[Dovecot] Fail2Ban and the Dovecot log
Lou Duchez
lou at paprikash.com
Sun May 17 22:28:36 EEST 2009
> Yeah. I don't know what I was thinking when I made it work like that.
>
I know what you were thinking: if dovecot is writing to a log such as
"mylogfile.log", and other utilities are also writing to
"mylogfile.log", it's good to know which lines are dovecot.
But I am satisfied with using syslog logging; it just should be recorded
somewhere that syslog is required for compatibility with Fail2Ban. I
tried to edit wiki.dovecot.org with this information, but was too
incompetent to figure out how to add a page. If I had to create a page
with Fail2Ban instructions, it would look like:
1) Make sure that /etc/dovecot.conf does not have any “log_path”
variable set. We need dovecot.conf to use the default system logging so
the log is written in a format that fail2ban can work with.
2) Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf:
[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =
3) Add the following to /etc/fail2ban/jail.conf:
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200
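
Added example, not part of the original post: a quick offline check of the filter in step 2 and the thresholds in step 3 against syslog-format lines. The sample log lines, the year, and the function names are constructed for illustration; the addresses are from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from step 2, joined onto a single line.
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): (?:Authentication failure"
    r"|Aborted login \(auth failed|Disconnected \(auth failed)"
    r".*rip=(?P<host>\S*),.*"
)
MAXRETRY, FINDTIME = 20, 1200  # values from the jail in step 3

def failures(lines, year=2009):
    """Yield (timestamp, host) for every line the filter would count."""
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            # Syslog timestamps carry no year; an assumed one is supplied.
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("host")

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return hosts reaching maxretry failures inside a findtime window."""
    recent, banned = defaultdict(deque), []
    for ts, host in failures(lines):
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample: 20 failures from one host, then one failure and one
# successful login from another host.
SAMPLE = [
    "May 17 22:00:%02d mail dovecot: pop3-login: Aborted login (auth failed, "
    "1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10" % s
    for s in range(20)
] + [
    "May 17 22:01:00 mail dovecot: imap-login: Disconnected (auth failed, "
    "2 attempts): user=<amy>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10",
    "May 17 22:01:05 mail dovecot: imap-login: Login: user=<amy>, "
    "method=PLAIN, rip=198.51.100.9, lip=192.0.2.10",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```
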