[Dovecot] Account lockout option?

Ed W lists at wildgooses.com
Thu Mar 19 23:18:09 EET 2009


WJCarpenter wrote:
>
>> Is there any option available for me to help inhibit/prevent 
>> brute-force login attempts?
>
> I (and many others) use fail2ban.  It works outside of dovecot, et al, 
> by tailing your log files.  When it finds a configurable 


Just to document that solution.  This watches postfix AND dovecot logs 
since I found botnets slowly trying both alternately.


Create filter.d/mail.conf

 >>>>>>>>>>>>>>>>>
[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Match:
# Mar  2 15:07:09 mail1 dovecot: auth(default): digest-md5(blah@asdf.com,212.183.136.194): password mismatch
# Feb 26 19:32:52 mail1 dovecot: auth-worker(default): sql(blah@asdf.com,212.227.250.38): unknown user
# Mar  2 14:45:16 mail1 postfix/smtpd[27401]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed:
#
# Both patterns belong to ONE failregex value, one pattern per line with the
# continuation line indented; a second "failregex =" key would replace the
# first instead of adding to it. The Postfix pattern is not anchored with "$"
# because Postfix may log ": <reason>" after "failed" (the sample line above
# ends with a colon), and "failed$" would never match such lines.
failregex = : warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
            dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
 >>>>>>>>>>>>>>>>>>


Then in jail.conf add lines like:

[mail-iptables]

enabled  = true
# filter.d/mail.conf from above
filter   = mail
# Ban the host on every mail port, then mail a whois report to the postmaster.
# The second action is a continuation line of the same "action" value and must
# stay indented.
action   = iptables-multiport-log[name=mail, port="smtp,smtps,submission,imap,imaps,pop3,pop3s", protocol=tcp]
           sendmail-whois[name=mail, dest=postmaster@yourdomain.com, sender=fail2ban@yourdomain.com]
# Postfix and Dovecot both log here, so one jail covers both daemons.
logpath  = /var/log/mail.log
# Seconds the ban stays in place.
bantime  = 3600



Hope this helps

Ed W
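The filter and jail above, exercised in code as an added example that is not part of Ed's post or of fail2ban itself: the two failregex patterns are applied to a constructed sample of mail.log (not a real capture) with `<HOST>` expanded the way the filter comments describe, and a small maxretry/findtime counter emulates the jail's decision to ban. The function names, the sample hosts and the maxretry=5 / findtime=600 defaults are assumptions chosen for this example.

```python
"""Run the 'mail' filter's failregex over sample log lines and apply
jail-style maxretry/findtime counting.  Added example; not fail2ban code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# What fail2ban substitutes for the <HOST> tag (the alias quoted in the filter).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines of filter.d/mail.conf.  The Postfix pattern has no
# trailing '$' because Postfix may append ': <reason>' after 'failed'.
FAILREGEX = [
    r": warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
    r"dovecot: auth.*\(.*,<HOST>\): (unknown user|password mismatch)$",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_RE)) for rx in FAILREGEX]

# Constructed sample of /var/log/mail.log (not a real capture): one host
# alternating between Dovecot and Postfix, a legitimate user with a typo,
# a slow host with two failures far apart, and a successful login as noise.
SAMPLE_LOG = """\
Mar  2 15:07:09 mail1 dovecot: auth(default): digest-md5(blah@asdf.com,212.183.136.194): password mismatch
Mar  2 15:07:20 mail1 postfix/smtpd[27401]: connect from unknown[212.183.136.194]
Mar  2 15:07:21 mail1 postfix/smtpd[27401]: warning: unknown[212.183.136.194]: SASL PLAIN authentication failed: authentication failure
Mar  2 15:07:30 mail1 dovecot: auth-worker(default): sql(admin@asdf.com,212.183.136.194): unknown user
Mar  2 15:07:41 mail1 postfix/smtpd[27401]: warning: unknown[212.183.136.194]: SASL LOGIN authentication failed
Mar  2 15:07:55 mail1 dovecot: auth(default): plain(root@asdf.com,212.183.136.194): password mismatch
Mar  2 15:08:02 mail1 dovecot: imap-login: Login: user=<bob@asdf.com>, method=PLAIN, rip=10.0.0.7, lip=10.0.0.1
Mar  2 15:08:10 mail1 dovecot: auth(default): plain(bob@asdf.com,10.0.0.7): password mismatch
Mar  2 15:08:31 mail1 postfix/smtpd[27402]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL CRAM-MD5 authentication failed
Mar  2 16:30:00 mail1 postfix/smtpd[27402]: warning: c70-165.i07-18.onvol.net[92.251.70.165]: SASL PLAIN authentication failed
"""


def match_failure(line):
    """Return the offending host if LINE matches any failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def syslog_time(line):
    """Parse the leading 'Mon DD HH:MM:SS' syslog stamp.  Syslog carries no
    year; the default year is fine for comparing lines within one file."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def count_failures(log_text):
    """Total matched failures per host, regardless of timing."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def hosts_to_ban(log_text, maxretry=5, findtime=600):
    """Emulate the jail: a host is banned once it has maxretry matched
    failures within a sliding findtime-second window (defaults assumed)."""
    window = timedelta(seconds=findtime)
    attempts = defaultdict(list)
    banned = []
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is None:
            continue
        ts = syslog_time(line)
        recent = [t for t in attempts[host] if ts - t <= window] + [ts]
        attempts[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("failures per host:", count_failures(SAMPLE_LOG))
    print("banned:", hosts_to_ban(SAMPLE_LOG))
```

The sliding window is what makes the slow host harmless: 92.251.70.165 fails twice, but 82 minutes apart, so with the defaults it never reaches maxretry within findtime, while 212.183.136.194 is banned on its fifth failure in under a minute even though those failures are spread across both daemons.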

