UFW Blocking Mailserver Traffic – How to Allow Dovecot, Postfix, MariaDB, Rspamd

As described in the title, I am running a dovecot/postfix/Rspamd Mailservercombo with a MariaDB behind it.

I noticed how, in the last days, I couldn't receive/send any mail from my e-mail clients anymore. Thunderbird noticed too: It is not possible to connect with the SMTP Server anymore.

The only things I changed around this time are:

• I added a phpmyadmin access with additional linux user query from the apache2 Server and
• (on recommendation of a "friend") installed fail2ban as an additional protection against bruteforce requests against the webservices. I left it on the default settings, only changed the bantime to 1 hr.

Since then I removed and purged fail2ban, sure it was the problem. It wasn't. (?)

After reading the following output from syslog I traced it back to UFW:

syslog output (masked)

UFW itself has following configuration:

# cat /etc/ufw/user.rules
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow tcp 2222 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 2222 -j ACCEPT

### tuple ### allow tcp 25 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 25 -j ACCEPT

### tuple ### allow tcp 465 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 465 -j ACCEPT

### tuple ### allow tcp 587 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 587 -j ACCEPT

### tuple ### allow tcp 143 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 143 -j ACCEPT

### tuple ### allow tcp 993 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 993 -j ACCEPT

### tuple ### allow tcp 4190 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 4190 -j ACCEPT

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT

### END RULES ###

### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT

As you can see on the last few entries, it seems to maybe be triggered by ufw-after-logging-input, ufw-after-logging-forward or ufw-logging-deny. However, this is where my 'knowledge' ends right now. The only thing I additionaly noticed was that the following line was marked red in the user.rules, but that could just be nothing…

User.rules in the CLI

I re-installed fail2ban to do this:

# fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     158
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   112.xxx.xxx.xxx

# fail2ban-client set sshd unbanip 112.xxx.xxx.xxx
112.xxx.xxx.xxx

# fail2ban-client status sshd
[...]
   `- Banned IP list:

/var/log/auth.log lists many of this kind of entries, all from the SAME IP:

Jun 25 19:56:51 mail sshd[26691]: Connection closed by 112.xxx.xxx.xxx port 60391 [preauth]
Jun 25 19:56:52 mail sshd[26693]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.xxx.xxx.xxx  user=root
Jun 25 19:56:54 mail sshd[26693]: Failed password for root from 112.xxx.xxx.xxx port 64328 ssh2
Jun 25 19:56:54 mail sshd[26693]: Connection closed by authenticating user root 112.xxx.xxx.xxx port 64328 [preauth]
Jun 25 19:57:03 mail sshd[26697]: Connection closed by 112.xxx.xxx.xxx port 50264 [preauth]

This can't be me as I am never logging in with root.

I searched through plenty of sites but couldn't find any useful lead on how to solve this. It really seems to have come from one of the recent changes I made, although I can't think of anything more than maybe a not deleted rule that may be still around after purging and removing fail2ban.

Some things I also tried in the process of fixing it:
– restarting and stop/starting UFW
– restarting apache2
– restarting dovecot
– looking on Rspamd for event entries on sent test-mails (none were received since the time around the changes I made!)
– using another mailclient
– adding an acceptance rule for Port 25 to UFW (did not change anything)

P.S.: This server is running Ubuntu.

Is there any way to get my setup back to a working state?