Iphone version 26.2 - MailApp triggers crowdsecurity/postfix-non-smtp-command

[anothermouse]

What happened?

Attempting to add an Dovecot IMAP/Postfix account caused crowdsec to ban the IP following the default postfix-non-smtp-command as defined at https://app.crowdsec.net/hub/author/crowdsecurity/scenarios/postfix-non-smtp-command This is obviously the intended action, BUT with an IPhone running iOS version 26.2 - MailApp, this causes the IP associated with the IPhone to be banned.

What did you expect to happen?

Whilst this is exactly what the configuration SHOULD do, it is not the desired action. Additionally, the adding of the account process fails. The desired action is that the IPhone should continue to complete the connections, not be banned, and complete the process of adding the mail account to the application.

How can we reproduce it (as minimally and precisely as possible)?

Postfix/Dovecot server, and attempting to add a valid account to an IPhone using the standard mail app.

Anything else we need to know?

Changing the default configuration file https://app.crowdsec.net/hub/author/crowdsecurity/scenarios/postfix-non-smtp-command to set the blackhole: 5m (rather than the default 1m) allows this to work. Obviously this is a workaround which reduces the sensitivity of the test. Somone else may which to chase up whatever non-standard process is triggering this. This bug/information is reported in the hope that other people may manage to keep their hair for longer! This should probably be labelled an iOS 'bug'?...but ......even if this issue is just archived, it'll probably help someone else at some point

Crowdsec version

Details

cscli version
version: v1.7.4-debian-pragmatic-amd64-469b374e
Codename: alphaga
BuildDate: 2025-12-04_15:31:39
GoVersion: 1.25.3
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.7.4-debian-pragmatic-amd64-469b374e-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog, db_mysql, db_postgres, db_sqlite

OS version

Details

# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ uname -a
Linux 6.1.0-13-amd64 crowdsecurity/crowdsec#1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Enabled collections and parsers

