diff --git a/.gitignore b/.gitignore
index cbb3a13..7510716 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 *.log
 *spec-20*
 *.tar.gz
+*.tar.xz
diff --git a/contriborbase b/contriborbase
deleted file mode 100644
index 9b7fd51..0000000
--- a/contriborbase
+++ /dev/null
@@ -1 +0,0 @@
-contribs10
diff --git a/createlinks b/createlinks
index 863a811..e1d4dd0 100644
--- a/createlinks
+++ b/createlinks
@@ -3,10 +3,9 @@ use esmith::Build::CreateLinks qw(:all);
 # Koozali event specific for updating with yum without reboot
-$event = "smeserver-fail2ban-update";
-#add here the path to your templates needed to expand
-#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
+my $event = "smeserver-fail2ban-update";
+#add here the path to your templates needed to expand
 foreach my $file (qw(
 /etc/systemd/system-preset/49-koozali.preset
 /etc/backup-data.d/smeserver-fail2ban.include
@@ -21,22 +20,30 @@ event_link("systemd-default", $event, "10");
 event_link("systemd-reload", $event, "50");
 #action specific to this package
-#event_link("some event", $event, "30");
 #services we need to restart
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/masq");
 safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/fail2ban");
-#and Server Manager panel link
+#and Server Manager panel link
 panel_link("fail2ban", "manager");
 templates2events("/etc/rc.d/init.d/masq", "fail2ban-update");
 templates2events("/etc/rc.d/init.d/masq", "smeserver-fail2ban-update");
-foreach my $event qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save){
+# for smanager2
+safe_symlink('restart', "root/etc/e-smith/events/$event/services2adjust/smanager");
+event_link('navigation2-conf', "$event", '80');
+event_link('routes2-conf', "$event", '80');
+event_link('locales2-conf', "$event", '80');
+
+
+# other events
+foreach my $event (qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save)) {
 templates2events("/etc/fail2ban/jail.conf", "$event");
 templates2events("/etc/fail2ban/fail2ban.conf", "$event");
 templates2events("/etc/logrotate.d/fail2ban", "$event");
 }
+
 templates2events("/etc/fail2ban/jail.conf", "network-create");
 templates2events("/etc/fail2ban/jail.conf", "network-delete");
 templates2events("/etc/fail2ban/jail.conf", "remoteaccess-update");
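Review bot: The loop variable in `foreach my $event (qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save)) {` shadows the file-scoped `my $event` that the smanager2 lines just above rely on; the body only uses the loop value so nothing breaks, but a reader scanning for `$event` cannot tell the two apart. A distinct name, `foreach my $ev (qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save)) {` with `$ev` in the three templates2events calls, keeps the outer variable unambiguous, and a plain scalar does not need the `"$event"` quoting. The `# other events` comment would say more as `# expand the fail2ban templates on package update, config change and console save`.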
@@ -47,16 +54,5 @@ safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/
 safe_symlink("restart", "root/etc/e-smith/events/remoteaccess-update/services2adjust/fail2ban");
 event_link("fail2ban-suspend-logs", "logrotate", "02");
 event_link("fail2ban-resume-logs", "logrotate", "98");
-
 safe_touch("root/var/log/fail2ban/daemon.log");
-#service_link_enhanced("fail2ban", "S99", "7");
-#service_link_enhanced("fail2ban", "K08", "6");
-#service_link_enhanced("fail2ban", "K08", "0");
-
-# for smeserver-manager
-my $event = "smeserver-fail2ban-update";
-safe_symlink('restart', "root/etc/e-smith/events/$event/services2adjust/smanager");
-event_link('navigation2-conf', "$event", '80');
-event_link('routes2-conf', "$event", '80');
-event_link('locales2-conf', "$event", '80');
diff --git a/root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP b/root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP
index c4914f3..612896a 100644
--- a/root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP
+++ b/root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP
@@ -6,7 +6,10 @@ use Net::IPv4Addr;
 my $n = esmith::NetworksDB->open_ro() || die "Couldn't open networks DB\n";
-my @ip = ("127.0.0.0/8", $LocalIP);
+# do not block localhost and LAN
+my @ip = ("127.0.0.0/8", "$LocalIP/32");
+# if ExternalIP exist do not block WAN
+push @ip, "$ExternalIP/32" if $ExternalIP;
 # Add hosts which can access the server-manager to the whitelist
 unless (($fail2ban{FilterValidRemoteHosts} || 'disabled') eq 'enabled'){
@@ -28,6 +31,7 @@ unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
 # Add a local whitelist
 foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
 my $addr = $_;
+ next unless (length $addr);
 $addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
 my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
 push @ip, "$ip/$bits";
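Review bot: `push @ip, "$ExternalIP/32" if $ExternalIP;` writes the configuration-DB value into ignoreip unvalidated, while the admin-supplied IgnoreIP entries later in this same fragment are run through `Net::IPv4Addr::ipv4_parse`; the format ExternalIP can take is not visible here, and a value that is not a bare IPv4 address would yield a malformed ignoreip line for fail2ban to reject. Guarding it the same way, e.g. `push @ip, "$ExternalIP/32" if $ExternalIP && $ExternalIP =~ m{\A\d{1,3}(?:\.\d{1,3}){3}\z};`, keeps the two paths consistent. Note also that whitelisting the WAN address means any connection whose source is that address (presumably hairpin-NAT or locally originated traffic) can never be banned, and that jail.conf is only re-expanded on the events wired in createlinks (network-create/delete, remoteaccess-update), so if ExternalIP is dynamic confirm an address change triggers one of them. The comment reads better as `# also whitelist the WAN address when ExternalIP is set`. The fragment's enclosing block starts before this hunk.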
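Review bot: `next unless (length $addr);` only drops items that are completely empty (a trailing `,` or `;`), so an entry padded with spaces, `1.2.3.4, 5.6.7.8`, still reaches `ipv4_parse(" 5.6.7.8")`, and whether Net::IPv4Addr tolerates surrounding whitespace is not visible here. Trimming first, `$addr =~ s/^\s+|\s+$//g;` right after `my $addr = $_;`, makes the length test cover whitespace-only entries as well. If ipv4_parse croaks on an unparsable entry (I believe it does), one bad admin value aborts expansion of the whole jail.conf, so a warn-and-skip around that call would degrade more gracefully than losing every jail. The foreach body continues past the end of the hunk.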
diff --git a/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd b/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd
index bf68d9f..d57c915 100644
--- a/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd
+++ b/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd
@@ -7,6 +7,8 @@ my @ports = ();
 push @ports, ($qpsmtpd{'TCPPort'} || '25');
 push @ports, ($sqpsmtpd{'TCPPort'} || '465')
 if (($sqpsmtpd{'status'} || 'disabled') eq 'enabled');
+push @ports, ($uqpsmtpd{'TCPPort'} || '587')
+ if ((usqpsmtpd{'status'} || 'disabled') eq 'enabled');
 my $port = join (",", @ports);
 my $max = $maxretry*3;
@@ -16,7 +18,7 @@ $OUT .=<<"EOF";
 [qpsmtpd]
 enabled = true
 filter = qpsmtpd
-logpath = /var/log/*qpsmtpd/current
+logpath = /var/log/*qpsmtpd/*qpsmtpd.log
 maxretry = $max
 action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
 EOF
diff --git a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban
index 4a202d5..bc5b581 100644
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban
@@ -1,6 +1,21 @@
 {
 my $f2bdb = esmith::ConfigDB->open_ro('fail2ban') || esmith::ConfigDB->create('fail2ban');
+
+ # to allow reload without locking just after initial install or if chain has been deleted
+ $OUT .=<<'EOF';
+ iptables -n --list Fail2Ban >/dev/null 2>&1
+ test=$?
+ if [[ $test -eq 1 ]] ; then
+ # A blacklist chain for xtables-addons Fail2Ban
+ /sbin/iptables --new-chain Fail2Ban
+ /sbin/iptables --new-chain Fail2Ban_1
+ /sbin/iptables --append Fail2Ban -j Fail2Ban_1
+ /sbin/iptables --insert INPUT 1 \
+ -j Fail2Ban
+ fi
+EOF
+
 # Find the current Fail2Ban_$$ chain, and create a new one.
 $OUT .=<<'EOF';
 OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find)
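Review bot: The new guard `if ((usqpsmtpd{'status'} || 'disabled') eq 'enabled');` is missing its sigil and spells the hash differently from the `$uqpsmtpd{'TCPPort'}` it is meant to pair with; as a bareword followed by a block it cannot evaluate as the intended hash lookup under strict, so the fragment fails to compile and 587 is never added to `$port` for the ban action (and depending on how the template processor treats a failing fragment, the whole `[qpsmtpd]` stanza may be absent, meaning no SMTP bans at all). It should read `if (($uqpsmtpd{'status'} || 'disabled') eq 'enabled');`, mirroring the sqpsmtpd line two lines up. Inspecting the expanded /etc/fail2ban/jail.conf on a test box for the `[qpsmtpd]` section and its port list would catch this class of error before release.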
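Review bot: `logpath = /var/log/*qpsmtpd/*qpsmtpd.log` points the jail at a different log file than the multilog `current` it replaces, but `filter = qpsmtpd` is unchanged; if that filter's failregex or date pattern was written for the old file's line format it will simply stop matching, which fail2ban reports only as zero hits rather than an error, silently disabling brute-force protection on SMTP. Verify with `fail2ban-regex` against one of the files the new glob matches and the qpsmtpd filter, and add a line above logpath such as `# qpsmtpd now logs to *qpsmtpd.log; filter.d/qpsmtpd must match that format` so the coupling is visible. The heredoc this hunk edits is opened on the `$OUT .=<<"EOF";` line just before the hunk.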
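Review bot: `if [[ $test -eq 1 ]]` treats only exit status 1 of `iptables -n --list Fail2Ban` as "chain missing"; any other failure, such as the xtables lock being held by a concurrent fail2ban reload (a different non-zero status on the iptables versions I know), is read as "chain present" and the chain is not created, which is the very reload race the comment says this block addresses. Two smaller issues sit alongside: the probe calls `iptables` from PATH while the rules use `/sbin/iptables`, and when the chain exists but the `INPUT -j Fail2Ban` jump has been removed nothing restores it. Negating the probe directly and checking the jump on its own covers all three; `-C` needs a reasonably recent iptables (present on CentOS 7 as far as I know, confirm on the target), and adding `-w` to each call would make them wait for the lock instead of failing. Whether `Fail2Ban_1` is the name the `get_safe_id Fail2Ban filter find` below expects is not visible in this hunk, and the enclosing template block runs past it.

```perl
    $OUT .=<<'EOF';
    if ! /sbin/iptables -n --list Fail2Ban >/dev/null 2>&1 ; then
        # A blacklist chain for xtables-addons Fail2Ban
        /sbin/iptables --new-chain Fail2Ban
        /sbin/iptables --new-chain Fail2Ban_1
        /sbin/iptables --append Fail2Ban -j Fail2Ban_1
    fi
    # restore the INPUT jump if it has gone missing, independently of the chain
    /sbin/iptables -C INPUT -j Fail2Ban >/dev/null 2>&1 || \
        /sbin/iptables --insert INPUT 1 -j Fail2Ban
EOF
```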
diff --git a/smeserver-fail2ban-0.1.18.tar.xz b/smeserver-fail2ban-0.1.18.tar.xz
deleted file mode 100644
index 8f250a3..0000000
Binary files a/smeserver-fail2ban-0.1.18.tar.xz and /dev/null differ
diff --git a/smeserver-fail2ban.spec b/smeserver-fail2ban.spec
index 34920b8..0ee43d9 100644
--- a/smeserver-fail2ban.spec
+++ b/smeserver-fail2ban.spec
@@ -1,5 +1,5 @@
 %define version 0.1.18
-%define release 35
+%define release 36
 %define name smeserver-fail2ban
 Summary: fail2ban integration on SME Server
@@ -10,7 +10,6 @@ Epoch: 9
 License: GPL
 Group: Networking/Daemons
 Source: %{name}-%{version}.tar.xz
-patch25: smeserver-fail2ban-0.1.18-locale-2024-09-05.patch
 BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
 BuildArchitectures: noarch
@@ -26,6 +25,14 @@ AutoReqProv: no
 Configure fail2ban on SME Server
 %changelog
+* Fri Sep 26 2025 Jean-Philippe Pialasse 0.1.18-36.sme
+- fix spec file [SME: 13172]
+- fix 05IgnoreIP fragment [SME: 12453]
+- whitelist wan ip [SME: 12199]
+- create Fail2ban chain if missing on reloading firewall [SME: 10786]
+- update qpsmtpd logs path
+- fix createlinks
+
 * Tue Sep 23 2025 Brian Read 0.1.18-35.sme
 - Change $config to config in layout file(s) [SME: 13171]