Postfix, Dovecot+Fail2ban

Madd00x

Hello, I'm trying to secure my future mail server. Is this Fail2ban configuration OK?
[DEFAULT]
#destemail = [email protected]
#sender = [email protected]
#sendername = Fail2Ban
#mta = sendmail
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 10d
findtime = 10m
maxretry = 3
maxmatches = %(maxretry)s
backend = systemd
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(name)s[mode=%(mode)s]
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail
protocol = tcp
chain = input
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = nftables-multiport
banaction_allports = nftables-allports
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 60d
dbpurgeage = 30d
bantime.rndtime = 30m

[sshd]
enabled = true
port = 2157
backend = systemd
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
mode = aggressive


[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
ignoreip = 127.0.0.1/8 192.168.1.0/24
journalmatch = _SYSTEMD_UNIT=[email protected]
maxretry = 3
bantime.increment = true
bantime.factor = 2

[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
port = smtp,submission,imap,imaps,pop3,pop3s
maxretry = 3
bantime = 12h
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 5w
action = %(action_)s
journalmatch = _SYSTEMD_UNIT=[email protected]
logpath = /var/log/mail.log

[recidive]
backend = systemd
logpath = /var/log/fail2ban.log
enabled = true
maxretry = 2
banaction = nftables-allports

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3

Fail2ban is working perfectly with SSH.

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 185.156.xxxxx 5.90.xxxxx
 


Suggestions for Improvement
1. Email Notifications
You're using:
destemail = root@localhost
sender = root@<fq-hostname>
mta = sendmail

If you want to receive real alerts, consider setting destemail to a real external address (e.g., [email protected]) and configuring sendmail or ssmtp to relay externally.
Also, uncomment and set sendername for clarity in email headers.

2. Port Range in DEFAULT
port = 0:65535

This is very broad and may cause unintended bans. Consider removing it from [DEFAULT] and specifying ports per jail.

3. Postfix Jails

You’re using filter = postfix[mode=auth] in both postfix and postfix-sasl. That’s fine if you want to catch auth failures, but make sure your filter file (postfix.conf) supports mode=auth. You might want to split them more clearly or use custom filters if needed.

4. Dovecot Jail

You might want to add:

journalmatch = _SYSTEMD_UNIT=dovecot.service

Also consider setting bantime, bantime.increment, and bantime.factor here for consistency.

5. Enabled Flag in DEFAULT

enabled = false

This doesn’t affect individual jails, but it’s good practice to remove or set it to true if you want to enable jails by default.


Your SSH Jail Status
Looks great:
Currently banned: 2
Total banned: 2
That means Fail2Ban is actively protecting your SSH service.

Final Thoughts
You're clearly on the right track. If you're planning to deploy this on a production mail server, I’d recommend:

Testing email alerts.
Reviewing your filter files (/etc/fail2ban/filter.d/) to ensure they match your log formats.
Monitoring /var/log/fail2ban.log for any unexpected behavior.
 
Hello, thanks for spending time answering. Very appreciated.

1 - Email Notifications
I'm waiting for a static IP; that's why it is still commented out (#).

2 - Port Range in DEFAULT
port = 0:65535
I wrote it in [DEFAULT] because, in case of intrusion attempts, the IP is banned on all ports and all services. Am I wrong?
How would you set it for each service?

3 - Postfix Jails

Supported.
/etc/fail2ban/filter.d/postfix.conf
mdpr-auth = warning:
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)

4 - "You might want to add:"

Done.
[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3
journalmatch = _SYSTEMD_UNIT=dovecot.service

5 - "Enabled Flag in DEFAULT"

Done
enabled = true
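To confirm that the postfix.conf auth rule quoted above actually matches the server's mail.log format (point 3 and the closing advice to review the filter files), here is an added example that is not from the thread or from fail2ban itself: it replays the mdre-auth regex over constructed log lines and applies the jail's maxretry/findtime rule. It assumes <HOST> expands to an IPv4 capture and %(_port)s to an optional ":port" suffix; the sample lines and the helper names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# <HOST> expanded to an IPv4 capture and %(_port)s to an optional ":port"
# (assumptions); (?i:...) replaces fail2ban's ((?i)...) group, which newer
# Python versions reject when it is not at the start of the pattern.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PORT = r"(?::\d+)?"
PREFIX = "warning: "  # mdpr-auth = warning:
MDRE_AUTH = re.compile(
    r"^[^[]*\[" + HOST + r"\]" + PORT
    + r": SASL (?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:"
    r"(?! Connection lost to authentication server| Invalid authentication mechanism)"
)

# Constructed sample lines in Debian syslog format (not real traffic).
MAIL_LOG = """\
Jun 25 10:00:00 mail postfix/smtpd[1250]: warning: unknown[192.0.2.9]: SASL CRAM-MD5 authentication failed: authentication failure
Jun 25 10:00:01 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 25 10:00:05 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jun 25 10:00:09 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: Invalid authentication mechanism
Jun 25 10:00:12 mail postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 25 10:00:20 mail postfix/submission/smtpd[1240]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: Connection lost to authentication server
Jun 25 10:05:00 mail postfix/smtpd[1251]: warning: unknown[192.0.2.9]: SASL cram-md5 authentication failed: authentication failure
Jun 25 10:14:00 mail postfix/smtpd[1252]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

def failures(log_text):
    """Yield (timestamp, host) for each line the auth filter matches."""
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(PREFIX)  # the rule runs on the text after the prefix
        m = MDRE_AUTH.match(rest) if rest else None
        if m:
            yield datetime.strptime(stamp[:15], "%b %d %H:%M:%S"), m.group("host")

def hosts_to_ban(log_text, maxretry=3, findtime_min=10):
    """Hosts that reach maxretry matches inside a sliding findtime window."""
    findtime = timedelta(minutes=findtime_min)
    recent, banned = defaultdict(list), set()
    for stamp, host in failures(log_text):
        recent[host] = [t for t in recent[host] if stamp - t <= findtime] + [stamp]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    for host in sorted(hosts_to_ban(MAIL_LOG)):
        print("would ban", host)
```

The "Invalid authentication mechanism" and "Connection lost" lines are skipped by the negative lookahead, so 198.51.100.7 is never counted, and 192.0.2.9 escapes only because its three failures do not fit inside the 10-minute findtime.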
 

