Messages

1

Web Proxy Filtering and Caching / Re: Hardening a IMAP server behind HAPROXY // fail2ban

« on: September 05, 2024, 01:39:00 am »

Thanks, ha proxy protocol just made it happen! for those who are wondering: dovecot itself (as many other services) is capable of interpreting ha proxy protocol when configured so. proxy protocol can be enabled in the gui, haproxy settings, in the advanced mode settings of the backend pool.

2

Web Proxy Filtering and Caching / Re: Hardening a IMAP server behind HAPROXY // fail2ban

« on: September 04, 2024, 10:58:22 am »

thanks bart for replying. Sure, a webmail client can be used with 2FA, but some of the mail users just want to use their iOS mail app or thunderbird or whatever they feel convenient with, so I will need to expose the imap server for them (dovecot in my setup).

Is there a way to forward the client ipv4 to the imap server so fail2ban can be used? Or even better to filter suspicious traffic on opnsense-level?

3

Web Proxy Filtering and Caching / Hardening a IMAP server behind HAPROXY // fail2ban

« on: September 04, 2024, 01:43:11 am »

Hello, I'm new to opnsense, maybe someone is able to help with this:

I'm hosting a IMAP Server in a VLAN, reverse proxied by opnsense haproxy plugin. SSL is offloaded by haproxy, the proxying takes place in TCP mode (layer4), public service is configured to listen on port 993 and routing all traffic to a default backend, as this is the only server for connections on 993.
Now I want to prevent bruteforce attacks on the imap server, using e.g. fail2ban to block malicious traffic. How would I best achieve this, when the imap server just sees the internal ip adress of the proxy instead of client IP?

Thanks for any help!