Quoting David Ford <david@blue-labs.org>:
I'm not a proponent of fail2ban as I think going straight to the horse's mouth is wiser (keep it all in iptables in the first place).
I'm not a fan of fail2ban (tail/grep a log file, really?) but there are other options which do this kind of thing "better" and still allow iptables/routing to handle the issue.
I agree with Stan that your VPS provider is on the Wal-Mart list. If no other solution avails, code up a quick little ditty that does the actual socket listen. If the incoming IP matches an allow list, hand it off to dovecot as an exec(), if not, deal with it as you see fit - normally, dropping the packet on the floor.
That is a fine solution, if it meets their "package" requirements. If not, then something like pam_shield or a similar package may do. But even then, those types of packages may not meet the site's packaging requirements.
I can't believe a company with a packaging requirement runs Fedora though. That seems incongruous to me... Seems like they only have half a clue...
-david
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
Go Longhorns!
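
The allow-list listener suggested in the quoted message, sketched as an added example that is not code from this thread: it accepts the connection, checks the peer against an allow list, and hands allowed clients to a handler inetd-style. The networks, port 1143 and the handler path are constructed placeholders, and the handler is assumed to speak IMAP on stdin/stdout.

```python
import ipaddress
import os
import signal
import socket

# Constructed sample allow list (documentation ranges, not from the thread).
ALLOW = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
# Hypothetical placeholder: the inetd-style IMAP handler the site would exec.
HANDLER = ["/path/to/imap-handler"]


def is_allowed(peer, allow=ALLOW):
    """Return True if the peer address is inside any allow-listed network."""
    try:
        addr = ipaddress.ip_address(peer.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return False  # unparsable peer: fail closed
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; unwrap
    # them so the IPv4 entries in the allow list still match.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in allow)


def serve(host="::", port=1143):  # port is an assumption for the example
    srv = socket.create_server((host, port), family=socket.AF_INET6,
                               dualstack_ipv6=True)
    signal.signal(signal.SIGCHLD, signal.SIG_IGN)  # let the kernel reap children
    while True:
        conn, peer = srv.accept()
        if not is_allowed(peer[0]):
            # The TCP handshake has already completed here; a userspace
            # listener can only close. A silent packet drop needs iptables.
            conn.close()
            continue
        if os.fork() == 0:
            try:
                os.dup2(conn.fileno(), 0)  # socket becomes the handler's stdin
                os.dup2(conn.fileno(), 1)  # and its stdout
                os.execv(HANDLER[0], HANDLER)
            finally:
                os._exit(1)  # reached only if exec failed
        conn.close()  # parent keeps listening; the child owns the socket


if __name__ == "__main__":
    serve()
```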