Maybe there could be a page in the dovecot wiki about Fail2Ban? A definitive Dovecot / Fail2ban resource would be useful. (If nobody else creates one in a week, perhaps I will. But I have to perfect my Fail2banning first ...)
I couldn't figure out how to add new pages to wiki.dovecot.org, but here is what I have come up with for an easy Fail2ban recipe:
Configuring Fail2Ban with Dovecot
Make sure your dovecot "log_path" string is empty, in other words allow syslog to do your Dovecot logging (into the default mail log).
This ensures that the log entries will be in a format Fail2ban can work with. In your Fail2ban "jail.conf" file (most likely /etc/fail2ban/jail.conf), add entries like the following:
[dovecot-pop3]
enabled = true
filter = dovecot-pop3
action = iptables[name=POP3, port=pop3, protocol=tcp]
logpath = /var/log/maillog
maxretry = 20
bantime = 1200

[dovecot-imap]
enabled = true
filter = dovecot-imap
action = iptables[name=IMAP, port=imap, protocol=tcp]
logpath = /var/log/maillog
maxretry = 20
bantime = 1200
This arrangement is designed to trap POP3 and IMAP separately, and also to allow a high number of errors before temporarily "jailing" a user. This is to decrease the likelihood that a single user from a single IP will get all his coworkers (temporarily) banned over an honest mistake in configuration.
- Create a filter called dovecot-pop3.conf (most likely as /etc/fail2ban/filter.d/dovecot-pop3.conf):
[Definition]
failregex = (?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: pop3-login: Aborted login).*rip=(?P<host>\S*),.*
            (?: pop3-login: Disconnected).*rip=(?P<host>\S*),.*
ignoreregex =
- Create a filter called dovecot-imap.conf (most likely as /etc/fail2ban/filter.d/dovecot-imap.conf):
[Definition]
failregex = (?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*
            (?: imap-login: Aborted login).*rip=(?P<host>\S*),.*
            (?: imap-login: Disconnected).*rip=(?P<host>\S*),.*
ignoreregex =
- Restart Fail2ban.
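As an added example (not part of the original post), the Python below applies the three imap-login failregex patterns from the dovecot-imap filter to a few constructed maillog lines and counts hits per rip= host against the jail's maxretry value, which is roughly what Fail2ban does before deciding to ban. The log lines are constructed in Dovecot's syslog format and the IP addresses are documentation ranges, not real traffic.

```python
import re
from collections import Counter

# The three failregex patterns from the dovecot-imap filter, unchanged.
FAILREGEX = [
    r"(?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Aborted login).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Disconnected).*rip=(?P<host>\S*),.*",
]
MAXRETRY = 20  # from the [dovecot-imap] jail entry
_COMPILED = [re.compile(p) for p in FAILREGEX]

# Constructed maillog excerpts (not real traffic): 20 failed logins from one
# host, one successful login, and one connection that never tried to authenticate.
SAMPLE_LOG = (
    ["Jan  1 10:00:%02d mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): "
     "user=<bob>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS" % s for s in range(20)]
    + ["Jan  1 10:01:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
       "rip=192.0.2.20, lip=198.51.100.5, TLS",
       "Jan  1 10:01:05 mail dovecot: imap-login: Disconnected (no auth attempts): "
       "rip=192.0.2.30, lip=198.51.100.5, TLS"]
)


def match_host(line):
    """Return the rip= host the filter would extract, or None if no failregex matches."""
    for rx in _COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Tally failregex hits per host and return those at or above maxretry."""
    counts = Counter()
    for line in lines:
        host = match_host(line)
        if host:
            counts[host] += 1
    return {h: n for h, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # {'192.0.2.10': 20}
```

Note that the "Disconnected" pattern also counts the connection that made no authentication attempt, so a client that merely opens and closes IMAP connections accumulates hits too; this is one reason the generous maxretry above is a sensible trade-off against banning legitimate users.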