I somehow broke PostFix by having a wrong password and it blocking my router’s IP. Any help or solution would be appreciated.
SYSTEM INFORMATION | |
---|---|
Webmin version | 2.021 |
Virtualmin version | 7.7 |
The IP might be in the fail2ban list.
I guess that’s it but I can’t get it unbanned.
2023-07-04 07:36:15,634 fail2ban.filter [908]: INFO [postfix] Found 192.168.0.1 - 2023-07-04 07:36:15
I tested email delivery from my spam filter and received: 451 4.3.5 : Sender address rejected: Server configuration error. Does that help at all? Clients can log in with IMAP in a mail app and see email, and can log in to webmail at www.xyz.com:20000 and send email. The server will not allow mail apps to send, nor will it receive incoming email. I’m at a loss.
That unfortunately didn’t fix anything… I did a complete webmin.tar FileSystem Backup about 24 hours before it crashed on me. I’m trying to restore that but it’s taking forever. I’ll be 3 days into the 7-day ticker before my spam filter company stops trying to send me the email it’s storing. I may wind up setting up a separate receive server so I can at least receive them till I can straighten this mess out.
A quick Google:
```
fail2ban-client set postfix unbanip 192.168.0.1
```
I think something else is going on. I can telnet into my server and it responds with connected and the correct domain. I’d think if it were a fail2ban issue I wouldn’t be able to connect. Is my thought process correct?
Fail2ban blocks services like postfix; that block does not also affect ssh. Didn’t you post a fail2ban block on postfix? It blocks on the service that has had the failed authentications.
Yes, no matter what I’ve done I can’t get it to unban. I’ve even tried turning fail2ban off and it still won’t work. I did get incoming mail up. Now I just need to figure this out and be able to send email again. I’m thinking once I get it fixed I’ll be setting up a backup server on a different platform. Looking at Proxmox Mail Gateway and maybe Mail-in-a-Box, but I don’t like that the DNS has to be box.XYZ.com. The router IP just showed in the UI and if you hover over it, it says unban. Did that and restarted the service.
```
sudo fail2ban-client status postfix
Status for the jail: postfix
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/mail.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
```
and still no love.
So the first post is fixed? Fail2ban is not the issue, unless you still see those errors.
Turning off fail2ban won’t do much if the rule is there, I think. Turn off the firewall for a few minutes and see if it is a firewall issue.
Use this tool and see if there is a connection: Test Email Server
Also view the mail logs on the server (client errors show little) for errors.
Here is where I am. Someone from say Gmail emails me and I can receive that email (that was broken till about an hour ago). If I try to respond to that email from an email app or my phone I cannot. But if I log into webmail.mydomain.com I can send a reply. I had in main.cf for postfix
check_sender_access hash:/etc/postfix/sender_access
and
check_policy_service unix:postgrey/socket permit
I commented both out and now I am able to receive the mentioned gmail. I have no idea why all of this broke on me on Monday. I have gone through and tried commenting out everything except permit in both smtp_sender and smtp_relay restrictions and still have no luck. This has all been flawlessly working for years now with no input or changes by me.
Sounds like you’ve been playing around doing extra stuff that is not the default setup.
I do not have these config lines.
You never posted your OS; what are you using?
The postgrey I have:
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service unix:/var/spool/postfix/postgrey/socket
Ubuntu and yeah I was getting corn holed by spammers so I had to add a bunch of this extra stuff that seemed to stop all that. This is my main.cf minus the relay server info that I use for outgoing.
```
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
#delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit
# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
    permit
smtpd_tls_security_level = may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    permit
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = localhost
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    reject_unauth_pipelining
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client bl.spamcop.net
allow_percent_hack = no
tls_server_sni_maps = hash:/etc/postfix/sni_map
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
mynetworks_style = subnet
```
OK, no idea. It’s getting too complicated for me now.
Log file errors might help, but once someone goes and starts playing around with files is normally where issues start.
I used ConfigServer Security and Firewall (csf) – ConfigServer Services
These guys know what they’re doing, and it’s a free script.
Ok I’ll check it out. I am getting email it seems. For now at least I’m not missing anything. I can always call someone or use gmail or something to respond till I get it figured out.
Make sure you do a Virtualmin daily backup of all domains. At least if it’s too bad you can do a clean install and restore the backup.
Hello,
As far as I can tell, this is not going to be a fail2ban issue, as you can clearly connect to the server - fail2ban would mean that you won’t even be allowed to connect (the connection will time out).
From what I could find around the web, error code 451 4.3.5 should mean something is wrong with the restriction files, where you specify which clients to block.
Try to look into the postfix folder and try to find any missing hashed postmap files - I would focus on the sender_access file.
I have found that users have the same issue even when they miswrite the name of the restriction file in the postfix config file (for example, when the admin creates a file with the name sender_access but mistypes it as senderaccess in the configuration file).
Also, try to look into sender_access and check that you are not blocking yourself.
Lastly, I would try to restart postfix, or maybe the whole server, but I don’t think this helps at all.
EDIT: Actually, restarting your server isn’t that bad an idea, as there are other services which postfix depends on - if they have failed, a restart may help you.
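The check suggested in the post above (missing or mistyped hashed map files) can be automated. This is an added example, not code from the thread: it parses a main.cf, finds every `hash:`/`btree:` table with an absolute path, and reports tables whose compiled `.db` file is missing or older than its source. The sample files and main.cf in `demo()` are constructed in a temporary directory.

```python
import os
import re
import tempfile

# Table types whose source file must be compiled with postmap/postalias.
COMPILED_SUFFIX = {"hash": ".db", "btree": ".db"}

def logical_lines(text):
    """Join main.cf continuation lines (those that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def check_maps(main_cf_text):
    """Return (parameter, source path, problem) for each unusable table."""
    findings = []
    for line in logical_lines(main_cf_text):
        param, _, value = line.partition("=")
        for kind, path in re.findall(r"\b(hash|btree):(/[^\s,]+)", value):
            compiled = path + COMPILED_SUFFIX[kind]
            if not os.path.exists(compiled):
                findings.append((param.strip(), path, "compiled table missing"))
            elif (os.path.exists(path)
                  and os.path.getmtime(path) > os.path.getmtime(compiled)):
                findings.append((param.strip(), path, "source newer than table"))
    return findings

def demo():
    """Constructed sample: one table never compiled, one current, one stale."""
    d = tempfile.mkdtemp()
    for name, mtime in [("sender_access", 200), ("virtual", 100),
                        ("virtual.db", 200), ("bcc", 300), ("bcc.db", 200)]:
        path = os.path.join(d, name)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    main_cf = (
        "smtpd_sender_restrictions =\n    permit_mynetworks,\n"
        f"    check_sender_access hash:{d}/sender_access,\n"
        "    permit\n"
        f"virtual_alias_maps = hash:{d}/virtual\n"
        f"sender_bcc_maps = hash:{d}/bcc\n"
    )
    return d, check_maps(main_cf)
```

On a real server, pass the contents of /etc/postfix/main.cf to `check_maps()`; a "compiled table missing" finding is fixed by running `postmap` (or `postalias` for alias files) on the source path.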
When trying to send an email from a mail app I’m getting “relay access denied” when I cat /var/log/mail.log.
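A simplified model of how Postfix walks the restriction lists in the main.cf posted earlier in the thread, given as an added example and not code from any poster. It assumes the mail app reaches the server from the router address 192.168.0.1 with SASL authentication and an external recipient, that webmail submits from 127.0.0.1, and that the syntax, pipelining and RBL checks do not fire; 203.0.113.5 is a constructed outside address.

```python
import ipaddress

# Lists as posted in the thread's main.cf. A parameter set twice takes its
# last value, so the second smtpd_recipient_restrictions is the one in effect.
MYNETWORKS = ["127.0.0.0/8", "::ffff:127.0.0.0/104", "::1/128"]
LISTS = [
    ("smtpd_relay_restrictions",
     ["permit_mynetworks", "permit_sasl_authenticated",
      "reject_unauth_destination", "permit"]),
    ("smtpd_recipient_restrictions",
     ["reject_unauth_pipelining", "reject_non_fqdn_recipient",
      "reject_unknown_recipient_domain", "permit_mynetworks",
      "reject_unauth_destination", "reject_rbl_client zen.spamhaus.org",
      "reject_rbl_client bl.spamcop.net"]),
]

def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in MYNETWORKS)

def first_match(restrictions, ip, sasl, rcpt_is_local):
    """Return (action, rule) for the first restriction that fires, else None.
    Assumption: only the access-control restrictions are modelled; the
    other checks are treated as not matching this client."""
    for rule in restrictions:
        if rule == "permit":
            return "permit", rule
        if rule == "permit_mynetworks" and in_mynetworks(ip):
            return "permit", rule
        if rule == "permit_sasl_authenticated" and sasl:
            return "permit", rule
        # rcpt_is_local: the server is the destination or relay for the domain.
        if rule == "reject_unauth_destination" and not rcpt_is_local:
            return "reject", rule
    return None

def rcpt_decision(ip, sasl, rcpt_is_local):
    """Every list is evaluated; a permit ends only the list it appears in."""
    for name, restrictions in LISTS:
        hit = first_match(restrictions, ip, sasl, rcpt_is_local)
        if hit and hit[0] == "reject":
            return f"reject: {hit[1]} in {name}"
    return "accept"
```

Under those assumptions `rcpt_decision("192.168.0.1", True, False)` is rejected by `reject_unauth_destination` in `smtpd_recipient_restrictions`, which has no `permit_sasl_authenticated` ahead of it, while the localhost and inbound cases are accepted.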