1

Topic: Can not IP address to blacklist

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 6.5 64bit
- Related log if you're reporting an issue:
- iRedAdmin-pro 1.8.2
====

Dear support,

I added an IP address to the blacklist, and the message was: Records were successfully added.
However, when reviewing the Blacklists I cannot find any record in either the All blacklists or the IP Address panel.

I can add a domain to the blacklists. However, there is no effect: spam still comes and the SMTP connections are still ESTABLISHED.

Spam only stopped when I added the IP to iptables.

Thanks and best regards,
Minh


2

Re: Can not IP address to blacklist

Are you running Policyd or Cluebringer for white/blacklist? Any log in Postfix log related to this spam IP?

3

Re: Can not IP address to blacklist

Dear ZhangHuangbin

Yes, I already selected YES for Cluebringer when installing iRedMail. In fact, I am not sure whether this is spam or not, and I already emailed the postmaster to let him know that his mail server keeps sending mail to mine.

Here are some logs from /var/log/maillog:

Oct 31 14:03:27 mx1 postfix/smtpd[28849]: connect from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]
Oct 31 14:03:27 mx1 postfix/smtpd[28863]: connect from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]
Oct 31 14:03:27 mx1 postfix/smtpd[28847]: connect from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]
Oct 31 14:03:28 mx1 cbpolicyd[23323]: module=Greylisting, action=pass, host=84.253.63.155, helo=tlsrv03.topline-electronic.ch, from=, to=daithanh@sptfone.vn, reason=authenticated
Oct 31 14:03:28 mx1 cbpolicyd[23323]: module=Quotas, action=reject, host=84.253.63.155, helo=tlsrv03.topline-electronic.ch, from=, to=daithanh@sptfone.vn, reason=quota_match, policy=3, quota=2, limit=2, track=Recipient:daithanh@sptfone.vn, counter=MessageCount, quota=31.30/30 (104.3%)
Oct 31 14:03:28 mx1 postfix/smtpd[28849]: NOQUEUE: reject: RCPT from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]: 554 5.7.1 <daithanh@sptfone.vn>: Recipient address rejected: Quota exceeded (30 messages in 3600 seconds); from=<> to=<daithanh@sptfone.vn> proto=ESMTP helo=<tlsrv03.topline-electronic.ch>
Oct 31 14:03:28 mx1 postfix/smtpd[28849]: too many errors after RCPT from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]
Oct 31 14:03:28 mx1 postfix/smtpd[28849]: disconnect from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]
Oct 31 14:03:28 mx1 cbpolicyd[6506]: module=Greylisting, action=pass, host=84.253.63.155, helo=tlsrv03.topline-electronic.ch, from=, to=daithanh@sptfone.vn, reason=authenticated
Oct 31 14:03:28 mx1 cbpolicyd[6506]: module=Quotas, action=reject, host=84.253.63.155, helo=tlsrv03.topline-electronic.ch, from=, to=daithanh@sptfone.vn, reason=quota_match, policy=3, quota=2, limit=2, track=Recipient:daithanh@sptfone.vn, counter=MessageCount, quota=31.30/30 (104.3%)
Oct 31 14:03:28 mx1 postfix/smtpd[28863]: NOQUEUE: reject: RCPT from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]: 554 5.7.1 <daithanh@sptfone.vn>: Recipient address rejected: Quota exceeded (30 messages in 3600 seconds); from=<> to=<daithanh@sptfone.vn> proto=ESMTP helo=<tlsrv03.topline-electronic.ch>
Oct 31 14:03:28 mx1 postfix/smtpd[28863]: too many errors after RCPT from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]
Oct 31 14:03:28 mx1 postfix/smtpd[28863]: disconnect from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]
Oct 31 14:03:28 mx1 cbpolicyd[11478]: module=Greylisting, action=pass, host=84.253.63.155, helo=tlsrv03.topline-electronic.ch, from=, to=daithanh@sptfone.vn, reason=authenticated
Oct 31 14:03:28 mx1 cbpolicyd[11478]: module=Quotas, action=reject, host=84.253.63.155, helo=tlsrv03.topline-electronic.ch, from=, to=daithanh@sptfone.vn, reason=quota_match, policy=3, quota=2, limit=2, track=Recipient:daithanh@sptfone.vn, counter=MessageCount, quota=31.30/30 (104.3%)
Oct 31 14:03:28 mx1 postfix/smtpd[28847]: NOQUEUE: reject: RCPT from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]: 554 5.7.1 <daithanh@sptfone.vn>: Recipient address rejected: Quota exceeded (30 messages in 3600 seconds); from=<> to=<daithanh@sptfone.vn> proto=ESMTP helo=<tlsrv03.topline-electronic.ch>
Oct 31 14:03:28 mx1 postfix/smtpd[28847]: too many errors after RCPT from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]
Oct 31 14:03:28 mx1 postfix/smtpd[28847]: disconnect from 155.63.253.84.static.wline.lns.sme.cust.swisscom.ch[84.253.63.155]
Oct 31 14:10:21 mx1 postfix/anvil[26950]: statistics: max connection rate 9/60s for (smtp:84.253.63.155) at Oct 31 14:02:26
Oct 31 14:10:21 mx1 postfix/anvil[26950]: statistics: max connection count 3 for (smtp:84.253.63.155) at Oct 31 14:02:19

Here I see a lot of SMTP connections from the "spam" server:

[root@mx1 ~]# netstat -np --protocol=inet | grep ESTABLISHED | grep :25
tcp        0    107 my mail server ip:25             84.253.63.155:12033         ESTABLISHED 29786/smtpd
tcp        0    171 my mail server ip:25             84.253.63.155:12056         ESTABLISHED 29809/smtpd
tcp        0    107  my mail server ip:25             84.253.63.155:12039         ESTABLISHED 29792/smtpd
tcp        0    107  my mail server ip:25             84.253.63.155:12030         ESTABLISHED 29556/smtpd
tcp        0     14  my mail server ip:25             84.253.63.155:12049         ESTABLISHED 29802/smtpd
tcp        0   1663  my mail server ip:25             49.94.31.34:57333           ESTABLISHED 29852/smtpd
tcp        0    171  my mail server ip:25             84.253.63.155:12055         ESTABLISHED 29808/smtpd
tcp        0    107  my mail server ip:25             84.253.63.155:12034         ESTABLISHED 29787/smtpd
tcp        0     34  my mail server ip:25             84.253.63.155:12070         ESTABLISHED 29843/smtpd
tcp        0     14  my mail server ip:25             84.253.63.155:12036         ESTABLISHED 29789/smtpd
tcp        0    107  my mail server ip:25             84.253.63.155:12035         ESTABLISHED 29788/smtpd
tcp        0     14  my mail server ip:25             84.253.63.155:12047         ESTABLISHED 29800/smtpd
tcp        0     34  my mail server ip:25             84.253.63.155:12071         ESTABLISHED 29844/smtpd
tcp        0    107 my mail server ip:25             84.253.63.155:12026         ESTABLISHED 29559/smtpd
tcp        0     14  my mail server ip:25             84.253.63.155:12041         ESTABLISHED 29794/smtpd
tcp        0    171  my mail server ip:25             84.253.63.155:12050         ESTABLISHED 29803/smtpd
tcp        0     14  my mail server ip:25             84.253.63.155:12044         ESTABLISHED 29797/smtpd
tcp        0    593  my mail server ip:25             49.93.227.149:47845         ESTABLISHED 29850/smtpd
tcp        0     34  my mail server ip:25             84.253.63.155:12067         ESTABLISHED 29827/smtpd
tcp        0     34 my mail server ip:25             84.253.63.155:12075         ESTABLISHED 29848/smtpd
tcp        0     34  my mail server ip:25             84.253.63.155:12068         ESTABLISHED 29835/smtpd
tcp        0   1486  my mail server ip:25             110.176.89.48:33315         ESTABLISHED 29871/smtpd
tcp        0    171  my mail server ip:25             84.253.63.155:12060         ESTABLISHED 29811/smtpd
tcp        0     14  my mail server ip:25             84.253.63.155:12043         ESTABLISHED 29796/smtpd
tcp        0     34  my mail server ip:25             84.253.63.155:12074         ESTABLISHED 29847/smtpd
tcp        0     14  my mail server ip:25             84.253.63.155:12031         ESTABLISHED 29783/smtpd
tcp        0    171  my mail server ip:25             84.253.63.155:12053         ESTABLISHED 29806/smtpd
tcp        0    107  my mail server ip:25             84.253.63.155:12032         ESTABLISHED 29785/smtpd
tcp        0     34  my mail server ip:25             84.253.63.155:12073         ESTABLISHED 29846/smtpd
tcp        0     14 my mail server ip:25             84.253.63.155:12046         ESTABLISHED 29799/smtpd
tcp        0    107  my mail server ip:25             84.253.63.155:12040         ESTABLISHED 29793/smtpd
tcp        0     34  my mail server ip:25             84.253.63.155:12063         ESTABLISHED 29813/smtpd
tcp        0     14  my mail server ip:25             84.253.63.155:12045         ESTABLISHED 29798/smtpd
tcp        0     34 my mail server ip:25             84.253.63.155:12065         ESTABLISHED 29815/smtpd
tcp        0     34 my mail server ip:25             84.253.63.155:12069         ESTABLISHED 29839/smtpd
tcp        0     34  my mail server ip:25             84.253.63.155:12072         ESTABLISHED 29845/smtpd
tcp        0     14  my mail server ip:25             84.253.63.155:12048         ESTABLISHED 29801/smtpd
tcp        0     34 my mail server ip:25             84.253.63.155:12066         ESTABLISHED 29819/smtpd
tcp        0     34  my mail server ip:25             84.253.63.155:12076         ESTABLISHED 29849/smtpd
tcp        0    107  my mail server ip:25             84.253.63.155:12038         ESTABLISHED 29791/smtpd
tcp        0    171 my mail server ip:25             84.253.63.155:12057         ESTABLISHED 29810/smtpd
tcp        0    107  my mail server ip:25             84.253.63.155:12037         ESTABLISHED 29790/smtpd
tcp        0     14 my mail server ip:25             84.253.63.155:12042         ESTABLISHED 29795/smtpd
tcp        0    171 my mail server ip:25             84.253.63.155:12052         ESTABLISHED 29805/smtpd
tcp        0    171 my mail server ip:25             84.253.63.155:12054         ESTABLISHED 29807/smtpd
tcp        0    171  my mail server ip:25             84.253.63.155:12051         ESTABLISHED 29804/smtpd

Best regards

4

Re: Can not IP address to blacklist

Dear ZhangHuangbin,

This is the output of netstat -ntlp | grep -i 1003

tcp        0      0 127.0.0.1:10031             0.0.0.0:*                   LISTEN      30642/perl

Does this mean cbpolicyd is running?

Regards,
Minh.

5

Re: Can not IP address to blacklist

minhhoang wrote:

Does this mean cbpolicyd is running?

Yes, Cluebringer is listening on port 10031.

The log you pasted means Cluebringer rejected the client due to your throttling setting.
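
A way to read such a log mechanically, as in the reply above (an added example, not part of the original posts): group the cbpolicyd verdicts per client host so it is clear which policy module produced the rejection. The sample lines are constructed on the format pasted in this thread, with documentation addresses; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the cbpolicyd/postfix format pasted above
# (documentation addresses, not the hosts from the thread).
SAMPLE_LOG = """\
Oct 31 14:03:27 mx1 postfix/smtpd[100]: connect from unknown[192.0.2.10]
Oct 31 14:03:28 mx1 cbpolicyd[200]: module=Greylisting, action=pass, host=192.0.2.10, helo=mail.example.net, from=, to=user@example.com, reason=authenticated
Oct 31 14:03:28 mx1 cbpolicyd[200]: module=Quotas, action=reject, host=192.0.2.10, helo=mail.example.net, from=, to=user@example.com, reason=quota_match, policy=3, quota=2, limit=2, track=Recipient:user@example.com, counter=MessageCount, quota=31.30/30 (104.3%)
Oct 31 14:03:28 mx1 postfix/smtpd[100]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.com>: Recipient address rejected: Quota exceeded (30 messages in 3600 seconds); from=<> to=<user@example.com> proto=ESMTP helo=<mail.example.net>
Oct 31 14:03:29 mx1 cbpolicyd[201]: module=Quotas, action=reject, host=192.0.2.10, helo=mail.example.net, from=, to=user@example.com, reason=quota_match, policy=3, quota=2, limit=2, track=Recipient:user@example.com, counter=MessageCount, quota=32.30/30 (107.7%)
"""

CBPOLICYD = re.compile(r"cbpolicyd\[\d+\]: (?P<fields>module=.*)$")
FIELD = re.compile(r"(\w+)=([^,]*)")


def parse_cbpolicyd(line):
    """Return the key=value fields of one cbpolicyd line, or None for other lines."""
    m = CBPOLICYD.search(line)
    if not m:
        return None
    rec = {}
    for key, value in FIELD.findall(m.group("fields")):
        # 'quota=' appears twice in Quotas lines; keep the first occurrence.
        rec.setdefault(key, value.strip())
    return rec


def verdicts_by_host(log_text):
    """Map client host -> Counter of (module, action, reason) verdicts."""
    out = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_cbpolicyd(line)
        if rec and "host" in rec:
            key = (rec.get("module"), rec.get("action"), rec.get("reason"))
            out[rec["host"]][key] += 1
    return out


def rejecting_modules(log_text, host):
    """Modules that issued action=reject for this host (empty set if none)."""
    return {mod for (mod, action, _reason) in verdicts_by_host(log_text)[host]
            if action == "reject"}


if __name__ == "__main__":
    for host, verdicts in verdicts_by_host(SAMPLE_LOG).items():
        print(host, dict(verdicts), "rejected by:", rejecting_modules(SAMPLE_LOG, host))
```

If the only rejecting module for a host is Quotas, the client is being throttled, not matched by a blacklist entry.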

6

Re: Can not IP address to blacklist

Yes, I enabled throttling. I also want to add this IP to the blacklist. Do you have any idea how we can check and fix this issue in iRedAdmin-Pro?

7

Re: Can not IP address to blacklist

minhhoang wrote:

I added an IP address to the blacklist, and the message was: Records were successfully added.
However, when reviewing the Blacklists I cannot find any record in either the All blacklists or the IP Address panel.

If you add an IP as a blacklist entry with iRedAdmin-Pro, this IP should be rejected by Cluebringer. Not sure why it doesn't work in your case.
Is it possible to let me log in to your server to debug iRedAdmin-Pro and Cluebringer, so that I can make sure both of them are working as expected?

8

Re: Can not IP address to blacklist

Thanks, ZhangHuangbin,

Last night I decided to restart the whole server. After that, I can add an IP to the blacklist and it's OK now. I think that I had a problem with MySQL. However, it seems that I have another problem: mail sending and receiving is very slow from both POP3 accounts and Roundcube webmail. I often receive messages like: session timeout, internal server error/incorrect configuration, service not available (error code 500),... Maybe I should open a new thread to have you help on this?

For the IP blacklist, I can now mark this thread SOLVED.

Many thanks and best regards,
Minh

9

Re: Can not IP address to blacklist

minhhoang wrote:

Maybe I should open a new thread to have you help on this?

Yes, please.

And don't forget to paste related error message, log in your post, so that others can help troubleshoot.

10 (edited by minhhoang 2014-11-05 12:43:21)

Re: Can not IP address to blacklist

Dear ZhangHuangbin,

Sorry for requesting to reopen this thread. Here is my situation:
In Add whitelist and blacklist, I add, for example, 3 IPs to the Blacklist:
112.109.90.17
84.253.63.155
84.83.63.155
I got "records successfully updated".
However, when coming to the All blacklist panel, I only see:
112.109.90.17
84.83.63.155
So 84.253.63.155 is missing.
Could you please help me find out why? Two days ago I added 84.253.63.155 and saw it in the All blacklist panel (after that I deleted this IP to check whether fail2ban can ban it automatically).

If you still want to access my server to check, please let me know the way you want to use to access my server.

Is it possible to let me log in to your server to debug iRedAdmin-Pro and Cluebringer, so that I can make sure both of them are working as expected?

Thanks and best regards,
Minh

11

Re: Can not IP address to blacklist

minhhoang wrote:

So 84.253.63.155 is missing.

If it worked last time you added this IP, then it should work as expected. Could you please try again? Make sure there is no space between the digits and dots.

12

Re: Can not IP address to blacklist

Dear Zhang,

I tried many times. It's very weird. I can add 84.249.63.155 successfully, but when adding 84.250.63.155, 84.251.63.155, 84.252.63.155, 84.253.63.155, 84.254.63.155, the system message is successful but those IPs do not show up in the IP blacklist panel.

Minh.

13

Re: Can not IP address to blacklist

I can reproduce this issue with the latest development version of iRedAdmin-Pro. Will try to fix it and come back to you later. Thanks for your feedback and patience.

14

Re: Can not IP address to blacklist

Please try below patch, works for me.

diff -r fc20471f5735 libs/iredutils.py
--- a/libs/iredutils.py    Wed Nov 05 16:19:20 2014 +0800
+++ b/libs/iredutils.py    Thu Nov 06 11:27:37 2014 +0800
@@ -48,19 +48,13 @@
         return False
 
 
+# Valid IP address
 def is_strict_ip(s):
-    # Regular express to extract valid IP address fields
-    regex = r'\b25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\.25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\.25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\.25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\b'
-    fields = re.findall(regex, s)
+    regex = r'(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})'
+    if re.compile(regex + '$', re.IGNORECASE).match(s):
+        return True
 
-    if not len(fields) == 4 or not '.'.join(fields) == s:
-        return False
-
-    for fld in fields:
-        if not fld.isdigit() or not (0 <= int(fld) <= 255):
-            return False
-
-    return True
+    return False
 
 
 # Custom Jinja2 filters.
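
Review bot: The replacement regex in `is_strict_ip()` no longer range-checks the octets: `[\d]{1,3}` accepts 256-999, so a value such as `999.999.999.999` now returns True, and the removed `0 <= int(fld) <= 255` loop has nothing in its place. Two smaller points in the same lines: `match()` with a trailing `$` still accepts a string ending in a newline (use `\Z` or `re.fullmatch`), and `re.IGNORECASE` has no effect on a pattern of digits and dots. Keeping the simpler pattern is fine, but split the matched string on `.` and retain the per-octet 0-255 check so the function stays strict as its name says.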

15

Re: Can not IP address to blacklist

Thanks a lot, Zhang,

Please let me know how to apply this patch. This is the first time I have worked with a patch. Can I do the following?
1. Create the file iredutils.patch with the content you provided, and save it in /var/www/iRedAdmin-Pro-MySQL-1.8.2/libs
2. Back up the file iredutils.py
3. Run the command: patch < iredutils.patch

Regards,
Minh

16

Re: Can not IP address to blacklist

Try below steps:

1: Create file 'xxx.patch' with provided content, save it in any directory. e.g. /root/xxx.patch.
2: Backup file /var/www/iRedAdmin-Pro-MySQL-1.8.2/libs/iredutils.py.
3: Open terminal, and verify this patch with command 'patch --dry-run':

# cd /var/www/iRedAdmin-Pro-MySQL-1.8.2/
# patch --dry-run -p1 < /root/xxx.patch
patching file libs/iredutils.py

4: If you see output like above and no error/warning message, it's safe to patch it immediately (without '--dry-run'):

# patch -p1 < /root/xxx.patch

5: Restart Apache service to load patched code.

17

Re: Can not IP address to blacklist

ZhangHuangbin wrote:

Try below steps:
# patch --dry-run -p1 < /root/xxx.patch
patching file libs/iredutils.py
4: if you see output like above and no error/warning message, it's safe to patch it immediately (without '--dry-run'):

Dear Zhang,

My output when running --dry-run is:

[root@mx1 iRedAdmin-Pro-MySQL-1.8.2]# patch --dry-run -p1 < /root/iredutils.patch
patching file libs/iredutils.py
Hunk #1 succeeded at 48 with fuzz 1.

Is it OK? I googled to find the meaning of "Hunk #1 succeeded at 48 with fuzz 1" but could not find what "at 48 with fuzz 1" means.

18

Re: Can not IP address to blacklist

Dear Zhang,

I confirm that after patching, I can now add IPs to the blacklist successfully. Thanks for your support. I can mark this thread as SOLVED again.

All the best to you.
Minh.
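
Why 84.249.63.155 was accepted while 84.250.63.155 through 84.254.63.155 were silently dropped, shown as an added example (not iRedAdmin-Pro code; written for Python 3, and `strict_ipv4` is a hypothetical stricter check): in the pre-patch pattern the octet alternatives are not grouped, so `|` splits the expression into unrelated top-level alternatives and one of them swallows two octets at once.

```python
import re

# Pre-patch pattern copied from the diff in this thread. Because the
# alternatives are ungrouped, one top-level alternative is
# '[01]?[0-9][0-9]?\.25[0-5]', which matches "84.253" as a single field.
OLD_REGEX = (r'\b25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\.25[0-5]|2[0-4][0-9]|'
             r'[01]?[0-9][0-9]?\.25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\.25[0-5]|'
             r'2[0-4][0-9]|[01]?[0-9][0-9]?\b')


def old_fields(s):
    """Fields the pre-patch code extracted from the input."""
    return re.findall(OLD_REGEX, s)


def old_is_strict_ip(s):
    """Pre-patch behaviour: four fields, rejoined equal to input, each 0-255."""
    fields = old_fields(s)
    if len(fields) != 4 or '.'.join(fields) != s:
        return False
    return all(f.isdigit() and 0 <= int(f) <= 255 for f in fields)


def patched_is_strict_ip(s):
    """Post-patch behaviour from the diff: shape check only, no range check."""
    regex = r'(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})'
    return bool(re.compile(regex + '$', re.IGNORECASE).match(s))


def strict_ipv4(s):
    """Hypothetical stricter check: exactly four ASCII decimal octets, each 0-255."""
    if not re.fullmatch(r'\d{1,3}(?:\.\d{1,3}){3}', s, re.ASCII):
        return False
    return all(int(octet) <= 255 for octet in s.split('.'))


if __name__ == "__main__":
    for ip in ("84.249.63.155", "84.253.63.155", "999.999.999.999"):
        print(ip, old_fields(ip), old_is_strict_ip(ip),
              patched_is_strict_ip(ip), strict_ipv4(ip))
```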