No connection from external ip from Iphone and Nethserver (SOGO)

Good day,
now have the server running for a few days. This morning the Iphone gets no connection to the server anymore from Extern. Can not retrieve emails. The establishment of the Exchangeaccount we also no longer accepted, as well as confirmed. Port 443 is open
What we blocked where?
In the wifi works !!

greetings
Gottfried

Have now solved the problem itself. The IP was from
Fail2ban blocked.

1 Like

Hello,

I encounter the same problem. But simply taking the IP from the iPhone into the whitelist of fail2ban does not solve the problem due to the fact, that the IP of cellphones change :wink: So a little bit too fast shouting “solution”. This is not working for me, when connecting with UMTS/LTE.

I have no problem from Android (AquaMail) or Linux (Evolution / Thunderbird).
Outlook is not working, too.

Another remark: SOGo is a webclient for the mailsystem on nethserver. It has nothing to do with connecting through iPhone (native iOS Mail App) - these are too different clients using the same mailserver.

Setup: Nethserver 7.8 / LDAP-provider.

Any clue?

Greets
Axel

@Axel_Pospischil

Hi Alex

A bit more information would help diagnose and maybe even solve your problem.

At the moment, your post resembles the User type post, where a user, whose Internet Browser (IE) hangs, and states “The Internet is not working”!

Does things work from inside the network (LAN)?

Do you access your network from outside using IP, fixed IP or DynDNS name (or something similiar)?

Does a telnet test (From inside AND outside) work?
eg: telnet meinserver.de 25, same thing using 143. (IMAP).
IMAPs (193 and SMTP-TLS 587 and SMTPs 465) won’t work with telnet because of encryption)
-> The server should awnser stating it’s name and protocoll…

I also use NethServer, at home and for about 25-30 clients, mostly SME companies.

Grüsse vom vom Bodensee, Kreuzlingen / Schweiz!
Andy

To all english speakers: The few german words are simply words of greeting, as we both live on the same river, the Rhein… :slight_smile:

Hey Andy,

thanks for the quick reply :slight_smile:

To the thread-starter: he tries to connect with an iPhone. So my guess is, he would like to use LTE or UMTS - which is, indeed the purpose of a smart phone or mobile device :slight_smile: So WLAN is not an option. And he does not write which IP was blocked from fail2ban: the WLAN-IP or the LTE IP … so I was a little bit lost with the information “solved”.

Yes, I can see - from my iPhone, WLAN disconnected - that all services on the server are running. Therefore im am using the iPhone App “Network Status”.

The problem is fail2ban. I can use my Android Tablet with WLAN (home or work) without problems getting mails from the server (AquaMail).

But using LTE directly at the iPhone or via Hotspot of the phone will result in a connection timeout getting mails and an immediate ban through fail2ban. I can see in the fail2ban-log the “TELEKOM” Entry (which is my phone provider).

The IP ###.###.###.### has just been banned by Fail2Ban after
5 attempts against postfix-ddos.
[…]
inetnum: ###.###.###.0 -###.###.###.255
netname: CUSTOMERS-DE
descr: Telekom Deutschland GmbH
[…]

Interesting: I am then also banned using iPhones Mail App with only WLAN (provider disconnected). Then my IP-address at home gets banned (you get this e.g. with fast.com):

The IP ###.###.###.### has just been banned by Fail2Ban after
5 attempts against postfix-ddos.
[…]
inetnum: ###.###.###.0 -###.###.###.255
netname: KABEL-DEUTSCHLAND-CUSTOMER-SERVICES
descr: Kabel Deutschland Breitband Customer
[…]
[…]

So I am shure this has something to do with iPhones Mail app: My settings are very common - like in all my E-Mail programs

  • domainname.net
  • user for SMTP
  • password for SMTP
  • tried all forms of authentification (plain pass, md5, …)
  • Port 587 (tried also 465, 25 is not open due to spam)

I have to unban my IP with

bin/reset_fail2ban_for_ip.sh $MY_IP

Here is the script I use for unbanning my IP (if anyone is interested):

cat bin/reset_fail2ban_for_ip.sh
#!/bin/bash

myIP="${1}"

[ “${1}” == “” ] && echo “Please add your IP-address for 0 to use \"fail2ban-client unban\" as parameter!" [ "{1}” == “” ] && exit 1

cd /etc/fail2ban/filter.d
ls | sed s/.conf//g | awk -v ip=$myIP ‘{system("fail2ban-client set " $0 " unbanip " ip “;”)}’
cd -

Weired.

Greetings to “Bodensee”
Axel

Hi

Try - at least on Apple iOS - using Port 25 with TLS for mail.

Most of my clients and I at home use this, works well.
Port 25 with Auth can be activated in the older Dashboard or in the newer Cockpit.

At the moment I can’t find the setting in Cockpit, here from the older Dashboard:

See under eMail, at the lower left menu:

Found it, under Relay…

I also have clients using DynDNS and mail, I use this at home too…

Andy

Hi Andy,

thanks. Unfortunately I don’t use a relay host.

This is a standard Vserver (KVM) with real domain and real email (smtp, imap). The firewall is configured correctly allowing email ports. POP is not enabled. I am just using IMAPS and SMTPS. I don’t want to expose services that are not necessary.

So changing anything under a relay host, that does not exist should not enable anything. I tested, and as expected the problem exists in the same way.

Also: smtp (port 25) is not smtps (465), and using port 25 is highly insecure. Or am I wrong? When I look within my fail2ban log I get a lot of spam concerning connections via ddos.

Could you specify, what exactly you settings are in iOS for SMTP and IMAP? Using SSL yes/no, auth method, server port please.

Thanks. I don’t give up on this yet :slight_smile: I think a lot of others encounter the same problem.

Greets
Axel

@Axel_Pospischil

The last screenshot may be titled “Relay”, but that is all empty, I’m not using a relay here. But the important setting is below, use Port 25 with Auth! (Aktiviere Authentifizierung an Port 25 - in German)…

Using Port 25 from a mail client is NOT the same as the traffic between two mail servers, which is not encrypted. Traffic between a client and NethServer with auth exposed on Port 25 (TLS) is the same and just as secure as using Port 587 with TLS (Submission). Port 465 (SMTPs) with SSL is already counted as passé, deprecated, old and nearly obsolete.

Any Mailserver with Port 25 open (must be for an Internet Mail server) will always get a lot of spam, it’s up to the servers software to sort this out. Internet Mail between servers is not encrypted, and highly spam attackable.

I would NOT suggest to use SMTPs (Port 465) anymore!

See here for a good explanation.

On my iPhone, I use as follows:

General / Incoming (IMAPs)

Outgoing (SMTP/TLS):

Note: Even though the DNS has an entry mail.domainname.com, I’m using the NethServers FQDN, also in DNS, here. (Also for Thunderbird).

The Ports are fully recognized here (automatically), this NethServer has 25 and 587 open for SMTP/TLS and 993 for IMAPs.

On the SMPT settings you can see that 587 not only uses TLS, but also SSL (465 is only SSL, less secure). Port 25, as I use on some other NethServers uses the same settings as 587 and is also automatically discovered.

On Thunderbird, i almost always use Port 25 for outgoing mail (SMTP/TLS).

Do not use Kerberos for Password!

My 2 cents
Andy