merge: resolve conflicts, keep new IMAP self-ban article

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

05-troubleshooting/index.md

@@ -7,6 +7,7 @@ Practical fixes for common Linux, networking, and application problems.
 
 ## 🌐 Networking & Web
 - [Apache Outage: Fail2ban Self-Ban + Missing iptables Rules](networking/fail2ban-self-ban-apache-outage.md)
+- [Mail Client Stops Receiving: Fail2ban IMAP Self-Ban](networking/fail2ban-imap-self-ban-mail-client.md)
 - [ISP SNI Filtering & Caddy](isp-sni-filtering-caddy.md)
 - [yt-dlp YouTube JS Challenge Fix](yt-dlp-fedora-js-challenge.md)
 

05-troubleshooting/networking/fail2ban-imap-self-ban-mail-client.md

@@ -0,0 +1,119 @@
+# Mail Client Stops Receiving: Fail2ban IMAP Self-Ban
+
+## 🛑 Problem
+
+A mail client stops receiving new email on one device while other devices (e.g., phone on cellular) continue to work normally. The mail server is healthy — Postfix is delivering to maildir and Dovecot is running — but the affected device receives no new messages and is never prompted for credentials.
+
+---
+
+## 🔍 Diagnosis
+
+### Step 1 — Confirm the mail server is delivering
+
+```bash
+ssh root@<mailserver> "tail -20 /var/log/maillog | grep 'status=sent'"
+```
+
+If you see `status=sent (delivered to maildir)`, the server is working. The issue is on the client side.
+
+---
+
+### Step 2 — Check if the client is connecting at all
+
+```bash
+ssh root@<mailserver> "grep '<client_ip>' /var/log/maillog | tail -10"
+```
+
+If there are **zero results**, the client is not reaching the server at all — not a credentials or sync issue.
+
+---
+
+### Step 3 — Get the client's current public IP
+
+Run this on the affected machine:
+
+```bash
+curl -s https://api.ipify.org
+```
+
+---
+
+### Step 4 — Check if that IP is banned by Fail2ban
+
+```bash
+ssh root@<mailserver> "fail2ban-client status postfix-sasl"
+ssh root@<mailserver> "fail2ban-client status dovecot-invalid"
+```
+
+Look for the IP in the `Banned IP list`. If it's there, that's your problem.
+
+---
+
+### Step 5 — Find when the ban was applied
+
+```bash
+ssh root@<mailserver> "grep '<client_ip>' /var/log/fail2ban.log | tail -20"
+```
+
+This shows the exact timestamps of auth failures and the ban event.
+
+---
+
+## ✅ Fix
+
+Unban the IP from all relevant jails:
+
+```bash
+fail2ban-client set postfix-sasl unbanip <IP>
+fail2ban-client set dovecot-invalid unbanip <IP>
+```
+
+Mail should resume immediately without restarting any services.
+
+---
+
+## 🔁 Why This Happens
+
+| Symptom | Cause |
+|---|---|
+| One device stops getting mail, others don't | Each device has a different public IP. Only the banned IP is blocked. |
+| No auth prompt in the mail client | Fail2ban issues a TCP `REJECT` — the client sees a connection error, not an auth failure, so it doesn't prompt for new credentials. It silently retries on a timer. |
+| Multiple failed attempts before ban | The mail client retried with a previously valid session token or stale auth state, triggering the `maxretry` threshold. |
+| Ban on `postfix-sasl` blocks IMAP (port 993) | The `postfix-sasl` jail monitors ports 25, 465, 587, 143, 993, 110, and 995 — not just SMTP. A failed SMTP auth attempt can ban access to IMAP as well. |
+
+---
+
+## ⚠️ Key Notes
+
+- **Fail2ban `postfix-sasl` covers all mail ports** — a single jail can lock out SMTP *and* IMAP simultaneously.
+- **The affected device's IP is never logged in Dovecot** once banned — the rejection happens at the iptables/Fail2ban layer before Dovecot sees the connection.
+- **Tailscale doesn't help** if the mail client connects via the public interface — the ban applies to the public IP, not the Tailscale IP.
+- Check when the ban happened: `grep '<IP>' /var/log/fail2ban.log` shows exact timestamps.
+
+---
+
+## 🔎 Quick Diagnostic Commands
+
+```bash
+# Get your current public IP (run on affected machine)
+curl -s https://api.ipify.org
+
+# Check all Fail2ban jail statuses
+fail2ban-client status
+
+# Check a specific jail for a banned IP
+fail2ban-client status postfix-sasl
+fail2ban-client status dovecot-invalid
+
+# Unban from a specific jail
+fail2ban-client set postfix-sasl unbanip <IP>
+fail2ban-client set dovecot-invalid unbanip <IP>
+
+# Unban from all jails at once
+for jail in $(fail2ban-client status | grep "Jail list" | sed 's/.*://;s/,/ /g'); do
+  fail2ban-client set $jail unbanip <IP> 2>/dev/null && echo "Unbanned from $jail"
+done
+
+# Find when a specific IP was banned
+grep '<IP>' /var/log/fail2ban.log | tail -20
+```

MajorWiki-Deploy-Status.md

@@ -31,7 +31,7 @@ DNS record and Caddy entry have been removed.
 
