Permanent block ratelimited user with Rspamd and fail2ban

This one was a little tricky. I had a few mail servers with a lot of accounts. I set up an rspamd instance in proxy mode. Then I called rspamd on every mail server with the Postfix milter. Rspamd works beautifully, and ratelimiting is very useful too. But in the case of an abusive mail sender, I wanted to permanently block the IP from which the spam originated. You can't permanently block IPs with rspamd because the ratelimit module can't add an IP address to a file.

So Fail2ban came to mind. I set up fail2ban on my rspamd installation and created a filter which watches the rspamd log and waits for cases when the ratelimit is triggered. When fail2ban counts 10 cases of triggered ratelimit, the filter puts the IP of the ratelimited sender into a special blacklist file (which is included in the rspamd multimap definition) as a permanent block. The spammer's IP is blocked permanently this way.

I had a few cases when some user's password was stolen and spam was being sent. Fail2ban and rspamd successfully banned those IPs. I also created an action which will notify the administrator when fail2ban blocks an IP.

Rspamd ratelimit config:

# limit outgoing authenticated users
user = {
  bucket = [
    {
      burst = 10; # capacity of 10 messages in bucket
      rate = "1 / 1min"; # leak 1 message per minute
    },
    {
      burst = 100; # capacity of 100 messages in bucket
      rate = "30 / 60min"; # leak 30 messages per hour
    }
  ]
}

Rspamd multimap definition for blocking blacklisted IPs:

# block users who exceeded ratelimits 5 times
type = "ip";
prefilter = "true";
map = "${LOCAL_CONFDIR}/local.d/maps/";
action = "reject";

Fail2ban jail configuration:

enabled = true
action = rspamd-banip
backend = auto
filter = rspamd-ratelimit
logpath = /var/log/rspamd/rspamd.log
maxretry = 10
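# bantime is in seconds; when it expires fail2ban runs actionunban, which removes the IP from the map again (a negative value makes the ban permanent)
bantime = 3600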

Fail2ban filter for rspamd – rspamd-ratelimit.conf:

# Fail2Ban filter for rspamd ratelimit
[INCLUDES]
before = common.conf

[Definition]
_daemon = rspamd_proxy
failregex = ^.*rspamd_proxy.*ip: <HOST>.*?Ratelimit ".*?" exceeded

# Author: Igor Mazej

Fail2ban action for rspamd – rspamd-banip.conf:

# Author: Igor Mazej
[Definition]
actionstart = touch /etc/rspamd/local.d/maps/
actionban = printf %%b "<ip>\n" >> /etc/rspamd/local.d/maps/
actionunban = sed -i.backup "/<ip>/d" /etc/rspamd/local.d/maps/
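
An unban that deletes lines with a sed regular expression built from the address matches substrings and treats dots as wildcards, so removing 10.0.0.1 would also remove 10.0.0.11. The helper below is an added example, not part of the original post: it appends without duplicates and removes exact matches only. The MAP path, the function names and the command-line wiring are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). MAP and the function names are
# assumptions; point MAP at the file your rspamd multimap rule reads.
MAP="${MAP:-/tmp/rspamd-banned-ips.map}"   # placeholder path

# Accept only characters that can occur in an IPv4/IPv6 address.
valid_ip() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append the address unless an identical line is already present.
ban_ip() {
    valid_ip "$1" || return 2
    touch "$MAP"
    grep -qxF -- "$1" "$MAP" || printf '%s\n' "$1" >> "$MAP"
}

# Delete only lines equal to the address (-F fixed string, -x whole line).
unban_ip() {
    valid_ip "$1" || return 2
    [ -f "$MAP" ] || return 0
    tmp=$(mktemp "${MAP}.XXXXXX") || return 1
    # grep exits 1 when no line is left to print; that is not an error here.
    grep -vxF -- "$1" "$MAP" > "$tmp" || [ "$?" -eq 1 ] || { rm -f "$tmp"; return 1; }
    # Write back in place so the map keeps its owner and mode.
    cat "$tmp" > "$MAP"
    rm -f "$tmp"
}

# Hypothetical wiring from a fail2ban action: <this-script> ban|unban <ip>
case "${1:-}" in
    ban)   ban_ip "${2:-}" ;;
    unban) unban_ip "${2:-}" ;;
esac
```
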

Mass email migration with imapsync

You may want to migrate a larger number of email accounts to another server. Even if the mail servers are of different types, imapsync is one of the best solutions for migration. With the script below, you'll be able to migrate multiple accounts without running imapsync again and again.

Here is the script. Just create a file, e.g., and paste the code below into it.


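#!/bin/bash

# Source and destination mail server setting
SERVER1="<source-server>"        # placeholder: old server hostname
SERVER2="<destination-server>"   # placeholder: new server hostname

# Select appropriate auth mechanism.
#AUTHMECH1="--authmech1 LOGIN"
#AUTHMECH2="--authmech2 LOGIN"

# Uncomment if you want to start test/dryrun only. No emails will be transferred!
#TESTONLY="--dry"

# Path to imapsync
imapsync="<path-to-imapsync>"    # placeholder

# Users file
if [ -z "$1" ]
then
echo "No users text file given."
exit 1
fi

if [ ! -f "$1" ]
then
echo "Given users text file \"$1\" does not exist"
exit 1
fi

# start loop
# Note: --password1/--password2 put the passwords on the command line, where other local users can see them in the process list; imapsync also accepts --passfile1/--passfile2.
{ while IFS=';' read -r u1 p1 u2 p2; do
	"$imapsync" ${TESTONLY} ${AUTHMECH1} --host1 "${SERVER1}" --user1 "$u1" --password1 "$p1" ${AUTHMECH2} --host2 "${SERVER2}" --user2 "$u2" --password2 "$p2"
done ; } < "$1"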

Don’t forget to chmod your script so that it is executable.

chmod +x

Now you’ll have to create a simple text file that contains the login information for each email account that you want to transfer. Create a text file, for example mail-users.txt, and add the login information as shown below, one account per line. The fields must be separated with ; and are read in the order username1;password1;username2;password2. username1 is the username on the old server, username2 is the username on the new server.

;password1;username2;password2
;password1;;password2

Finally, let’s transfer the emails. Simply run your script as shown below, passing the text file with login information that you created. Imapsync will try to transfer all accounts that are in mail-users.txt.

root@myserver [~]# ./ mail-users.txt

© 2020