Iptables not restoring properly after a reboot

Ubuntu 20.04, VM 7.3-1
Someone is relaying spam via postfix so I looked at the firewall etc.
systemctl status firewalld
gives this: ERROR: ‘/usr/sbin/iptables-restore -w -n’ failed: iptables-restore v1.8.4 (legacy): invalid port/service `imap3’ specified Error occurred at line: 2
Am I wrong but does Dovecot use IMAPS not IMAP3 or are they the same? I saw another post with the same error that edited some IMAP3 entries to IMAP2 which fixed it for him.
I cannot find where that is specified unless it is in Fail2ban jail.conf which looks similar

Confused. Any help appreciated.

The firewall has nothing to do with relaying spam. You can’t block your Postfix ports without blocking them for your regular users.

Also, firewalld is the default firewall on Virtualmin systems, not iptables (iptables may be the backend, but you should not be using iptables-restore or iptables-save, if you’re using firewalld).

I have only two valid users sending mail (I am one) plus a contact form and both users are on static IPs. So, my thoughts were to restrict access to those 3 IPs while I secure it all.
As I understand it, FirewallD is a wrapper for IPTABLES.

This is a plain vanilla Virtualmin install on a new Ubuntu system. It is Virtualmin’s default FirewallD configuration performing that iptables-restore at system boot, It is nothing at all that I implemented and is reported by FirewallD’s own status query.

So, has anyone any ideas how to solve the reported error?

Hmm…I didn’t think Firewalld uses iptables-restore. I’m not sure what the make of that.

But, imap3 is obviously not a valid service name, and I seem to recall a similar bug in our configuration tool several years ago (but can’t find it in github…it ought to appear in a commit, even if it doesn’t currently exist), so I’m not sure about that.

But, the short answer is get rid of that bogus config. Something like this:

firewall-cmd --zone=public  --permanent --remove-service=imap3