Maybe there could be a page in the dovecot wiki about Fail2Ban? A definitive Dovecot / Fail2ban resource would be useful. (If nobody else creates one in a week, perhaps I will. But I have to perfect my Fail2banning first ...)

I couldn't figure out how to add new pages to wiki.dovecot.org, but here is what I have come up with for an easy Fail2ban recipe:

---

Configuring Fail2Ban with Dovecot


1) Make sure your dovecot "log_path" string is empty, in other words allow syslog to do your Dovecot logging (into the default mail log). This ensures that the log entries will be in a format Fail2ban can work with.


2) In your Fail2ban "jail.conf" file (most likely /etc/fail2ban/jail.conf), add entries like the following:

[dovecot-pop3]
enabled  = true
filter   = dovecot-pop3
action   = iptables[name=POP3, port=pop3, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 20
bantime  = 1200

[dovecot-imap]
enabled  = true
filter   = dovecot-imap
action   = iptables[name=IMAP, port=imap, protocol=tcp]
logpath  = /var/log/maillog
maxretry = 20
bantime  = 1200

This arrangement is designed to trap POP3 and IMAP separately, and also to allow a high number of errors before temporarily "jailing" a user. This is to decrease the likelihood that a single user from a single IP will get all his coworkers (temporarily) banned over an honest mistake in configuration.


3) Create a jail called dovecot-pop3.conf (most likely as /etc/fail2ban/filter.d/dovecot-pop3.conf):

[Definition]

failregex = (?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*
           (?: pop3-login: Aborted login).*rip=(?P<host>\S*),.*
           (?: pop3-login: Disconnected).*rip=(?P<host>\S*),.*

ignoreregex =


4) Create a jail called dovecot-imap.conf (most likely as /etc/fail2ban/filter.d/dovecot-imap.conf):

[Definition]

failregex = (?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*
           (?: imap-login: Aborted login).*rip=(?P<host>\S*),.*
           (?: imap-login: Disconnected).*rip=(?P<host>\S*),.*

ignoreregex =


5)   Restart Fail2ban.
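
The following is an added example, not part of the original post: a Python check that runs the failregex patterns from steps 3 and 4 over constructed syslog lines and reports which hosts reach the maxretry of 20. The sample lines, addresses and function names are assumptions made for illustration, and Fail2ban's time window (the findtime setting, not shown in the post) is ignored.

```python
import re
from collections import Counter

MAXRETRY = 20  # value used in both jail entries in the post
EVENTS = ("Authentication failure", "Aborted login", "Disconnected")

def build(proto):
    # Rebuilds the three failregex lines of the post's filter for one protocol.
    return [re.compile(rf"(?: {proto}-login: {e}).*rip=(?P<host>\S*),.*")
            for e in EVENTS]

FILTERS = {"dovecot-pop3": build("pop3"), "dovecot-imap": build("imap")}

def make_sample():
    # Constructed log lines (documentation-range addresses), not real logs.
    tail = "method=PLAIN, rip={ip}, lip=192.0.2.10"
    lines = [f"Jan  5 10:00:{i:02d} mail dovecot: pop3-login: Aborted login: "
             f"user=<bob>, " + tail.format(ip="203.0.113.5") for i in range(20)]
    lines += [f"Jan  5 10:01:{i:02d} mail dovecot: imap-login: Disconnected: "
              f"user=<alice>, " + tail.format(ip="198.51.100.7") for i in range(19)]
    # A successful login must not count as a failure.
    lines.append("Jan  5 10:01:30 mail dovecot: imap-login: Login: "
                 "user=<alice>, " + tail.format(ip="198.51.100.7"))
    # rip= as the last field, with no trailing comma: the patterns miss it.
    lines.append("Jan  5 10:02:00 mail dovecot: pop3-login: Disconnected: "
                 "rip=203.0.113.9")
    return lines

def count_failures(lines):
    # Count matching lines per (jail, host); one hit per line per jail.
    counts = Counter()
    for line in lines:
        for jail, patterns in FILTERS.items():
            for pattern in patterns:
                m = pattern.search(line)
                if m:
                    counts[(jail, m.group("host"))] += 1
                    break
    return counts

def would_ban(lines):
    # Hosts whose failure count reaches maxretry in the given lines.
    return sorted(k for k, n in count_failures(lines).items() if n >= MAXRETRY)

if __name__ == "__main__":
    for key, n in sorted(count_failures(make_sample()).items()):
        print(key, n)
    print("would ban:", would_ban(make_sample()))
```

Running the same kind of check against lines from your own mail log shows whether your Dovecot version's log format matches the patterns before you rely on the jails.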
