
Fail2ban for Postfix & Dovecot (stop SMTP/IMAP brute force)

3 min · updated June 14, 2026

A public mail server gets relentless SMTP and IMAP login attempts. Fail2ban ships built-in filters for Postfix and Dovecot; enable all three jails below (postfix, postfix-sasl and dovecot).

1. The jails

In /etc/fail2ban/jail.local:

[postfix]
enabled  = true
mode     = aggressive
port     = smtp,465,submission
logpath  = /var/log/mail.log
maxretry = 5
bantime  = 1h

[postfix-sasl]
enabled  = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = /var/log/mail.log
maxretry = 4
bantime  = 1h

[dovecot]
enabled  = true
port     = pop3,pop3s,imap,imaps,submission,465,sieve
logpath  = /var/log/mail.log
maxretry = 5
bantime  = 1h

On RHEL/CentOS the log is /var/log/maillog. On systemd-only mail hosts, drop logpath and add backend = systemd to each jail.

2. Reload

sudo fail2ban-client reload

3. Verify

# fail2ban 0.10+ has no filter.d/postfix-sasl.conf; the postfix-sasl jail uses the postfix filter in auth mode
fail2ban-regex /var/log/mail.log 'postfix[mode=auth]'
sudo fail2ban-client status dovecot

Tip: postfix-sasl (failed SMTP AUTH) is usually the highest-volume mail jail — it’s the one catching the password-spray bots. Keep its maxretry low.
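
To see what a given maxretry means for the postfix-sasl jail before tuning it, this added example (not part of the original recipe, and not fail2ban's own code) replays constructed log lines through a simplified failure pattern and a sliding time window. The regex, the sample lines, the would_ban helper and the 10-minute findtime (fail2ban's stock default, assumed unchanged because the jails above do not set it) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for a failed SMTP AUTH line; NOT fail2ban's own failregex.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\w+(?:/\w+)?\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+(?:-\w+)* authentication failed"
)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
Jun 14 03:00:00 mx1 postfix/smtpd[2190]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 14 03:11:00 mx1 postfix/smtpd[2204]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 14 03:12:01 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 14 03:12:09 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 14 03:12:15 mx1 postfix/submission/smtpd[2213]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed:
Jun 14 03:12:20 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 14 03:12:31 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 14 03:22:00 mx1 postfix/smtpd[2240]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 14 03:33:00 mx1 postfix/smtpd[2261]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()

def would_ban(lines, maxretry=4, findtime=timedelta(minutes=10), year=2026):
    """Return {ip: time of the failure that reaches maxretry within findtime}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m or m["ip"] in banned:
            continue
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[m["ip"]] = ts
    return banned

if __name__ == "__main__":
    for ip, ts in would_ban(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {ts:%H:%M:%S}")
```

With the default window only the fast client is banned; the client that fails once every 11 minutes never accumulates 4 failures, which is why a longer findtime matters as much as a low maxretry on this jail.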