 ## Content
 
-- 36 articles across 5 domains
+- 37 articles across 5 domains
 - Source of truth: `MajorVault/20-Projects/MajorTwin/08-Wiki/`
 - Deployed via Gitea webhook (push from MajorAir → auto-pull on majorlab)
 
@@ -63,7 +63,7 @@ rsync -av --include="*.md" --include="*/" --exclude="*" \
 
 ---
 
-*Updated 2026-03-13*
+*Updated 2026-03-14*
 
 ## Canonical Update Workflow
 
@@ -91,3 +91,14 @@ Every time a new article is added, the following **MUST** be updated to maintain
 4.  **Root `README.md`**: Sync with the main `index.md` (Article count, domain lists, and Recently Updated).
 
 > [!note] The rsync one-liner in the Update Workflow section above was a one-off during initial setup. It is no longer the canonical method.
+
+---
+
+## Related
+- [[majorlab|majorlab]] — deploy host (port 8092, Caddy reverse proxy, Gitea webhook)
+- [[01-Phases|Implementation Phases]] — Phase 9 (wiki & knowledge base)
+- [[09-Lessons-Learned-v5|Lessons Learned v5]] — ISP SNI filtering on wiki.majorshouse.com (why it's notes.majorshouse.com)
+- [[MajorAir|MajorAir]] — push host for git workflow
+- [[MajorRig|MajorRig]] — alternative git push host (WSL2 path documented)
+- [[03-11-2026|Status Update 2026-03-11]] — deployment date journal entry
+- [[03-13-2026|Status Update 2026-03-13]] — content expansion and SUMMARY.md sync

README.md

@@ -2,8 +2,8 @@
 
 > A growing reference of Linux, self-hosting, open source, streaming, and troubleshooting guides. Written by MajorLinux. Used by MajorTwin.
 >
-**Last updated:** 2026-03-13
-**Article count:** 36
+**Last updated:** 2026-03-14
+**Article count:** 37
 
 ## Domains
 
@@ -13,7 +13,7 @@
 | 🏠 Self-Hosting & Homelab | `02-selfhosting/` | 8 |
 | 🔓 Open Source Tools | `03-opensource/` | 9 |
 | 🎙️ Streaming & Podcasting | `04-streaming/` | 1 |
-| 🔧 General Troubleshooting | `05-troubleshooting/` | 9 |
+| 🔧 General Troubleshooting | `05-troubleshooting/` | 10 |
 
 ---
 
@@ -101,6 +101,7 @@
 ## 🔧 General Troubleshooting
 
 - [Apache Outage: Fail2ban Self-Ban + Missing iptables Rules](05-troubleshooting/networking/fail2ban-self-ban-apache-outage.md) — diagnosing and fixing Apache outages caused by missing firewall rules and Fail2ban self-bans
+- [Mail Client Stops Receiving: Fail2ban IMAP Self-Ban](05-troubleshooting/networking/fail2ban-imap-self-ban-mail-client.md) — diagnosing why one device stops receiving email when the mail server is healthy
 - [Docker & Caddy Recovery After Reboot (Fedora + SELinux)](05-troubleshooting/docker-caddy-selinux-post-reboot-recovery.md) — fixing docker.socket, SELinux port blocks, and httpd_can_network_connect after reboot
 - [ISP SNI Filtering with Caddy](05-troubleshooting/isp-sni-filtering-caddy.md) — troubleshooting why wiki.majorshouse.com was blocked by Google Fiber
 - [Obsidian Cache Hang Recovery](05-troubleshooting/obsidian-cache-hang-recovery.md) — resolving "Loading cache" hang in Obsidian by cleaning Electron app data and ML artifacts
@@ -115,6 +116,7 @@
 
 | Date | Article | Domain |
 |---|---|---|
+| 2026-03-14 | [Mail Client Stops Receiving: Fail2ban IMAP Self-Ban](05-troubleshooting/networking/fail2ban-imap-self-ban-mail-client.md) | Troubleshooting |
 | 2026-03-14 | [SearXNG: Private Self-Hosted Search](03-opensource/alternatives/searxng.md) | Open Source |
 | 2026-03-14 | [FreshRSS: Self-Hosted RSS Reader](03-opensource/alternatives/freshrss.md) | Open Source |
 | 2026-03-14 | [Gitea: Self-Hosted Git](03-opensource/alternatives/gitea.md) | Open Source |
@@ -136,3 +138,10 @@
 | Pi-hole setup and local DNS | Self-Hosting | Medium | No |
 | OBS audio routing on Linux (PipeWire) | Streaming | Medium | No |
 | Nextcloud setup with Docker | Self-Hosting | Medium | No |
+
+---
+
+## Related
+- [[MajorWiki-Deploy-Status|MajorWiki Deploy Status]] — deployment status and git workflow
+- [[01-Phases|Implementation Phases]] — Phase 9 (wiki & knowledge base)
+- [[majorlab|majorlab]] — hosting server

