Fail2ban ERROR Invariant check failed

I bumped into the following cryptic Fail2ban error:

fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q 'fail2ban-NoScript[ \t]' returned 100
fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment

Cause: a race condition in fail2ban-client.
Solution: add a small amount of sleep.

Open /usr/bin/fail2ban-client and around line 144 add the line “time.sleep(0.1)” right before “beautifier.setInputCmd(c)”. Make sure you use tabs and not spaces! Here is what it should look like:

Enjoy all those bans automagically handed out to the bad guys.

Oakley Email Fail

Last week I ordered replacement lenses for my Oakley sunglasses. Since it’s 2012 and not 1995, one would expect a thank-you-for-your-order email from Oakley (or any webshop for that matter) followed by shipment updates. Judging from the logs of my Postfix mail server, the Oakley sysadmin needs to at least follow best practices in IT (2012 edition), followed by mail server and DNS server setup 101, ASAP. The reason? I never received a single email from Oakley confirming my order or one with shipment updates. Why? From the logs of my Postfix mail server:

NOQUEUE: reject: RCPT from unknown[]: 554 5.1.8 <>: Sender address rejected: Domain not found; from=<> to=<my_special_oakley_email_address> proto=ESMTP helo=<>

NOQUEUE: reject: RCPT from unknown[]: 554 5.7.1 Client host rejected: cannot find your reverse hostname, []; from=<> to=<my_special_oakley_email_address> proto=ESMTP helo=<>

So let’s do some analysis:

1) Oakley tries to send me an email from IP address This IP address is part of the Rackspace range assigned to Oakley. From the whois information: Rackspace Hosting RSCP-NET-4 (NET-174-143-0-0-1) – Oakley Inc. RACKS-8-1279918324181340 (NET-174-143-198-128-1) – The reverse DNS lookup of results in That’s as expected. Next let’s do a lookup of The result? NXDOMAIN or in plain English a non-existing domain. In other words Oakley’s sysadmin decided to send email from but did not have enough of a clue to also make sure that has a DNS entry. The lack of a proper DNS record for will probably result in many mail servers rejecting these emails from Oakley.
That’s FAIL #1

2) Oakley tries to send me another email from IP address This IP address is also part of the Rackspace range assigned to Oakley. The reverse DNS lookup of results in: NXDOMAIN. Let’s see if the hostname resolves to something sane. What a surprise. Another NXDOMAIN. So, again, the sysadmin did not bother to add proper DNS records to Oakley’s public authoritative DNS servers.
That’s FAIL #2
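The two lookups walked through above can be run as a pre-flight check before a host is allowed to send mail. The sketch below is an added example, not code from the original post: the zone data, addresses and function names are constructed for illustration, and `lookup` is a stand-in to be replaced with a real DNS resolver.

```python
import ipaddress

# Constructed DNS data (documentation addresses and example domains).
ZONE = {
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    # Like FAIL #1: a PTR exists, but the name it returns does not resolve.
    ("20.2.0.192.in-addr.arpa", "PTR"): ["web01.example.net"],
    # Like FAIL #2: 192.0.2.30 has no PTR record at all.
}

def lookup(name, rtype):
    """Stand-in resolver; an empty list stands for NXDOMAIN or no data."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

def check_client(ip, resolve=lookup):
    """Reverse lookup of the client IP, then forward-confirm the PTR name."""
    addr = ipaddress.ip_address(ip)
    names = resolve(addr.reverse_pointer, "PTR")
    if not names:
        return "no-ptr"  # receiver says: cannot find your reverse hostname
    rtype = "A" if addr.version == 4 else "AAAA"
    forward = {ipaddress.ip_address(a) for n in names for a in resolve(n, rtype)}
    return "ok" if addr in forward else "ptr-unconfirmed"

def check_sender_domain(sender, resolve=lookup):
    """The envelope sender's domain needs an MX or address record."""
    domain = sender.rsplit("@", 1)[-1]
    if any(resolve(domain, t) for t in ("MX", "A", "AAAA")):
        return "ok"
    return "domain-not-found"  # receiver says: Domain not found

def audit(ip, sender):
    """Run both checks for one sending host and envelope sender."""
    return {"client": check_client(ip), "sender": check_sender_domain(sender)}

if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "orders@example.com"),
                       ("192.0.2.20", "orders@web01.example.net"),
                       ("192.0.2.30", "orders@example.com")]:
        print(ip, sender, audit(ip, sender))
```

Any result other than "ok" on either check means a receiving server with these restrictions enabled will reject the message before it is queued.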

Oakley: with the premium price you charge for your products I expect you to at least be able to send me a proper order confirmation and shipment updates. This is 2012, not 1995. It has been best practice for quite some time now that, to prevent FAILS like the ones above, one shall avoid sending email from non-MX hosts. Instead one shall send (order related) email via an authoritative, properly configured MX server (that’s a Mail eXchanger like Postfix) that has proper DNS records.

Thank you for complying at your earliest convenience as I still would like to receive the order confirmation and shipment update emails.