Yeah. I don't know what I was thinking when I made it work like that.
I know what you were thinking: if dovecot is writing to a log such as "mylogfile.log", and other utilities are also writing to "mylogfile.log", it's good to know which lines are dovecot.
But I am satisfied with using syslog logging; it just should be recorded somewhere that syslog is required for compatibility with Fail2Ban. I tried to edit wiki.dovecot.org with this information, but was too incompetent to figure out how to add a page. If I had to create a page with Fail2Ban instructions, it would look like:
- Make sure that /etc/dovecot.conf does not have any "log_path" variable set. We need dovecot.conf to use the default system logging so the log is written in a format that fail2ban can work with.

- Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf:

    [Definition]
    failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
    ignoreregex =

- Add the following to /etc/fail2ban/jail.conf:

    [dovecot-pop3imap]
    enabled  = true
    filter   = dovecot-pop3imap
    action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
    logpath  = /var/log/maillog
    maxretry = 20
    findtime = 1200
    bantime  = 1200
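The following is an added example, not part of the original message or of fail2ban itself. It takes the failregex from the proposed filter verbatim and runs it over a few constructed syslog-format dovecot lines, then applies the jail's maxretry/findtime logic with a sliding window so you can check which source addresses the jail would ban before enabling it. The timestamps, hostnames, user names and addresses in SAMPLE_LOG are constructed; the failure_counts and hosts_to_ban helpers are assumptions made for this example and are only a rough imitation of fail2ban's own counting.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex copied from the proposed dovecot-pop3imap.conf filter.
# Python's re supports the (?P<host>...) named group directly.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): "
    r"(?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)

# Syslog timestamp prefix as written by the system logger, e.g. "Mar  3 10:15:01".
# This prefix is what the filter relies on, which is why dovecot must log via
# syslog (no log_path) rather than to its own file.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed sample lines (not real log data): three failures from one
# address, one from another, one successful login and one unrelated sshd line.
SAMPLE_LOG = """\
Mar  3 10:15:01 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Mar  3 10:15:09 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Mar  3 10:15:12 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2, TLS
Mar  3 10:15:20 mail dovecot: imap-login: Authentication failure: user=<carol>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.2
Mar  3 10:15:30 mail dovecot: imap-login: Authentication failure: user=<root>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
Mar  3 10:15:31 mail sshd[123]: Failed password for root from 203.0.113.5 port 4444 ssh2
"""


def parse_line(line):
    """Return (timestamp, host) if the filter matches this line, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    t = SYSLOG_TS.match(line)
    if not t:
        return None
    # Syslog omits the year; strptime defaults it to 1900, which is fine for
    # computing differences between timestamps inside one window.
    ts = datetime.strptime(t.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("host")


def failure_counts(log_text):
    """Number of matching lines per source address over the whole log."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def hosts_to_ban(log_text, maxretry=20, findtime=1200):
    """Addresses that reach maxretry matches within any findtime-second window.

    Defaults mirror the proposed jail section (maxretry = 20, findtime = 1200).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, host = parsed
            events[host].append(ts)
    banned = set()
    for host, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most findtime.
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print("failures per host:", failure_counts(SAMPLE_LOG))
    print("would ban (maxretry=3):", hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

Successful logins and lines from other daemons sharing /var/log/maillog are ignored because the regex anchors on the dovecot login-process names and the failure phrases, and the ban decision depends only on the syslog timestamp prefix plus the rip= field, which is why a custom log_path format breaks the jail.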