SUMMARY.md

@@ -32,6 +32,7 @@
     * [OBS Studio Setup & Encoding](04-streaming/obs/obs-studio-setup-encoding.md)
 * [Troubleshooting](05-troubleshooting/index.md)
     * [Apache Outage: Fail2ban Self-Ban + Missing iptables Rules](05-troubleshooting/networking/fail2ban-self-ban-apache-outage.md)
+    * [Mail Client Stops Receiving: Fail2ban IMAP Self-Ban](05-troubleshooting/networking/fail2ban-imap-self-ban-mail-client.md)
     * [Docker & Caddy Recovery After Reboot (Fedora + SELinux)](05-troubleshooting/docker-caddy-selinux-post-reboot-recovery.md)
     * [ISP SNI Filtering with Caddy](05-troubleshooting/isp-sni-filtering-caddy.md)
     * [Obsidian Vault Recovery — Loading Cache Hang](05-troubleshooting/obsidian-cache-hang-recovery.md)

index.md

@@ -2,8 +2,8 @@
 
 > A growing reference of Linux, self-hosting, open source, streaming, and troubleshooting guides. Written by MajorLinux. Used by MajorTwin.
 >
-> **Last updated:** 2026-03-13
-> **Article count:** 36
+> **Last updated:** 2026-03-14
+> **Article count:** 37
 
 ## Domains
 
@@ -13,7 +13,7 @@
 | 🏠 Self-Hosting & Homelab | `02-selfhosting/` | 8 |
 | 🔓 Open Source Tools | `03-opensource/` | 9 |
 | 🎙️ Streaming & Podcasting | `04-streaming/` | 1 |
-| 🔧 General Troubleshooting | `05-troubleshooting/` | 9 |
+| 🔧 General Troubleshooting | `05-troubleshooting/` | 10 |
 
 ---
 
@@ -101,6 +101,7 @@
 ## 🔧 General Troubleshooting
 
 - [Apache Outage: Fail2ban Self-Ban + Missing iptables Rules](05-troubleshooting/networking/fail2ban-self-ban-apache-outage.md) — diagnosing and fixing Apache outages caused by missing firewall rules and Fail2ban self-bans
+- [Mail Client Stops Receiving: Fail2ban IMAP Self-Ban](05-troubleshooting/networking/fail2ban-imap-self-ban-mail-client.md) — diagnosing why one device stops receiving email when the mail server is healthy
 - [Docker & Caddy Recovery After Reboot (Fedora + SELinux)](05-troubleshooting/docker-caddy-selinux-post-reboot-recovery.md) — fixing docker.socket, SELinux port blocks, and httpd_can_network_connect after reboot
 - [ISP SNI Filtering with Caddy](05-troubleshooting/isp-sni-filtering-caddy.md) — troubleshooting why wiki.majorshouse.com was blocked by Google Fiber
 - [Obsidian Cache Hang Recovery](05-troubleshooting/obsidian-cache-hang-recovery.md) — resolving "Loading cache" hang in Obsidian by cleaning Electron app data and ML artifacts
@@ -115,6 +116,7 @@
 
 | Date | Article | Domain |
 |---|---|---|
+| 2026-03-14 | [Mail Client Stops Receiving: Fail2ban IMAP Self-Ban](05-troubleshooting/networking/fail2ban-imap-self-ban-mail-client.md) | Troubleshooting |
 | 2026-03-14 | [SearXNG: Private Self-Hosted Search](03-opensource/alternatives/searxng.md) | Open Source |
 | 2026-03-14 | [FreshRSS: Self-Hosted RSS Reader](03-opensource/alternatives/freshrss.md) | Open Source |
 | 2026-03-14 | [Gitea: Self-Hosted Git](03-opensource/alternatives/gitea.md) | Open Source |
@@ -135,3 +137,10 @@
 | Troubleshooting NVIDIA on Linux | Troubleshooting | Medium | No |
 | Pi-hole setup and local DNS | Self-Hosting | Medium | No |
 | Nextcloud setup with Docker | Self-Hosting | Medium | No |
+
+---
+
+## Related
+- [[MajorWiki-Deploy-Status|MajorWiki Deploy Status]] — deployment status and update workflow
+- [[01-Phases|Implementation Phases]] — Phase 9 (wiki & knowledge base)
+- [[majorlab|majorlab]] — hosting server (notes.majorshouse.com)