
Resolved
0 votes
Experiencing an ongoing issue connecting to our mail server from clients using the same ISP. Issue exists on two servers both running ClearOS 7, using separate IP, separate locations. The problem is intermittent, but ongoing. Client computers using the same ISP as the server (in this case Spectrum Business Class) will intermittently not be able to connect. The problem may last a few hours, a few days, or a few weeks and then clears up, for a while, but eventually returns. If the client computer / phone / tablet switches ISPs (using a mobile hotspot or changing locations where a different ISP is in use) the problem is eliminated. I've contacted Spectrum on multiple occasions and have been told the issue is not on their end, but it seems that it must be if a user can switch connections and the problem goes away and then returns as soon as the connection is switched back to Spectrum.

Has anyone in this group experienced a similar issue? I did have one Spectrum technician tell me he had another customer with the same problem, but had never found a solution.
Wednesday, September 22 2021, 06:09 PM
Responses (4)
  • Accepted Answer

    Friday, October 29 2021, 06:50 PM - #Permalink
    Resolved
    0 votes
    Some ideas. Are these users on your LAN but accessing e-mails via an FQDN which resolves to your WAN? If so you could (should?) add an entry to your DNS server that resolves the FQDN to your ClearOS LAN IP. You can then whitelist your LAN in the Attack Detector webconfig.

    If you look at the Attack Detector docs, you could whitelist your WAN. This should be fairly safe. The whitelisting is manual and completely different from the IDS/IPS whitelist.

    Hunting down a user may be harder. In the mail log you can see "authentication failure" messages, certainly for STARTTLS and probably for SMTP (which I don't use). You then triangulate them against the failure messages in /var/log/secure to get the username. Just check the ones with your IP.

    It may be similar for imap but I purge imap messages every week so I can't look.

    Perhaps a starting point is the fail2ban log. Look for Ban messages for the date and time. You could even look for Found messages. This should be within a couple of seconds of the corresponding event in the mail log, then triangulate to /var/log/secure.
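    The triangulation described above (fail2ban "Ban" line, then the "authentication failure" lines for the same IP in /var/log/secure just before it) can be automated. This is an added example, not code from the thread or from ClearOS; the log lines are constructed samples in the usual fail2ban and pam_unix formats, the jail name "postfix-sasl" is an assumed placeholder, and the syslog year is taken from the ban timestamp because /var/log/secure omits it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real logs), in fail2ban.log and /var/log/secure format.
FAIL2BAN_LOG = """\
2021-10-29 14:03:10,512 fail2ban.filter  [1234]: INFO    [postfix-sasl] Found 203.0.113.45 - 2021-10-29 14:03:10
2021-10-29 14:03:12,004 fail2ban.actions [1234]: NOTICE  [postfix-sasl] Ban 203.0.113.45
"""
SECURE_LOG = """\
Oct 29 14:02:58 mail saslauthd[2211]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7 user=alice
Oct 29 14:03:10 mail saslauthd[2211]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.45 user=bob
Oct 29 14:03:11 mail saslauthd[2211]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.45 user=bob
Oct 29 14:40:00 mail saslauthd[2211]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.45 user=carol
"""

# "Ban" lines only; "Found" lines are skipped because the ban is the event that locks people out.
BAN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
# pam_unix failure lines carry the remote host and the username that was tried.
SECURE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*authentication failure;.*rhost=(?P<ip>\S+) user=(?P<user>\S+)")

def parse_bans(text):
    """Return (timestamp, jail, ip) for every fail2ban Ban line."""
    bans = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            bans.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m["jail"], m["ip"]))
    return bans

def parse_auth_failures(text, year):
    """Return (timestamp, ip, user) for every pam_unix authentication failure; year is assumed."""
    fails = []
    for line in text.splitlines():
        m = SECURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            fails.append((ts, m["ip"], m["user"]))
    return fails

def users_behind_bans(fail2ban_text, secure_text, window=timedelta(minutes=10)):
    """Map each ban to {username: failure count} for that IP within `window` before the ban."""
    result = {}
    for ban_ts, jail, ip in parse_bans(fail2ban_text):
        counts = {}
        for ts, fip, user in parse_auth_failures(secure_text, ban_ts.year):
            if fip == ip and ban_ts - window <= ts <= ban_ts:
                counts[user] = counts.get(user, 0) + 1
        result[(jail, ip, ban_ts.isoformat(" "))] = counts
    return result

if __name__ == "__main__":
    for (jail, ip, when), users in users_behind_bans(FAIL2BAN_LOG, SECURE_LOG).items():
        print(f"{when} [{jail}] banned {ip}: failed logins by {users}")
```

    On a real server, read the two files instead of the embedded strings; the account with the highest count for your own WAN IP is the one with the stale password.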
  • Accepted Answer

    Friday, October 29 2021, 06:21 PM - #Permalink
    Resolved
    0 votes
    Update: I was barking up the wrong tree. The issue isn't with our ISP, it appears there is a user whose email is set with the wrong password which in turn causes fail2ban to blacklist our IP address. When the ban expires, email works for a period of time until there are too many failed attempts which explains the intermittent nature of the problem. Now I just need to figure out which log will tell me the username causing the ban. I tried whitelisting the IP under the Intrusion Prevention link in the WebUI, but that apparently doesn't apply to fail2ban.

    I'm sure the logs will tell me what I need to know now that I've identified the issue, I just need to set aside the time to research a little more.
  • Accepted Answer

    Thursday, September 23 2021, 10:42 PM - #Permalink
    Resolved
    0 votes
    Thanks, Nick. I will try your suggestions to see if I can locate the source of the issue. I'm predisposed to think it's with our ISP as there are never any issues when the devices are using different ISPs. As soon as I have time to run the tcpdump, I will report back. Good tips.
  • Accepted Answer

    Thursday, September 23 2021, 08:48 AM - #Permalink
    Resolved
    0 votes
    Difficult one. You can check if packets are arriving with something like tcpdump:
    tcpdump -nni your_wan_interface '(port (25 or 587) and host your_computers_wan_ip)'
    For your_computers_wan_ip, google "what is my ip" and adjust the ports. IMAP is 143 and IMAPS is 993. (Keep the placeholder free of apostrophes, or the single-quoted filter expression will break.)

    If packets are arriving, it is a ClearOS problem. If not, it is elsewhere.

    If it is elsewhere, it could be ISP routing or perhaps DNS. When you get the failures, check a DNS lookup gets the right IP. If it does not and you have a fixed IP, consider putting it in the computer's host file or switch the computer to use different DNS server - neither are great solutions. Also when you get the failures, does a traceroute (tracert in Windows) to you work? Compare it with a working trace.
    Like
    1