Details

$  cscli hub list -o raw
crowdsecurity/postfix is tainted by scenarios:crowdsecurity/postfix-non-smtp-command
Loaded: 160 parsers, 11 postoverflows, 773 scenarios, 9 contexts, 5 appsec-configs, 176 appsec-rules, 159 collections
Unmanaged items: 1 local, 2 tainted
name,status,version,description,type
crowdsecurity/apache2-logs,enabled,1.5,Parse Apache2 access and error logs,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/geoip-enrich,enabled,0.5,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/haproxy-logs,enabled,0.8,Parse haproxy http logs,parsers
crowdsecurity/http-logs,enabled,1.3,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/modsecurity,enabled,1.3,A parser for modsecurity WAF,parsers
crowdsecurity/postfix-logs,enabled,0.9,Parse postfix logs,parsers
crowdsecurity/postscreen-logs,enabled,0.3,Parse postscreen logs,parsers
crowdsecurity/public-dns-allowlist,enabled,0.1,Allow events from public DNS servers,parsers
crowdsecurity/sshd-logs,enabled,3.1,Parse openSSH logs,parsers
crowdsecurity/sshd-success-logs,enabled,0.1,Parse successful ssh logins,parsers
crowdsecurity/syslog-logs,enabled,1.0,,parsers
crowdsecurity/whitelists,enabled,0.3,Whitelist events from private ipv4 addresses,parsers
mywhitelists,"enabled,local",,,parsers
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.5,Whitelist good search engine crawlers,postoverflows
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.7,Detect cve-2021-44228 exploitation attempts,scenarios
crowdsecurity/CVE-2017-9841,enabled,0.2,Detect CVE-2017-9841 exploits,scenarios
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.4,Confluence - RCE (CVE-2022-26134),scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/CVE-2023-22518,enabled,0.3,Detect CVE-2023-22518 exploits,scenarios
crowdsecurity/CVE-2023-49103,enabled,0.3,Detect owncloud CVE-2023-49103 exploitation attempts,scenarios
crowdsecurity/CVE-2024-0012,enabled,0.1,Detect CVE-2024-0012 exploitation attempts,scenarios
crowdsecurity/CVE-2024-38475,enabled,0.1,Detect CVE-2024-38475 exploitation attempts,scenarios
crowdsecurity/CVE-2024-9474,enabled,0.1,Detect CVE-2024-9474 exploitation attempts,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.3,F5 BIG-IP TMUI - RCE (CVE-2020-5902),scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.4,Detect cve-2018-13379 exploitation attempts,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.3,Grafana - Arbitrary File Read (CVE-2021-43798),scenarios
crowdsecurity/http-admin-interface-probing,enabled,0.5,Detect generic HTTP admin interface probing,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.6,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,1.2,Detect usage of bad User Agent,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.7,Detect aggressive crawl on non static resources,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.3,Apache - Path Traversal (CVE-2021-41773),scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.3,Apache - Path Traversal (CVE-2021-42013),scenarios
crowdsecurity/http-cve-probing,enabled,0.6,Detect generic HTTP cve probing,scenarios
crowdsecurity/http-generic-bf,enabled,0.9,Detect generic http brute force,scenarios
crowdsecurity/http-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: basic HTTP trigger,scenarios
crowdsecurity/http-open-proxy,enabled,0.5,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.4,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.4,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sap-interface-probing,enabled,0.1,Detect generic HTTP SAP interface probing,scenarios
crowdsecurity/http-sensitive-files,enabled,0.4,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.4,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-wordpress-scan,enabled,0.4,Detect exploitation attempts against common WordPress endpoints,scenarios
crowdsecurity/http-xss-probing,enabled,0.4,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.4,Detect Atlassian Jira CVE-2021-26086 exploitation attempts,scenarios
crowdsecurity/modsecurity,enabled,0.6,Web exploitation via modsecurity,scenarios
crowdsecurity/netgear_rce,enabled,0.4,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/postfix-helo-rejected,enabled,0.1,Detect HELO rejections,scenarios
crowdsecurity/postfix-non-smtp-command,"enabled,tainted",?,Detect scanning of postfix service through non-SMTP commands,scenarios
crowdsecurity/postfix-relay-denied,enabled,0.1,Detect multiple open relay attempts,scenarios
crowdsecurity/postfix-spam,enabled,0.4,Detect spammers,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.4,Detect cve-2019-11510 exploitation attempts,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.3,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-cve-2024-6387,enabled,0.2,Detect exploitation attempt of CVE-2024-6387,scenarios
crowdsecurity/ssh-generic-test,enabled,0.2,Crowdsec Generic Test Scenario: SSH brute force trigger,scenarios
crowdsecurity/ssh-refused-conn,enabled,0.1,Detect sshd refused connections,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.4,Detect slow ssh bruteforce,scenarios
crowdsecurity/ssh-time-based-bf,enabled,0.2,Detect time-based ssh bruteforce attempts that evade rate limiting (with false positive reduction),scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.7,Detect ThinkPHP CVE-2018-20062 exploitation attempts,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.3,Detect VMSA-2021-0027 exploitation attempts,scenarios
ltsich/http-w00tw00t,enabled,0.3,detect w00tw00t,scenarios
crowdsecurity/bf_base,enabled,0.1,,contexts
crowdsecurity/http_base,enabled,0.3,,contexts
crowdsecurity/apache2,enabled,0.1,apache2 support : parser and generic http scenarios,collections
crowdsecurity/base-http-scenarios,enabled,1.2,http common : scanners detection,collections
crowdsecurity/haproxy,enabled,0.1,haproxy support : parser and generic http scenarios,collections
crowdsecurity/http-cve,enabled,2.9,Detect CVE exploitation in http logs,collections
crowdsecurity/linux,enabled,0.3,core linux support : syslog+geoip+ssh,collections
crowdsecurity/modsecurity,enabled,0.1,modsecurity support : modsecurity parser and scenario,collections
crowdsecurity/postfix,"enabled,tainted",0.4,postfix support : parser and spammer detection,collections
crowdsecurity/sshd,enabled,0.8,sshd support : parser and brute-force detection,collections
crowdsecurity/whitelist-good-actors,enabled,0.2,Good actors whitelists,collections

Acquisition config

Details

# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here

# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
# paste output here

Config show

Details

$ cscli config show
# paste output here

Prometheus metrics

Details

$ cscli metrics
# paste output here

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

Details

[github-actions]

@anothermouse: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[LaurenceJJones]

Changing the default configuration file app.crowdsec.net/hub/author/crowdsecurity/scenarios/postfix-non-smtp-command to set the blackhole: 5m (rather than the default 1m) allows this to work.

Well changing the blackhole has literally no effect on the detection mechanism so it wouldnt resolve the issue. (probably you got blocked, you remove the decision, blackhole is in effect for X minutes after removal but still will trigger again at some point in the onboarding of a user)

Maybe if you can provide the smtp logs from your mail server (PII redacted of course) we could actually see what is triggering and provide a suitable workaround.

