dadatuputi/bitwarden_gcloud

Fail2ban email via SMTP fails

altafkassam opened this issue · 7 comments

I configured fail2ban to allow the sending of email as described in the Wiki, however, errors are displayed in the fail2ban.log. SMTP is set up correctly in .env as I get emails from my Bitwarden instance. Here's the error (gmail email removed):

2023-10-24 11:29:17,129 fail2ban.utils [1]: ERROR 79d8f4523290 -- exec: printf %b "Subject: [Fail2Ban] bitwarden-admin: started on vaultwarden.us-west1-c.c.main-depot-401221.internal
Date: LC_ALL=C date +"%a, %d %h %Y %T %z"
From: Fail2Ban -------@gmail.com
To: -----@gmail.com\n
Hi,\n
The jail bitwarden-admin has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f "-----@gmail.com" "------@gmail.com"
2023-10-24 11:29:17,129 fail2ban.utils [1]: ERROR 79d8f4523290 -- stderr: 'sendmail: Cannot open smtp.gmail.com:465'
2023-10-24 11:29:17,130 fail2ban.utils [1]: ERROR 79d8f4523290 -- returned 1
2023-10-24 11:29:17,130 fail2ban.actions [1]: ERROR Failed to start jail 'bitwarden-admin' action 'sendmail-whois-lines': Error starting action Jail('bitwarden-admin')/sendmail-whois-lines: 'Script error'
2023-10-24 11:29:27,160 fail2ban.utils [1]: ERROR 79d8f3dc84e0 -- exec: printf %b "Subject: [Fail2Ban] bitwarden: started on vaultwarden.us-west1-c.c.main-depot-401221.internal
Date: LC_ALL=C date +"%a, %d %h %Y %T %z"
From: Fail2Ban -----@gmail.com
To: -----@gmail.com\n
Hi,\n
The jail bitwarden has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f "-----@gmail.com" "-----@gmail.com"
2023-10-24 11:29:27,161 fail2ban.utils [1]: ERROR 79d8f3dc84e0 -- stderr: 'sendmail: Cannot open smtp.gmail.com:465'
2023-10-24 11:29:27,161 fail2ban.utils [1]: ERROR 79d8f3dc84e0 -- returned 1
2023-10-24 11:29:27,161 fail2ban.actions [1]: ERROR Failed to start jail 'bitwarden' action 'sendmail-whois-lines': Error starting action Jail('bitwarden')/sendmail-whois-lines: 'Script error'

I'm using the following SMTP configuration in .env (only displaying the most relevant parameters):
SMTP_PORT=465
SMTP_USERNAME=-----@gmail.com
SMTP_PASSWORD=--------------
SMTP_SECURITY=force_tls
# For fail2ban, YES or NO
SMTP_TLS=YES

The docker-compose.yml entry for fail2ban has hard-coded SSMTP_STARTTLS=YES in its environment; that might have to be NO in your case, but I'm not sure.

@altafkassam Can you try setting SMTP_TLS=NO? Do your other emails (with the same settings/server) work, such as backup?

I now see an issue, fixed in #79. Not really a fix for you @altafkassam, but it might make it easier to understand the SMTP settings.

Setting SMTP_TLS=NO did not resolve my issue. I get the same type of error after modifying .env and running docker-compose up:

2023-11-07 08:56:27,463 fail2ban.utils [1]: ERROR 7e43b016c4e0 -- stderr: 'sendmail: Cannot open smtp.gmail.com:465'
2023-11-07 08:56:27,463 fail2ban.utils [1]: ERROR 7e43b016c4e0 -- returned 1
2023-11-07 08:56:27,463 fail2ban.actions [1]: ERROR Failed to start jail 'bitwarden' action 'sendmail-whois-lines': Error starting action Jail('bitwarden')/sendmail-whois-lines: 'Script error'

I tried changing the SMTP port to 587 and leaving SMTP_TLS=YES and got fail2ban to send me emails. However, now Bitwarden throws the following error when it attempts to send email:

[2023-11-07 10:00:48.610][vaultwarden::mail][ERROR] SMTP error: Connection error: Connection error: error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
[2023-11-07 10:00:48.615][vaultwarden::api::identity][ERROR] Error sending new device email: SMTP error: Connection error: Connection error: error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:

My .env config is:

SMTP_HOST=smtp.gmail.com
SMTP_FROM=------@gmail.com
SMTP_FROM_NAME=BitWarden_Local
SMTP_PORT=587
SMTP_USERNAME=-----@gmail.com
SMTP_PASSWORD=**********
SMTP_SECURITY=force_tls
# For fail2ban, YES or NO
SMTP_TLS=YES

I solved the issue. If you set BitWarden SMTP settings using the guidance in https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration and select SMTP_PORT=465 and SMTP_SECURITY=force_tls, fail2ban will fail to send emails whether you set SMTP_TLS=YES or SMTP_TLS=NO.

My solution was to configure SMTP via Google/Gmail like this:
SMTP_HOST=smtp.gmail.com
SMTP_FROM=<mail-address>
SMTP_FROM_NAME=BitWarden_Local
SMTP_PORT=587
SMTP_USERNAME=<mail-address>
SMTP_PASSWORD=<less-secure-app-password>
SMTP_SECURITY=starttls
# For fail2ban, YES or NO
SMTP_TLS=YES
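A small configuration check, added here as an example and not part of the bitwarden_gcloud project or anyone's post in this thread: it parses the shared .env fragment and flags the two mismatches seen above (Vaultwarden with force_tls on port 587, and the fail2ban mailer on port 465). The port/mode rules and the sample .env values are constructed from what this thread reports, not taken from ssmtp or Vaultwarden documentation.

```python
# Added example, not part of the bitwarden_gcloud project. The rules encode this
# thread's observations: Vaultwarden's force_tls is "TLS from the first byte"
# (port 465) and starttls is "plaintext greeting, then STARTTLS" (port 587); the
# fail2ban mailer failed on 465 with SMTP_TLS=YES or NO and worked on 587 with YES.

IMPLICIT_TLS_PORTS = {465}   # SMTPS: TLS handshake before any SMTP greeting

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, ignoring blanks and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env

def check_smtp_env(env):
    """Return a list of findings; an empty list means both clients fit the port."""
    findings = []
    port = int(env.get("SMTP_PORT", "25"))
    security = env.get("SMTP_SECURITY", "starttls").lower()
    fail2ban_tls = env.get("SMTP_TLS", "NO").upper() == "YES"

    # Vaultwarden: force_tls on a STARTTLS port makes the TLS client parse the
    # plaintext "220 ..." banner as a TLS record -> OpenSSL "wrong version number".
    if security == "force_tls" and port not in IMPLICIT_TLS_PORTS:
        findings.append(f"vaultwarden: SMTP_SECURITY=force_tls needs port 465, not {port}")
    elif security == "starttls" and port in IMPLICIT_TLS_PORTS:
        findings.append(f"vaultwarden: SMTP_SECURITY=starttls cannot use implicit-TLS port {port}")

    # fail2ban mailer: started with SSMTP_STARTTLS=YES, so it needs a STARTTLS
    # port ("sendmail: Cannot open smtp.gmail.com:465" above) and TLS left on.
    if port in IMPLICIT_TLS_PORTS:
        findings.append(f"fail2ban: STARTTLS mailer cannot use implicit-TLS port {port}; use 587")
    elif not fail2ban_tls:
        findings.append("fail2ban: SMTP_TLS=NO disables TLS for fail2ban mail; use YES on port 587")
    return findings

# Constructed .env fragments mirroring the three states reported in this thread.
ENV_ORIGINAL = "SMTP_PORT=465\nSMTP_SECURITY=force_tls\nSMTP_TLS=YES\n"
ENV_PORT_ONLY = "SMTP_PORT=587\nSMTP_SECURITY=force_tls\nSMTP_TLS=YES\n"
ENV_WORKING = "SMTP_PORT=587\nSMTP_SECURITY=starttls\n# For fail2ban, YES or NO\nSMTP_TLS=YES\n"

if __name__ == "__main__":
    for name, text in (("original", ENV_ORIGINAL), ("port-only", ENV_PORT_ONLY), ("working", ENV_WORKING)):
        print(f"{name}: {check_smtp_env(parse_env(text)) or 'OK'}")
```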

As I understand it, force_tls can be more secure than starttls, maybe that's why they recommend it? But my SMTP provider didn't like force_tls. The SMTP_STARTTLS was pulled out of docker-compose.yml, where it never should have been, and put in .env.template. If you git pull and get a new docker-compose.yml from the repo, you might need to update your .env from the current .env.template.

Regardless, I'm glad to hear it's working.