Fail2ban is not blocking repeated attemtps on postfix and dovecot

Avron · November 7, 2022, 4:35pm

I have this, every 2 seconds with a different “ruser”, from the same IP address:

Nov 07 16:31:20 fbox auth[4646]: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=kanker rhost=5.34.207.52

Also, I have this repeated every 2 seconds:
Nov 07 16:31:24 fbox postfix/smtpd[4605]: warning: unknown[5.34.207.55]: SASL LOGIN authentication failed: Connection lost to authentication server
Nov 07 16:31:24 fbox postfix/smtpd[4615]: warning: unknown[5.34.207.52]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

The IP addresses are 5.34.207.52 and 5.34.207.55.

Shouldn’t fail2ban block this?

sunil · November 7, 2022, 6:12pm

Fail2ban blocking postfix/dovecot login attempts has not been implemented yet.

nbenedek · November 17, 2022, 7:30pm

@Avron I submitted a merge request for this issue.

Ged296123 · March 3, 2024, 8:01am

Hi @nbenedek

I’m trying to understand fila2ban and how it works with the FBX mail suite. I came across a form thread here and just out of curiosity; is there a reason you only preferred to integrate fail2ban with dovecot and omitted postfix (or is just adding dovecot sufficient)?

Thanks.

nbenedek · March 3, 2024, 9:50am

Hi, yes, adding a jail forr Dovecot is sufficient enough.