How to install a complete mailserver on Debian 8/9, featuring Postfix, Dovecot, MySQL, Spamassassin, ClamAV, Roundcube and Fail2ban.
~ the howto that actually works ~

Installation
Fail2ban reads logfiles and acts based on their entries. For example, it can recognize when someone has entered a wrong password six times in two minutes and lock them out for half an hour.
# aptitude install fail2ban
Have Fail2ban start automatically at boot:
# systemctl enable fail2ban.service
Copy the conf file to a local override file (settings in jail.local take precedence over jail.conf):
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
In /etc/fail2ban/jail.local set the following values:
backend = polling
(Alternatively set it to auto, but that made Fail2ban complain about pyinotify not being installed. That’s not a problem: Fail2ban just tries all options, but I don’t like complaints in my logfiles.)
mta = sendmail
destemail = your@email.here
Set action:
action_ = just ban
action_mw = ban and mail
action_mwl = ban and mail with whois report and relevant log lines
I suggest _mwl but change it to your needs.
action = %(action_mwl)s
Start Fail2ban:
# fail2ban-client start
If it was already running:
# service fail2ban restart
You should receive a mail notification at your specified e-mail address that Fail2ban has started.
Block random address spammers
Some spammers/phishers send mail to common e-mail addresses (john@; admin@) in the hope that these addresses exist. If a sender sends mail to a bunch of non-existent addresses at the same time, you may as well stop accepting mail from that sender.
In /etc/fail2ban/filter.d/postfix.conf add these lines under failregex:
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
(Source: http://www.fail2ban.org/wiki/index.php/Postfix)
In /etc/fail2ban/jail.local under [postfix] set
enabled = true
Users entering a wrong username/password combination for x times
This can indicate a brute-force attack. It’s up to you to decide if you want to use it. Personally I like to use it but set the limit higher than the default by adding
maxretry = 10
to the jail definition in /etc/fail2ban/jail.local.
For Roundcube:
In /etc/fail2ban/jail.local under [roundcube-auth] set
enabled = true
Also set
logpath = /var/log/roundcube/errors
In /etc/fail2ban/filter.d/roundcube-auth.conf set:
failregex = IMAP Error: (FAILED login|Login failed) for .*? from <HOST>
Likely someone will come up with a better regex to identify logon failures but for me this works.
For other imap clients:
In /etc/fail2ban/jail.local under [dovecot] set
enabled = true
Afterwards do
# service fail2ban reload
To manually unban a client, name the jail that banned it, for example:
# fail2ban-client set roundcube-auth unbanip 192.168.1.2
To manually check the status of the Fail2ban jails:
# fail2ban-client status roundcube-auth
# fail2ban-client status dovecot
# fail2ban-client status postfix
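To check that the Postfix and Roundcube failregex lines above match the log entries they are meant to catch, and nothing else, here is an added example that is not part of the original howto or of Fail2ban itself. It assumes an IPv4-only stand-in for the <HOST> tag, ignores findtime, and runs on constructed log lines; the function names are hypothetical.

```python
import re
from collections import Counter

# Simplified stand-in for Fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also matches hostnames and IPv6 addresses).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines as given on this page, keyed by jail name.
FAILREGEX = {
    "postfix": [
        r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",
        r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",
        r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",
    ],
    "roundcube-auth": [r"IMAP Error: (FAILED login|Login failed) for .*? from <HOST>"],
}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jan 10 12:00:01 mail postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <john@example.org>: Recipient address rejected: User unknown; from=<x@example.net> to=<john@example.org>
Jan 10 12:00:02 mail postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <admin@example.org>: Recipient address rejected: User unknown; from=<x@example.net> to=<admin@example.org>
Jan 10 12:00:03 mail postfix/smtpd[812]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.9]: 554 5.7.1 <a@example.com>: Relay access denied; from=<b@example.net> to=<a@example.com>
Jan 10 12:00:04 mail postfix/smtpd[813]: connect from mx.example.net[198.51.100.9]
[10-Jan-2017 12:01:00 +0100]: IMAP Error: Login failed for bob from 192.0.2.44. AUTHENTICATE PLAIN: Authentication failed. in rcube_imap.php on line 197
[10-Jan-2017 12:01:05 +0100]: IMAP Error: Login failed for bob from 192.0.2.44. AUTHENTICATE PLAIN: Authentication failed. in rcube_imap.php on line 197
"""


def count_failures(jail, log_text):
    """Count failregex hits per client IP for one jail."""
    patterns = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX[jail]]
    hits = Counter()
    for line in log_text.splitlines():
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                hits[match.group("host")] += 1
                break  # count each log line at most once
    return hits


def would_ban(jail, log_text, maxretry):
    """IPs whose hit count reaches maxretry (findtime is ignored here)."""
    hits = count_failures(jail, log_text)
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for jail in FAILREGEX:
        print(jail, dict(count_failures(jail, SAMPLE_LOG)))
```

On the server itself, the fail2ban-regex tool that ships with Fail2ban runs a real filter file against a real logfile and reports how many lines matched.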