Experiencing an ongoing issue connecting to our mail server from clients using the same ISP. Issue exists on two servers both running ClearOS 7, using separate IP, separate locations. The problem is intermittent, but ongoing. Client computers using the same ISP as the server (in this case Spectrum Business Class) will intermittently not be able to connect. The problem may last a few hours, a few days, or a few weeks and then clears up for a while, but eventually returns. If the client computer / phone / tablet switches ISPs (using a mobile hotspot or changing locations where a different ISP is in use) the problem is eliminated. I've contacted Spectrum on multiple occasions and have been told the issue is not on their end, but it seems that it must be if a user can switch connections and the problem goes away and then returns as soon as the connection is switched back to Spectrum.
Has anyone in this group experienced a similar issue? I did have one Spectrum technician tell me he had another customer with the same problem, but had never found a solution.
Responses (4)
Accepted Answer
Difficult one. You can check if packets are arriving with something like tcpdump:
tcpdump -nni your_wan_interface '(port (25 or 587) and host your_computer_wan_ip)'
For your_computer_wan_ip, google "what is my ip" and adjust the ports. IMAP is 143 and IMAPS is 993.
If packets are arriving, it is a ClearOS problem. If not, it is elsewhere.
If it is elsewhere, it could be ISP routing or perhaps DNS. When you get the failures, check that a DNS lookup gets the right IP. If it does not and you have a fixed IP, consider putting it in the computer's hosts file or switch the computer to use a different DNS server - neither are great solutions. Also, when you get the failures, does a traceroute (tracert in Windows) to you work? Compare it with a working trace.
Update: I was barking up the wrong tree. The issue isn't with our ISP; it appears there is a user whose email is set with the wrong password, which in turn causes fail2ban to blacklist our IP address. When the ban expires, email works for a period of time until there are too many failed attempts, which explains the intermittent nature of the problem. Now I just need to figure out which log will tell me the username causing the ban. I tried whitelisting the IP under the Intrusion Prevention link in the WebUI, but that apparently doesn't apply to fail2ban.
I'm sure the logs will tell me what I need to know now that I've identified the issue, I just need to set aside the time to research a little more.
Accepted Answer
Some ideas. Are these users on your LAN but accessing e-mails via an FQDN which resolves to your WAN? If so you could (should?) add an entry to your DNS server that resolves the FQDN to your ClearOS LAN IP. You can then whitelist your LAN in the Attack Detector webconfig.
If you look at the Attack Detector docs, you could whitelist your WAN. This should be fairly safe. The whitelisting is manual and completely different from the IDS/IPS whitelist.
Hunting down a user may be harder. In the mail log you can see "authentication failure" messages, certainly for STARTTLS and probably for SMTP (which I don't use). You then triangulate them against the failure messages in /var/log/secure to get the username. Just check the ones with your IP.
It may be similar for imap but I purge imap messages every week so I can't look.
Perhaps a starting point is the fail2ban log. Look for Ban messages for the date and time. You could even look for Found messages. This should be within a couple of seconds of the corresponding event in the mail log, then triangulate to /var/log/secure.
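The triangulation suggested above (fail2ban "Found"/"Ban" lines matched against the pam_unix authentication failures in /var/log/secure by IP and a two-second window), as an added example that is not from this thread or from ClearOS. The log lines are constructed, and the regexes assume the stock fail2ban.log and pam_unix line formats.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread); the IPs are RFC 5737 documentation addresses.
FAIL2BAN_LOG = """\
2023-03-01 10:15:31,402 fail2ban.filter  [1234]: INFO  [postfix-sasl] Found 203.0.113.10
2023-03-01 10:15:33,118 fail2ban.filter  [1234]: INFO  [postfix-sasl] Found 203.0.113.10
2023-03-01 10:15:35,950 fail2ban.filter  [1234]: INFO  [postfix-sasl] Found 203.0.113.10
2023-03-01 10:15:36,001 fail2ban.actions [1234]: NOTICE [postfix-sasl] Ban 203.0.113.10
"""
SECURE_LOG = """\
Mar  1 10:15:31 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.10
Mar  1 10:15:33 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.10
Mar  1 10:15:34 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=198.51.100.7
Mar  1 10:15:35 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=203.0.113.10
"""
F2B_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+\s+\[\d+\]: \w+\s+\[(\S+)\] (Found|Ban) (\S+)")
SECURE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*authentication failure;.*ruser=(\S*) rhost=(\S+)")

def parse_fail2ban(text):
    """(timestamp, jail, 'Found'|'Ban', ip) for each matching fail2ban.log line."""
    out = []
    for m in filter(None, map(F2B_RE.match, text.splitlines())):
        out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4)))
    return out

def parse_secure(text, year):
    """(timestamp, user, rhost) for each pam_unix failure; syslog lines carry no year, so one is supplied."""
    out = []
    for m in filter(None, map(SECURE_RE.match, text.splitlines())):
        stamp = " ".join(m.group(1).split())  # collapse the padded day field ("Mar  1")
        out.append((datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m.group(2), m.group(3)))
    return out

def usernames_behind_ban(f2b_text, secure_text, window_seconds=2):
    """For each banned IP, count usernames whose secure-log failures sit within +/- window of a 'Found' line."""
    events = parse_fail2ban(f2b_text)
    banned = {ip for _, _, kind, ip in events if kind == "Ban"}
    failures = parse_secure(secure_text, events[0][0].year)  # assumes both logs are from the same year
    window = timedelta(seconds=window_seconds)
    matched = set()  # indices into failures, so a failure near two 'Found' lines is counted once
    for ts, _, kind, ip in events:
        if kind == "Found" and ip in banned:
            matched.update(i for i, (fts, _, rhost) in enumerate(failures) if rhost == ip and abs(fts - ts) <= window)
    result = {}
    for i in matched:
        _, user, rhost = failures[i]
        per_ip = result.setdefault(rhost, {})
        per_ip[user] = per_ip.get(user, 0) + 1
    return result  # e.g. {'203.0.113.10': {'bob': 3}}
```

Feed it the real files (open("/var/log/fail2ban.log").read() and /var/log/secure) and the account whose count dominates under your own WAN IP is the one with the stale password; alice from an unbanned host is left out on purpose.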