Category Archives: Howto Tutorials (EN)


Protect Kopano by Fail2ban

Hardening Kopano against attacks with Fail2ban

This howto describes how to install and configure Fail2ban for Kopano Groupware on Ubuntu. Fail2ban provides effective protection against brute-force attacks: it filters failed authentication attempts out of the syslog and Apache logs and blocks the offending host for a defined period of time using the kernel firewall.

Install Fail2ban on Kopano Server

The Fail2ban package is installed on Ubuntu as root as follows. Fail2ban is written in Python, so the required Python libraries are pulled in as dependencies.

$ apt-get update
$ apt-get install fail2ban -y

After installation, start Fail2ban and enable it in systemd for autostart.

$ systemctl start fail2ban
$ systemctl enable fail2ban

Create Fail2ban Filter for Kopano

To build the Fail2ban filter for Kopano, create the file kopano-webapp-auth.conf:

$ vi /etc/fail2ban/filter.d/kopano-webapp-auth.conf

Insert the content into the filter file with the following lines:

# Fail2Ban kopano-webapp-auth filter
# /etc/fail2ban/filter.d/kopano-webapp-auth.conf

[INCLUDES]
# apache-common.conf defines %(_apache_error_client)s, the "[client <HOST>]" prefix of Apache error-log lines
before = apache-common.conf

[Definition]
failregex = ^%(_apache_error_client)s Kopano WebApp user:.* authentication failure at MAPI

ignoreregex =

Enable the Kopano Filter

Activate the Fail2ban filter for Kopano by creating the configuration file jail.local.

$ vi /etc/fail2ban/jail.local

And insert the following content:

[sshd]
port = ssh
logpath = %(sshd_log)s

[kopano-webapp]
enabled = true
port = https
filter = kopano-webapp-auth
logpath = %(apache_error_log)s

[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s

Here the Apache error log is read via the variable %(apache_error_log)s, which resolves to /var/log/apache2/error.log.
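Before restarting Fail2ban, the filter expression can be checked offline against sample log lines. The script below is an added example, not part of the original howto: it expands the failregex the way Fail2ban does (the _apache_error_client pattern is assumed to be the one from a current apache-common.conf, and the <HOST> expansion is the simplified IPv4/hostname form) and runs it over constructed Apache error-log lines.

```python
import re

# "[client <HOST>]" prefix of Apache error-log lines, as %(_apache_error_client)s is
# defined in Fail2ban's apache-common.conf (assumed current; compare with your copy).
APACHE_ERROR_CLIENT = (
    r"\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]"
)
# failregex from kopano-webapp-auth.conf with the include expanded
FAILREGEX = (
    r"^%(_apache_error_client)s Kopano WebApp user:.* authentication failure at MAPI"
    % {"_apache_error_client": APACHE_ERROR_CLIENT}
)
# Simplified <HOST> expansion (IPv4 address or host name); Fail2ban's real one also covers IPv6
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
COMPILED = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

def strip_date(line: str) -> str:
    """Emulate Fail2ban cutting the matched Apache timestamp out of the line, leaving '[]'."""
    return re.sub(r"^\[[^\]]*\]", "[]", line, count=1)

def matching_hosts(lines):
    """Client addresses of the lines the Kopano filter counts as authentication failures."""
    hosts = []
    for line in lines:
        m = COMPILED.search(strip_date(line.rstrip("\n")))
        if m:
            hosts.append(m.group("host"))
    return hosts

def ban_candidates(lines, maxretry=2):
    """Addresses with at least maxretry matches (the jail's findtime window is ignored here)."""
    counts = {}
    for host in matching_hosts(lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample lines in Apache 2.4 error-log format, not real traffic
SAMPLE_LOG = [
    "[Tue Mar 12 09:26:12.123456 2019] [php7:notice] [pid 2048] [client 203.0.113.5:51234] Kopano WebApp user: alice: authentication failure at MAPI",
    "[Tue Mar 12 09:26:13.000001 2019] [php7:notice] [pid 2048] [client 203.0.113.5:51235] Kopano WebApp user: alice: authentication failure at MAPI",
    "[Tue Mar 12 09:27:00.000001 2019] [php7:notice] [pid 2049] [client 198.51.100.7:40000] Kopano WebApp user: bob: authentication failure at MAPI",
    "[Tue Mar 12 09:27:05.000001 2019] [core:error] [pid 2050] [client 198.51.100.9:40001] AH00126: Invalid URI in request GET /../ HTTP/1.1",
]

if __name__ == "__main__":
    print(matching_hosts(SAMPLE_LOG))   # ['203.0.113.5', '203.0.113.5', '198.51.100.7']
    print(ban_candidates(SAMPLE_LOG))   # ['203.0.113.5']
```

On the real host the same check is done with fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/kopano-webapp-auth.conf, which also applies the jail's date handling and full <HOST> expansion.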

Start Fail2ban with Kopano Filter

Restart Fail2ban to enable the changes.

$ systemctl restart fail2ban

Check Fail2ban Client Status

The status of Fail2ban can be checked as follows.

$ fail2ban-client status
|- Number of jail: 3
'- Jail list: apache-auth, kopano-webapp, sshd
$ fail2ban-client status kopano-webapp
Status for the jail: kopano-webapp
| Filters
|  |- Currently failed: 0
|  |- Total failed: 7
|  '- File list: /var/log/apache2/mattermost-error.log /var/log/apache2/error.log
'- Actions
   |- Currently banned: 4
   |- Total banned: 52
   '- Banned IP list:

The firewall also shows which hosts are currently blocked by Fail2ban; query the f2b- chains with iptables:

$ iptables -vnL | egrep "f2b-kopano-webapp|apache-auth|sshd"

Fail2ban intrusion prevention software framework

Fail2ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.

Fail2ban operates by monitoring log files (e.g. /var/log/auth.log, /var/log/apache/access.log, etc.) for selected entries and running scripts based on them. Most commonly this is used to block selected IP addresses that may belong to hosts that are trying to breach the system’s security. It can ban any host IP address that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.

It includes support for both IPv4 and IPv6. Optionally longer bans can be custom-configured for “recidivist” abusers that keep coming back. Fail2ban is typically set up to unban a blocked host within a certain period, so as to not “lock out” any genuine connections that may have been temporarily misconfigured. However, an unban time of several minutes is usually enough to stop a network connection being flooded by malicious connections, as well as reducing the likelihood of a successful dictionary attack.

How to use Postfix SASL authentication

SMTP servers must decide whether an SMTP client is authorized to send e-mail that the server is responsible for.

Simple Authentication and Security Layer (SASL) Integration in Postfix

This guide describes how to extend the MTA (Mail Transport Agent) Postfix on CentOS 7 with Cyrus-SASL for SMTP authentication (SMTP-Auth). Afterwards, clients can send e-mail using SMTP-Auth. This manual was tested on CentOS Linux release 7.7.1908 (Core) with Postfix v2.10.1 and Cyrus-SASL 2.1.26. It is assumed that Postfix is already configured and Transport Layer Security (TLS) is implemented.

Postfix does not implement the SASL Library itself, but uses existing implementations as building blocks. This means that some SASL-related configuration files belong to Postfix, while other configuration files belong to the specific SASL implementation that Postfix will use.

How to Install Cyrus-SASL

As root, install the packages with the following command:

yum install cyrus-sasl cyrus-sasl-plain -y

The individual SASL mechanisms are installed as RPMs.

Next comes the integration into Postfix; for this purpose, make the following change in the file /etc/postfix/

# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

For Postfix to work with SASL, the smtpd process must not run in a chroot: on the smtps line, the chroot field (position 5) is set to n.

To configure SMTP-Auth for local users, we edit the Postfix file /etc/postfix/

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = !gssapi, !login, static:all
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd

Cyrus-SASL is configured by two files. The first, /etc/sysconfig/saslauthd, can be kept as delivered by the package; its comments describe the settings:

# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.

The SASL mechanisms PLAIN and LOGIN, CRAM-MD5 and DIGEST-MD5 are often used; they are configured in /etc/sasl2/smtpd.conf, which was also deployed during installation:

pwcheck_method: saslauthd
mech_list: plain login CRAM-MD5 DIGEST-MD5

Now start Cyrus-SASL Library Daemon and activate the systemd autostart, then re-start Postfix:

systemctl start saslauthd
systemctl enable saslauthd
systemctl restart postfix

SMTP Submission Support on port 587 is now enabled, and this can be verified with the following command:

ss -tuln4 | grep 587
tcp   LISTEN      0      100         *:587         *:*

To authenticate to the SMTP gateway, a user is now created to send e-mail through the MTA:

adduser -M -s /sbin/nologin User24
passwd User24

A local user account is sufficient for our purpose here; Cyrus-SASL also supports LDAP and SQL back ends, for example to integrate with Kopano or an Active Directory service.

Testing Cyrus-SASL SMTP-Auth

The mechanisms for authentication within STARTTLS can be verified with OpenSSL:

openssl s_client -connect -starttls smtp

Inside the openssl session, send an EHLO; the reply lists the server's extensions:

 250-SIZE 27262976
 250 DSN

If OpenSSL is not available, telnet can be used instead to connect to the gateway on port 587; PuTTY or KiTTY also work for this purpose.

Now we want to authenticate to the gateway (MTA). The user name and password must be sent to the SMTP gateway Base64-encoded; the following commands produce the Base64 encoding of the user name and the password:

echo -en "userxy" | base64
echo -en "password" | base64

The SASL SMTP-Auth configuration and authentication are checked by running the following lines in the terminal; after entering AUTH LOGIN, paste the Base64-encoded user name and then the Base64-encoded password:

telnet 25
Connected to
Escape character is '^]'.
220 ESMTP MAIL Service ready at Sat, 12 Mar 2019 09:26:12
EHLO Hello
250-SIZE 2097152
250 OK
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 2.7.0 Authentication successful

The SMTP-Auth output of Postfix with Cyrus-SASL.

Enter the encoded credentials at the two 334 prompts: the Base64-encoded user name (userxy) at the first prompt, line 24 of the listing, and the encoded password at the second, line 26.

A 250-STARTTLS line in the EHLO output shows that the prerequisite is met for transmitting the plaintext user name and password to the SMTP gateway protected by STARTTLS.
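To make the exchange above checkable by hand, here is an added example (not from the original howto) that decodes the 334 prompts, produces the AUTH LOGIN responses for userxy/password, and parses an EHLO reply to see whether AUTH is advertised on the cleartext connection, which is what smtpd_tls_auth_only = no permits. The EHLO reply and the host name mail.example.test are constructed.

```python
import base64

def decode_challenge(line: str) -> str:
    """Decode a '334 <base64>' continuation reply into the prompt text the server sends."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError("not an AUTH continuation reply: " + line)
    return base64.b64decode(payload, validate=True).decode("ascii")

def auth_login_responses(user: str, password: str, challenges):
    """Build the two client lines for AUTH LOGIN, verifying each prompt before answering it."""
    responses = []
    for expected, line in zip(("Username:", "Password:"), challenges):
        prompt = decode_challenge(line)
        if prompt != expected:
            raise ValueError(f"expected prompt {expected!r}, server sent {prompt!r}")
        value = user if expected == "Username:" else password
        responses.append(base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return responses

def parse_ehlo(reply: str) -> dict:
    """Map a multi-line 250 EHLO reply to {EXTENSION: [parameters]}; the first line is the greeting."""
    extensions = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected line in EHLO reply: " + line)
        words = line[4:].split()
        if words:
            extensions[words[0].upper()] = words[1:]
    return extensions

def auth_offered_in_cleartext(ehlo_before_starttls: str) -> bool:
    """True when AUTH is advertised before STARTTLS, which smtpd_tls_auth_only = no allows."""
    return "AUTH" in parse_ehlo(ehlo_before_starttls)

# Constructed EHLO reply from a cleartext session, before STARTTLS (host name is made up)
EHLO_CLEARTEXT = """250-mail.example.test Hello
250-SIZE 2097152
250-STARTTLS
250-AUTH PLAIN LOGIN
250 OK"""

if __name__ == "__main__":
    print(auth_login_responses("userxy", "password", ["334 VXNlcm5hbWU6", "334 UGFzc3dvcmQ6"]))
    print(auth_offered_in_cleartext(EHLO_CLEARTEXT))
```

If the last call returns True for your server, AUTH (and with it the Base64 credentials) is accepted on an unencrypted connection; setting smtpd_tls_auth_only = yes in main.cf makes Postfix advertise AUTH only after STARTTLS.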

Another easy way to test an SMTP gateway is SMTPConsole.
