved.

edit - changed My Computer and LAN IP ranges to 125, tested bad logon again and everything is working fine again. Autoban called for bad logon and I can still connect to localhost. Life is good again. :mrgreen:
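As an added illustration (not code from this thread or from hMailServer itself), here is the priority resolution the thread arrives at, simulated in Python: the highest-priority range matching the connecting address decides, so an autoban entry at 100 beats a "My computer" range at 25 but loses to one at 125. The range table is constructed from the poster's diagnostics output, and it is assumed that an autoban creates a single-address range with connections denied; the last function is the post-upgrade check a practitioner would want, listing trusted ranges an autoban could override.

```python
"""Simulate how hMailServer chooses an IP range for a connecting address.

Assumed behaviour (not quoted from the project): the matching range with the
highest priority wins, and an autoban is just another range for the offending
address with all connections denied. Ranges are constructed from the settings
dump in this thread.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

# Autoban priorities discussed in the thread: 20 in 5.6, 100 in 5.7.x.
AUTOBAN_PRIORITY_56 = 20
AUTOBAN_PRIORITY_57 = 100


@dataclass(frozen=True)
class IpRange:
    name: str
    lower: IPv4Address
    upper: IPv4Address
    priority: int
    allow_connections: bool  # False for an autoban range

    def contains(self, ip: IPv4Address) -> bool:
        return self.lower <= ip <= self.upper


def make_range(name, lower, upper, priority, allow=True):
    return IpRange(name, IPv4Address(lower), IPv4Address(upper), priority, allow)


def autoban(ip, priority):
    """Range an autoban is assumed to create: one address, everything denied."""
    return make_range(f"Auto-ban: {ip}", ip, ip, priority, allow=False)


# Constructed from the IP RANGES section of the poster's diagnostics output.
POSTER_RANGES = [
    make_range("Internet", "0.0.0.0", "255.255.255.255", 10),
    make_range("LAN", "192.168.99.0", "192.168.99.255", 15),
    make_range("My computer", "127.0.0.1", "127.0.0.1", 25),
]


def effective_range(ranges, ip):
    """Highest-priority range containing ip, or None if nothing matches."""
    matching = [r for r in ranges if r.contains(IPv4Address(ip))]
    return max(matching, key=lambda r: r.priority, default=None)


def connection_allowed(ranges, ip) -> bool:
    chosen = effective_range(ranges, ip)
    return chosen is not None and chosen.allow_connections


def with_priority(ranges, name, priority):
    """Copy of ranges with one named range's priority changed."""
    return [replace(r, priority=priority) if r.name == name else r for r in ranges]


def ranges_not_protected(ranges, autoban_priority):
    """Trusted ranges an autoban would override (ties flagged too, since the
    winner is then not guaranteed): the check to run after an upgrade."""
    return [r.name for r in ranges
            if r.allow_connections and r.priority <= autoban_priority]


if __name__ == "__main__":
    banned = autoban("127.0.0.1", AUTOBAN_PRIORITY_57)
    print("5.7 autoban, My computer at 25:",
          connection_allowed(POSTER_RANGES + [banned], "127.0.0.1"))  # False
    fixed = with_priority(POSTER_RANGES, "My computer", 125)
    print("My computer raised to 125:",
          connection_allowed(fixed + [banned], "127.0.0.1"))  # True
    print("ranges an autoban at 100 overrides:",
          ranges_not_protected(POSTER_RANGES, AUTOBAN_PRIORITY_57))
```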

RvdH

Re: Autoban weirdness

Post by RvdH » 2019-11-13 00:50

palinka wrote:
2019-11-13 00:47
I guess that's the answer. Problem solved.
I know :)

But I am still a bit curious why martin changed that value in 5.7.x, I really can't see a reason for that and as it shows it breaks running instances...so it is a silly change in my opinion

palinka

Re: Autoban weirdness

Post by palinka » 2019-11-13 00:53

RvdH wrote:
2019-11-13 00:50
palinka wrote:
2019-11-13 00:47
I guess that's the answer. Problem solved.
I know :)
Some of us are a little slower... :lol:

jimimaseye
Moderator
Posts: 8300
Joined: 2011-09-08 17:48

Re: Autoban weirdness

Post by jimimaseye » 2019-11-13 01:59

RvdH wrote:
2019-11-13 00:14
No, maybe your used scripts do, but hmailserver 5.7.x internally set them to 100 (eg: a
Proof? Here you go: https://github.com/hmailserver/hmailser ... n.cpp#L120
That's bloomin' rubbish. Why has he done that? That breaks rules on continual software development as it potentially makes upgrading problematic - people will have to review and modify their configuration with ip ranges to ensure webmail ranges are now over 100 instead of 20. I wonder if he knows he has done it and left it out there (perhaps it was a temporary thing 5 years ago when the development was just for his own use).

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg

Re: Autoban weirdness

Post by mattg » 2019-11-13 08:18

Has he also changed the default Internet and Localhost ranges priority?

RvdH

Re: Autoban weirdness

Post by RvdH » 2019-11-13 09:57

mattg wrote:
2019-11-13 08:18
Has he also changed the default Internet and Localhost ranges priority?
Only the 'My computer' range is higher, eg: 30 instead of the 15 it was before.... 'Internet' range is still 10

jimimaseye

Re: Autoban weirdness

Post by jimimaseye » 2019-11-13 10:05

RvdH wrote:
2019-11-13 09:57
mattg wrote:
2019-11-13 08:18
Has he also changed the default Internet and Localhost ranges priority?
Only the 'My computer' range is higher, eg: 30 instead of the 15 it was before.... 'Internet' range is still 10
It seems like he has just stuck his finger in the air and chosen numbers depending on the direction of the wind. It doesn't make sense.


RvdH

Re: Autoban weirdness

Post by RvdH » 2019-11-13 11:03

The change of the 'My computer' range I kinda could understand, as a default install with previous value (15) would lockout localhost when auto-ban (20) is enabled...but once he also changed the auto-ban priority in 5.7.x the change to the 'My computer' range is redundant again

I have also posted this on github, https://github.com/hmailserver/hmailserver/issues/306
Maybe martin can explain

palinka

Re: Autoban weirdness

Post by palinka » 2019-11-13 13:37

RvdH wrote:
2019-11-13 09:57
mattg wrote:
2019-11-13 08:18
Has he also changed the default Internet and Localhost ranges priority?
Only the 'My computer' range is higher, eg: 30 instead of the 15 it was before.... 'Internet' range is still 10
Nothing changed for me - meaning I upgraded and my old settings remained the same, but the new autoban = 100 was unknown to me until I investigated it yesterday.

RvdH

Re: Autoban weirdness

Post by RvdH » 2019-11-13 13:52

palinka wrote:
2019-11-13 13:37
RvdH wrote:
2019-11-13 09:57
mattg wrote:
2019-11-13 08:18
Has he also changed the default Internet and Localhost ranges priority?
Only the 'My computer' range is higher, eg: 30 instead of the 15 it was before.... 'Internet' range is still 10
Nothing changed for me - meaning I upgraded and my old settings remained the same, but the new autoban = 100 was unknown to me until I investigated it yesterday.
That only would be the case in a new/fresh database on 5.7.x indeed, if you upgraded and retained your previous settings it remains the same