[anothermouse]

I'll look into that. We have repeatedly got it to ban the IP address. Changing the value allowed it to add the account as expected. The IPhone produced an SSL certificate error before hanging. This is an extract log that triggered the problem:

2026-01-23T13:18:38.946122+00:00 mail01-***** postfix/smtpd[2403408]: connect from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160]
2026-01-23T13:18:38.946383+00:00 mail01-***** postfix/smtpd[2403408]: connect from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160]
2026-01-23T13:18:38.948225+00:00 mail01-***** postfix/smtpd[2403408]: improper command pipelining after CONNECT from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160]: \026\003\001\005\360\001\000\005\354\003\003\225\344\356\230\033\214\222\n\341\177\030J\362\205_'\000\334T\262\262|&\277\033\245\265t\301\264(H \177\205\350j\213\216\272\217\340\303N\211\231\177\022t_\327\220\2415\3236\245\3045Q\255X\222\232_\000*\232\232\023\002\023\003\023\001\300,\300+\314\251\3000\300/\314\250\300\n
2026-01-23T13:18:38.949468+00:00 mail01-***** postfix/smtpd[2403408]: warning: non-SMTP command from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160]: \026\003\001\005\360\001\000\005\354\003\003\225\344\356\230\033\214\222
2026-01-23T13:18:38.950825+00:00 mail01-***** postfix/smtpd[2403408]: disconnect from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160] unknown=0/1 commands=0/1
2026-01-23T13:18:38.948192+00:00 mail01-***** postfix/smtpd[2403408]: improper command pipelining after CONNECT from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160]: \026\003\001\005\360\001\000\005\354\003\003\225\344\356\230\033\214\222\n\341\177\030J\362\205_'\000\334T\262\262|&\277\033\245\265t\301\264(H \177\205\350j\213\216\272\217\340\303N\211\231\177\022t_\327\220\2415\3236\245\3045Q\255X\222\232_\000*\232\232\023\002\023\003\023\001\300,\300+\314\251\3000\300/\314\250\300\n
2026-01-23T13:18:38.949424+00:00 mail01-***** postfix/smtpd[2403408]: warning: non-SMTP command from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160]: \026\003\001\005\360\001\000\005\354\003\003\225\344\356\230\033\214\222
2026-01-23T13:18:38.950790+00:00 mail01-***** postfix/smtpd[2403408]: disconnect from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160] unknown=0/1 commands=0/1
2026-01-23T13:19:47.117540+00:00 mail01-***** postfix/smtpd[2403408]: connect from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160]
2026-01-23T13:19:47.117251+00:00 mail01-***** postfix/smtpd[2403408]: connect from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160]
2026-01-23T13:19:47.728897+00:00 mail01-***** postfix/smtpd[2403408]: disconnect from cpc91242-cmbg18-2-0-cust1183.5-4.cable.virginm.net[82.8.132.160] ehlo=2 starttls=1 auth=1 quit=1

This relates to an attempt to add a valid account to the Mail App on an iPhone. Everything works perfectly well when adding the account using Thunderbird etc. Let me know if you need further diagnostics.

[anothermouse]

Have just retested with the blackhole changed to 5m, and you're absolutely right, it now retriggers the ban in exactly the same way. It merely gave me enough time to add the iPhone before it was being triggered on again. My next proposed (nuclear option) 'workaround' is:

sudo cscli scenarios remove crowdsecurity/postfix-non-smtp-command
sudo systemctl reload crowdsec

...but that's kind of like admitting defeat!

[LaurenceJJones]

Well the “command” are a TLS ClientHello. Postfix is logging them because the client connected to your plain SMTP service and immediately started speaking TLS instead of waiting for the SMTP banner and issuing EHLO / STARTTLS commands.

which ports / tls setting are on postfix that the client are connecting too unless this is just an absurd gimmick of iphone mail app

[anothermouse]

Ports are the standard 25 and 587.

Port 587 is set: smtpd_tls_security_level = may

(We will be changing that to 'encrypt', and I suspect that will result in a review of any local applications that may be 'just connecting locally using an unencrypted connection'.)

[anothermouse]

Further update from experimentation. If I :

sudo cscli scenarios remove crowdsecurity/postfix-non-smtp-command
sudo systemctl reload crowdsec

then the iPhone will correctly connect and add the account. Once that has occurred, the Mail App successfully sends and receives emails without issues even if the scenario is re-added. Problem is ONLY when adding the new account to iPhone iOS Mail App

I suspect that changing the setting to 'encrypt' may resolve this, but my concern is that an innocent process beyond the user's control can result in a rather drastic response affecting the user.