[SOLVED] zimbraHttpThrottleSafeIPs and proxy

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
axslingr
Advanced member
Advanced member
Posts: 170
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: Release 8.8.11.GA.3737.UBUNTU16.64

[SOLVED] zimbraHttpThrottleSafeIPs and proxy

Postby axslingr » Wed Jan 03, 2018 11:08 pm

Hey guys, I'm having an issue where my users are getting the 'network service error' periodically due to authentication failures against the web client. The problem is that the ip address of the proxy server in front of the mailbox server is the ip that's getting suspended:

Code: Select all

2018-01-03 16:26:23,835 INFO  [qtp1595953398-1805:http://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 192.168.100.11 suspended, for repeated failed login.


192.168.100.11 is the proxy ip. Should I add this ip to the safe list or no? If no, what is the best way to get around this? I keep having to restart the mailbox service as a workaround.

Thanks!
Lance

Release 8.8.5.GA.1894.UBUNTU14.64 UBUNTU14_64 FOSS edition.


axslingr
Advanced member
Advanced member
Posts: 170
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: Release 8.8.11.GA.3737.UBUNTU16.64

Re: zimbraHttpThrottleSafeIPs and proxy

Postby axslingr » Thu Jan 04, 2018 12:49 am

I think I may have stumbled onto the answer:

https://wiki.zimbra.com/wiki/Log_Files# ... inating_IP

i've added my proxy ip to zimbraMailTrustedIP and restarted mailbox service. zimbra_http_originating_ip_header = X-Forwarded-For was already set.

Will post back results.

Lance
axslingr
Advanced member
Advanced member
Posts: 170
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: Release 8.8.11.GA.3737.UBUNTU16.64

Re: zimbraHttpThrottleSafeIPs and proxy

Postby axslingr » Fri Jan 05, 2018 12:21 pm

Well, as luck would have it, I haven't had any other break-in attempts yet. Still waiting...

Lance
axslingr
Advanced member
Advanced member
Posts: 170
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: Release 8.8.11.GA.3737.UBUNTU16.64

Re: zimbraHttpThrottleSafeIPs and proxy

Postby axslingr » Tue Jan 09, 2018 12:05 pm

Finally got some break-in attempts and following the wiki link above worked.

Lance
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 2027
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition
Contact:

Re: zimbraHttpThrottleSafeIPs and proxy

Postby L. Mark Stone » Tue Jan 09, 2018 1:56 pm

axslingr wrote:Finally got some break-in attempts and following the wiki link above worked.

Lance


Good to hear! For others who may come across this thread, 8.7 and above allows CIDR addressing for safe IP addresses, as documented here:
https://wiki.zimbra.com/wiki/DoSFilter

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
weblike
Posts: 15
Joined: Sat Sep 13, 2014 3:08 am

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Postby weblike » Tue Nov 12, 2019 6:53 am

I have added to SafeIPS our internal subnet, 10.7.1.0/24, but this morning I saw in the log that one of internal IP's was blocked:

[qtp1231156911-17143://localhost:8080/service/soap/AuthRequest] [] misc - Access from IP 10.7.1.162 suspended, for repeated failed login.


Does this feature supports subnets?
Thank you
weblike
Posts: 15
Joined: Sat Sep 13, 2014 3:08 am

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Postby weblike » Wed Nov 13, 2019 12:25 pm

Hello,

It's very strange because when I search the /opt/zimbra/log/mailbox.log with " cat mailbox.log | grep -i "DoSFilter: Configured whitelist IPs" "
I get different IP's than I run this command: zmprov gcf zimbraHttpThrottleSafeIPs

could anyone help on this please?
phoenix
Ambassador
Ambassador
Posts: 26326
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Postby phoenix » Wed Nov 13, 2019 1:30 pm

Why don't you post the zmprov output for all the attributes mentioned in the wiki article and some of the log file entries that show an 'incorrect ip' that you've mentioned in your post.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
weblike
Posts: 15
Joined: Sat Sep 13, 2014 3:08 am

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Postby weblike » Wed Nov 13, 2019 5:18 pm

This is the output:

Code: Select all

[root@mail log]# cat mailbox.log | grep -i "DoSFilter: Configured whitelist IPs"
2019-11-13 12:46:50,257 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
2019-11-13 12:46:50,291 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
2019-11-13 12:47:05,625 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
2019-11-13 12:47:09,358 INFO  [main] [] misc - DoSFilter: Configured whitelist IPs = 244.222.5.15,192.168.2.1,10.4.1.150,127.0.0.1,::1,0:0:0:0:0:0:0:1
[root@mail log]# su zimbra
[zimbra@mail log]$ zmprov gcf zimbraHttpThrottleSafeIPs
zimbraHttpThrottleSafeIPs: 10.4.1.0/24
zimbraHttpThrottleSafeIPs: 244.222.5.5
zimbraHttpThrottleSafeIPs: 244.222.5.6
zimbraHttpThrottleSafeIPs: 192.168.2.1
zimbraHttpThrottleSafeIPs: 244.222.31.94
zimbraHttpThrottleSafeIPs: 10.5.1.0/24
[zimbra@mail log]$



I have declared the IP's from zmprov command, but cannot recognize those from output of "cat mailbox.log | grep -i "DoSFilter: Configured whitelist IPs""

Where is the error?In my brain? :)
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 2027
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition
Contact:

Re: [SOLVED] zimbraHttpThrottleSafeIPs and proxy

Postby L. Mark Stone » Wed Nov 13, 2019 8:37 pm

Please post the output from the following command:

Code: Select all

zmprov gs `zmhostname` zimbraHttpThrottleSafeIPs


It's possible zimbraHttpThrottleSafeIPs has been set explicitly at the server level; doing so overrides what is set at the global level (breaking inheritance).

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 6 guests