#99 Limit Failed AUTH attempts?


I searched and didn't see an existing Feature Request for this, but may have missed something...

Is it feasible/possible to add a function in postfixadmin that would temporarily lock out a user account after a configured number of AUTH attempt failures within a specified time period?

For example, consider a hack attempt on a specific user's account - I'd like to be able to lock out a user's account for, say, 5 minutes, after 3 failed AUTH attempts. So, after 3 failed attempts (bad password), any attempt to log in to that user's account gets a TEMPFAIL for 5 minutes, then it will allow up to 3 more tries.

Even better would be a way to lock it out permanently after 3 failed cycles on the same day.

Anyway, not sure this is doable in postfixadmin, but it sure would add a large extra layer of security.

Or... does anyone know if this is possible with fail2ban already?


  • Christian Boltz - 2011-09-25
    • status: open --> closed-wont-fix
  • Christian Boltz - 2011-09-25

    This is nothing that can be implemented in PostfixAdmin AFAIK, but it should be possible with fail2ban.

    Basically you need to scan the mail log for authentication failures, filter out the username (or IP) and configure fail2ban to act based on this. The easiest way is probably to block the IP, but AFAIK fail2ban can run any script - for example, you could write a small script that disables the login for the user under attack by setting a flag in the database.

  • Brady - 2016-05-27

    "This is nothing that can be implemented in PostfixAdmin AFAIK"

    First, you do not have anything I see re: auth logging. This can easily be accomplished. What you say is simply not true nor will ever be true. Since it's a web frontend and does its own authentication at login it should have an auth log somewhere (or option/debug).

    "you need to scan the mail log"

    Second, since the auth hits the database via apache/webserver (not via Postfix/etc) this is NOT logged in general mail.log or syslog. (At least under virtual DB mail and the Ubuntu 14.04 I am using).

    My quick/dirty fix so I could use fail2ban:
    Edit postfixadmin/login.php (starting @ line 63 or so under Postfix Admin v2.3.8) :

            if ($result['rows'] != 1) {
                $error = 1;
                $tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>';
                // Add this line:
                error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
            }
        } else {
            $error = 1;
            $tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>';
            // Add the same line in the second failure branch:
            error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
        }

    so two lines added to admin login.
    Then edit postfixadmin/users/login.php (shows start at line 63 or so) :

       else {
             $error = 1;
             $tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>';
             // Add this line:
             error_log('BAD LOGIN ATTEMPT, username "' . $fUsername . '", password "' . $fPassword . '"');
             $tUsername = $fUsername;
       }
       include ("../templates/header.php");

    A bad auth simply gets logged to /var/log/apache2/error.log now using PHP's error_log method.

    Now FAIL2BAN :
    Create filter for fail2ban:

    sudo nano /etc/fail2ban/filter.d/postfixadmin.conf

    and add this:

    [INCLUDES]
    before = common.conf
    after  = postfixadmin.local

    [Definition]
    failregex = \[client <HOST>(:\d{1,5})?\].*BAD LOGIN ATTEMPT
    ignoreregex =
    # Author: Brady Shea - after customizing postfixadmin/login.php to log to apache2 error.log

    ADD LINES TO jail.local or jail.conf:

    [postfixadmin]
    enabled  = true
    port     = http,https
    filter   = postfixadmin
    logpath  = /var/log/apache2/error.log
    findtime = 60
    maxretry = 3
    bantime  = 120


    sudo service fail2ban restart

    Your apache generic error.log should now start showing things like:

    [Fri May 27 12:24:23.858680 2016] [:error] [pid 12927] [client] BAD LOGIN ATTEMPT, username "sdsd@dfdf.com", password "ss", referer: https://mail.somewhere.tld/postfixadmin/login.php

    Hope this helps someone. Works fine - tested over some weeks now.

    -B Shea

    Last edit: Brady 2016-05-27
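As an added illustration (not part of Brady's post or of PostfixAdmin), this script runs the failregex from the filter above over a few constructed apache2 error.log lines and applies the jail settings (findtime 60, maxretry 3, bantime 120) the way fail2ban would, so you can see which host ends up banned and when the ban expires. The `<HOST>` expansion is a simplified assumption (IPv4 or plain hostname only); the sample lines omit the password field on purpose.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> placeholder (assumption: IPv4 or plain hostname).
HOST_RE = r"(?P<host>[0-9A-Za-z.-]+)"
# failregex from the filter.d/postfixadmin.conf above, with <HOST> expanded.
FAILREGEX = re.compile(r"\[client " + HOST_RE + r"(:\d{1,5})?\].*BAD LOGIN ATTEMPT")
# Apache error.log timestamp prefix, e.g. "[Fri May 27 12:24:23.858680 2016]".
TS_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\]")

# Constructed sample lines (not real log data); the password field is left out
# on purpose, following the advice later in this thread.
SAMPLE_LINES = [
    '[Fri May 27 12:24:23.858680 2016] [:error] [pid 12927] [client 203.0.113.5:51234] BAD LOGIN ATTEMPT, username "admin@example.com", referer: https://mail.example.com/postfixadmin/login.php',
    '[Fri May 27 12:24:40.103311 2016] [:error] [pid 12927] [client 203.0.113.5:51240] BAD LOGIN ATTEMPT, username "admin@example.com", referer: https://mail.example.com/postfixadmin/login.php',
    '[Fri May 27 12:25:10.555000 2016] [:error] [pid 12928] [client 203.0.113.5:51251] BAD LOGIN ATTEMPT, username "admin@example.com", referer: https://mail.example.com/postfixadmin/login.php',
    '[Fri May 27 12:25:30.000001 2016] [:error] [pid 12928] [client 203.0.113.5:51260] BAD LOGIN ATTEMPT, username "admin@example.com", referer: https://mail.example.com/postfixadmin/login.php',
    '[Fri May 27 12:24:30.200000 2016] [:error] [pid 12927] [client 198.51.100.7:40001] BAD LOGIN ATTEMPT, username "bob@example.com", referer: https://mail.example.com/postfixadmin/login.php',
    '[Fri May 27 12:26:00.900000 2016] [:error] [pid 12929] [client 198.51.100.7:40002] BAD LOGIN ATTEMPT, username "bob@example.com", referer: https://mail.example.com/postfixadmin/login.php',
    '[Fri May 27 12:26:05.000000 2016] [:error] [pid 12929] [client 198.51.100.7:40003] PHP Notice: Undefined index: foo in /srv/postfixadmin/functions.inc.php',
]

def parse_line(line):
    """Return (timestamp, host) when a line matches failregex, else None."""
    m = FAILREGEX.search(line)
    ts = TS_RE.match(line)
    if not m or not ts:
        return None
    when = datetime.strptime(ts.group(1) + " " + ts.group(2), "%a %b %d %H:%M:%S %Y")
    return when, m.group("host")

def simulate_jail(lines, findtime=60, maxretry=3, bantime=120):
    """Apply the jail.local thresholds above: ban a host once it produces
    maxretry matches within findtime seconds; return host -> ban expiry."""
    hits = {}   # host -> timestamps of recent failures
    bans = {}   # host -> datetime the ban expires
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host = parsed
        if host in bans and when < bans[host]:
            continue  # traffic from a banned host never reaches the login page
        recent = [t for t in hits.get(host, []) if when - t <= timedelta(seconds=findtime)]
        recent.append(when)
        hits[host] = recent
        if len(recent) >= maxretry:
            bans[host] = when + timedelta(seconds=bantime)
            hits[host] = []
    return bans
```

Note that the second host never gets banned: its two failures are 90 seconds apart, outside the 60-second findtime window.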
  • Brady - 2016-05-27

    Obviously, the above would be better served with its own config option and/or debug setting and its own called method. Not exactly DRY. This was just a quick fix to get fail2ban working on auth.

    Last edit: Brady 2016-05-27
  • Christian Boltz - 2016-05-27

    Looks like I misunderstood the initial request as a request to check for failed POP3/IMAP/SMTP Auth logins instead of checking for failed login attempts to PostfixAdmin. Sorry for that.

    PostfixAdmin error_log()s failed logins since SVN r1600 (2013-12-08), so if you use any of the 2.9x releases, your error_log will already contain something like "PostfixAdmin login failed (username: $whatever)". It should be easy to add a fail2ban rule for this.

    BTW: I'd recommend not to log any passwords, not even wrong passwords. You'll end up with having nearly-correct mistyped passwords in the log, which makes finding out the real password quite easy.

  • Brady - 2016-05-31

    No problem & thanks for the reply. You are absolutely right about passwords. I should have mentioned that - but I still think it should be a logging option with a BIG warning by it. And thanks for the heads up re: SVN releases/2.9x+.. good deal..
