I have fail2ban set up and working on my system. In /etc/fail2ban/jail.local, I have the following for my destination email:
destemail = [email protected]
Yet, looking through my /var/log/mail.log file, I keep seeing:
Jul 23 21:19:04 picus sendmail[21205]: x6O1J489021205: from=fail2ban, size=210, class=0, nrcpts=1, msgid=<[email protected]>, relay=root@localhost
Jul 23 21:19:04 picus sm-mta[21207]: x6O1J4vh021207: from=<[email protected]>, size=461, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA-v4, relay=localhost [127.0.0.1]
Jul 23 21:19:04 picus sendmail[21205]: x6O1J489021205: to=root, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30210, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (x6O1J4vh021207 Message accepted for delivery)
Jul 23 21:19:04 picus sm-mta[21208]: x6O1J4vh021207: to=linode, ctladdr=<[email protected]> (8/0), delay=00:00:00, mailer=local, pri=120461, dsn=5.1.1, stat=User unknown
Jul 23 21:19:04 picus sm-mta[21208]: x6O1J4vh021207: to=<[email protected]>, delay=00:00:00, mailer=local, pri=30680, dsn=5.1.1, stat=User unknown
Jul 23 21:19:04 picus sm-mta[21208]: x6O1J4vh021207: to=linode, ctladdr=root (8/0), delay=00:00:00, mailer=local, pri=30680, dsn=5.1.1, stat=User unknown
Jul 23 21:19:04 picus sm-mta[21208]: x6O1J4vh021207: x6O1J4vh021208: postmaster notify: User unknown
Jul 23 21:19:04 picus sm-mta[21208]: x6O1J4vh021208: to=linode, ctladdr=root (8/0), delay=00:00:00, mailer=local, pri=0, dsn=5.1.1, stat=User unknown
Jul 23 21:19:04 picus sm-mta[21208]: x6O1J4vh021208: to=linode, ctladdr=root (8/0), delay=00:00:00, mailer=local, pri=0, dsn=5.1.1, stat=User unknown
Jul 23 21:19:04 picus sm-mta[21208]: x6O1J4vh021208: x6O1J4vi021208: return to sender: User unknown
Jul 23 21:19:04 picus sm-mta[21208]: x6O1J4vi021208: to=linode, ctladdr=root (8/0), delay=00:00:00, mailer=local, pri=0, dsn=5.1.1, stat=User unknown
Jul 23 21:19:04 picus sm-mta[21208]: x6O1J4vh021208: Saved message in /var/lib/sendmail/dead.letter
It keeps trying to send it to the root account on my machine rather than my email address. Am I missing some configuration option somewhere?
EDIT: after a bit of tinkering, I've been able to somewhat correct the problem. I changed:
dest = root
to
dest = [email protected]
in /etc/fail2ban/action.d/mail.conf. With that change, I'm now receiving emails that pertain to my ssh/ssh-ddos jails. However, I'm still not receiving emails from my recidive jail. Looking at /etc/fail2ban/jail.local, I see that it invokes something that collates/formats various WHOIS data for banned accounts in that particular jail.
More digging in the various configuration files led me to /etc/fail2ban/action.d/sendmail-common.conf which, like the other various configuration files I looked at, has dest = root.
Now, I could tweak these various configuration files to all use my email address as the destination, but I'm getting the feeling that's more or less the equivalent of hammering a round peg into a square hole. Is there a better way to force fail2ban to just default to using my email as the destination address? Is there a potential configuration problem with my sendmail installation (I can receive emails from OSSEC and my web app with no issue)?
I have the exact same problem on my Debian 10 server. That one is a nasty one as it doesn't really give error messages where you could track it down as there is no real error...
Up there Michael Hampton was giving the right hint. Thank you.
SOLUTION:
Set your 2 emails in every rule where you use it, then it suddenly worked.
Like so:
It turns out that although I had it in the default declarations, invisibly it didn't get accepted... without giving an error... some random formatting error like an empty line or a comment or so...
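The two layouts discussed in this thread side by side, as an added jail.local sketch (not the poster's missing snippet, nor a file from the fail2ban project); the addresses and the jail names are placeholders:

```ini
# /etc/fail2ban/jail.local -- added illustration; addresses are placeholders.

[DEFAULT]
# destemail/sender only reach a mail action if the action line passes them on
# as parameters; setting them here alone does not change dest inside action.d/.
destemail = admin@example.invalid
sender    = fail2ban@example.invalid
mta       = sendmail

[sshd]
enabled = true
# Weak layout (what the question describes): a bare action name gives
# sendmail-whois no dest= parameter, so it falls back to "dest = root" from
# action.d/sendmail-common.conf and the report is delivered (or bounced) locally.
#action  = sendmail-whois
#
# Corrected layout (a): the stock macro from jail.conf already expands to
# %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", ...].
action  = %(action_mwl)s

[recidive]
enabled  = true
logpath  = /var/log/fail2ban.log
# Corrected layout (b): what the answer above does -- name both addresses
# explicitly in every jail whose action sends mail.
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, dest="%(destemail)s", sender="%(sender)s"]
```

Running `fail2ban-client -d` dumps the configuration as fail2ban actually parsed it, which shows directly whether `dest` reached each mail action or silently stayed at `root`.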