DMS/Roundcube/Caddy - fail2ban blocks docker gateway

Complex "puzzle", I suspect that it needs configuration at the DMS and Roundcube containers. The Caddy container appears to be doing its part: delivering X-Real-IP and X-Forwarded-For to Roundcube. The problem occurs when someone tries to log in on Roundcube... Three failed attempts and fail2ban on Docker Mailserver blocks the docker gateway, 172.18.0.1; then nobody can log in on Roundcube until the ban expires. I would like to pin down/understand the right configuration and not circumvent/disable fail2ban. After two days of intense research, I suspect that the solution may involve:
I tried so many things that I got lost in the problem...
Caddyfile block relative to Roundcube:
Any ideas/suggestions are welcome. One year ago I tried to solve this problem but despite some help/ideas I could not discover how to do it. Instead of "resurrecting" that old discussion I thought it would be better to start a new topic.
- ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.mydomain.net
- ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.mydomain.net

Your RoundCube is connecting to DMS via the server ingress, so not going through Caddy for the mail login connection (and I don't think Caddy can proxy that, unless using a proxy plugin that I don't recall the status of). This results in the Gateway IP if IPv6 is used to connect to the server and your container is IPv4 only. Even for IPv4 however, the connection is coming from RoundCube at this point, so I doubt it'd make a difference? You can connect to the DMS container directly from the RoundCube one, but I don't think that helps with the IP concern? You probably need Fail2Ban to ignore login failures from the RoundCube IP and if you want to still ban on RoundCube failures, then have Fail2Ban configured to monitor RoundCube logs for that and get the correct IP to ban?
Use case: Firefox on an Android phone tries to log in on Roundcube using an existing user with a wrong password. Note that Roundcube received (and knows) X-Real-IP and X-Forwarded-For. So, some configuration must be done at Roundcube and DMS to use that information, X-Real-IP and/or X-Forwarded-For. At the Roundcube config level, maybe one or more of these parameters must be adjusted:
Complete config file at https://github.com/roundcube/roundcubemail/blob/master/config/defaults.inc.php
At the DMS config level, for sure something on Dovecot, like: https://doc.dovecot.org/configuration_manual/forwarding_parameters/ and https://doc.dovecot.org/settings/core/#core_setting-login_trusted_networks
Below, pertinent parts of the Caddy, DMS and Roundcube logs.
Caddy
DMS
Roundcube
Making progress with https://packagist.org/packages/takerukoushirou/roundcube-dovecot_client_ip and some other adjustments! 😄 Still need to pinpoint the exact needed changes but it can be done. 🤓
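The three situations discussed in this thread (the opening post's symptom, the first reply's "ignore the RoundCube IP and ban from Roundcube's own log" suggestion, and the forwarded-client-IP approach via login_trusted_networks plus the dovecot_client_ip plugin) can be checked offline with a small fail2ban-style counter. This is an added example, not code from the thread, DMS, Dovecot, Roundcube or fail2ban. The log lines are constructed: they only approximate the Dovecot imap-login auth-failure message and Roundcube's errors.log message, and alice@example.net, mail.example.net, 203.0.113.5, the lip value and the session ids are placeholders. The regexes are reduced versions of what fail2ban's dovecot and roundcube-auth filters match, and the constructed Roundcube line assumes Roundcube logs the real client address (which needs the proxy headers Caddy sets to be honoured).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

CLIENT = "203.0.113.5"   # the phone's public address (placeholder)
GATEWAY = "172.18.0.1"   # Docker bridge gateway, as DMS sees the Roundcube connection


def dovecot_fail_line(rip: str, session: str) -> str:
    """Constructed Dovecot imap-login auth-failure line with the given remote IP."""
    return (
        "Jan 10 12:00:01 mail dovecot: imap-login: Disconnected: Connection closed "
        "(auth failed, 1 attempts in 2 secs): user=<alice@example.net>, method=PLAIN, "
        f"rip={rip}, lip=172.18.0.3, TLS, session=<{session}>"
    )


def roundcube_fail_line(client_ip: str) -> str:
    """Constructed Roundcube errors.log line for a failed IMAP login."""
    return (
        "[10-Jan-2025 12:00:01 +0000]: <s1> IMAP Error: Login failed for "
        f"alice@example.net against mail.example.net from {client_ip}. "
        "AUTHENTICATIONFAILED Authentication failed. in "
        "/var/www/html/program/lib/Roundcube/rcube_imap.php on line 211"
    )


# Reduced failregexes; fail2ban's real dovecot.conf / roundcube-auth.conf are broader.
DOVECOT_FAIL = re.compile(r"auth failed.*?\brip=(?P<ip>[0-9a-fA-F.:]+)")
ROUNDCUBE_FAIL = re.compile(r"Login failed for \S+ against \S+ from (?P<ip>[0-9a-fA-F.:]+)\.")


def banned_ips(lines, pattern, maxretry=3, ignoreip=()):
    """Count failures per source IP the way a jail would and return the IPs that
    reach maxretry; addresses inside any ignoreip network are never counted."""
    ignored = [ip_network(n, strict=False) for n in ignoreip]
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        ip = ip_address(m.group("ip"))
        if any(ip in net for net in ignored):
            continue
        hits[str(ip)] += 1
    return {ip for ip, n in hits.items() if n >= maxretry}


def ban_as_reported():
    """Opening post: Dovecot jail only, every relayed failure carries rip=gateway,
    so three wrong passwords from one phone ban the gateway for everyone."""
    lines = [dovecot_fail_line(GATEWAY, f"s{i}") for i in range(3)]
    return banned_ips(lines, DOVECOT_FAIL)


def ban_with_ignoreip_and_roundcube_jail():
    """First reply: exempt the Docker network in the Dovecot jail and ban from
    Roundcube's own log, where the client address is known."""
    dovecot = [dovecot_fail_line(GATEWAY, f"s{i}") for i in range(3)]
    roundcube = [roundcube_fail_line(CLIENT) for _ in range(3)]
    return (banned_ips(dovecot, DOVECOT_FAIL, ignoreip=["172.18.0.0/16"])
            | banned_ips(roundcube, ROUNDCUBE_FAIL))


def ban_with_forwarded_ip():
    """Forwarding approach: with the Roundcube container inside login_trusted_networks
    and the client IP forwarded, Dovecot logs the real client in rip=, so the
    unchanged Dovecot jail bans the right address and the gateway stays unbanned."""
    lines = [dovecot_fail_line(CLIENT, f"s{i}") for i in range(3)]
    return banned_ips(lines, DOVECOT_FAIL)


if __name__ == "__main__":
    print("as reported:        ", ban_as_reported())
    print("ignoreip + rc jail: ", ban_with_ignoreip_and_roundcube_jail())
    print("forwarded client ip:", ban_with_forwarded_ip())
```

The second scenario carries the caveat the first reply hints at: once the Docker network is in ignoreip, any other failure that arrives through the gateway (for instance IPv6 clients reaching an IPv4-only container) is no longer banned either, so the Roundcube-log jail has to carry that load. The third scenario avoids that, but depends on Dovecot actually being handed the client IP, which is what the plugin and login_trusted_networks setting are for.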
FWIW, this discussion might be a helpful reference. It's focused on PROXY protocol support and with Traefik, but I did add a Caddy example in there. I haven't given Roundcube a look, but I have read it supports PROXY protocol at least for STARTTLS, while you'd otherwise need the plugin approach for implicit TLS I think.
Finally I made it work only to discover a logical flaw in my idea...