How to install a complete mailserver on Debian 8/9, featuring Postfix, Dovecot, MySQL, Spamassassin, ClamAV, Roundcube and Fail2ban.
~ the howto that actually works ~
Part 1: Introduction
Part 2: Preparations: Apache, Let’s Encrypt, MySQL and phpMyAdmin
Part 3: MTA: Postfix
Part 4: IMAP server: Dovecot
Part 5: Web interface: Roundcube
Part 6: Spam filtering: SpamAssassin
Part 7: Antivirus: ClamAV and ClamSMTP
Part 8: Quota and other Roundcube settings
Part 9: Using mail with a remote IMAP client (e.g. Thunderbird)
Part 10: Counter brute-force attacks with Fail2ban
Part 11: Sources, config files, colouring and comments
Fail2ban reads log files and acts on their entries, by default by inserting an iptables rule against the offending address. For example, it can recognize that a client has entered a wrong password six times in two minutes and lock it out for half an hour.
# aptitude install fail2ban
Have Fail2ban start automatically at boot:
# systemctl enable fail2ban.service
Copy the shipped configuration to a local override file. Fail2ban reads jail.conf first and jail.local on top of it, so a jail.local that contains only the settings you change would work as well (and is easier to keep in step with package upgrades); this howto copies the whole file:
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
In /etc/fail2ban/jail.local, in the [DEFAULT] section, set the following values:
backend = polling
(auto works too: Fail2ban then tries the available backends in turn, but on this setup it complained in its log that pyinotify was not installed before falling back. That is not a problem, it just makes noise; polling keeps the log clean.)
mta = sendmail
destemail = email@example.com
action_ = ban only
action_mw = ban and send a mail
action_mwl = ban and send a mail with a whois report and the relevant log lines
These three are defined in jail.conf. I suggest _mwl, but note that it sends one mail per ban and needs the whois package installed for the report, so change it to your needs.
action = %(action_mwl)s
# fail2ban-client start
If it was already running:
# service fail2ban restart
You should receive a mail notification at your specified e-mail address that Fail2ban has started.
Block random address spammers
Some spammers/phishers send mail to common addresses (john@, admin@) in the hope that they exist. A sender that tries a bunch of non-existent addresses at once may as well be refused altogether.
In /etc/fail2ban/filter.d/postfix.conf add these lines under failregex (each on its own indented line, like the patterns already there):
reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
550 5.1.1 is Postfix's "user unknown" reply, the case described above. 554 5.7.1 covers relay attempts, RBL-listed clients and other hard policy rejections. 450 4.7.1 is a temporary rejection, for instance the default reply when reject_unknown_client_hostname cannot verify the client; a legitimate but misconfigured sender keeps retrying such mail, so with this line it can end up banned too. Leave it out if that matters to you.
Then in /etc/fail2ban/jail.local under [postfix] (section names are lower case) set
enabled = true
Users entering a wrong username/password combination x times
This can indicate a brute-force attack, and it is up to you whether you want to ban for it. The attempts are counted within findtime seconds and the ban lasts bantime seconds, both taken from jail.conf unless you override them. Personally I use it but set the limit higher than the default by adding
maxretry = 10
to the jail definition in /etc/fail2ban/jail.local (the roundcube-auth and dovecot jails below).
In /etc/fail2ban/jail.local under [roundcube-auth] set
enabled = true
logpath = /var/log/roundcube/errors
In /etc/fail2ban/filter.d/roundcube-auth.conf set:
failregex = IMAP Error: (FAILED login|Login failed) for .*? from <HOST>
Likely someone will come up with a better regex to identify logon failures, but this works for me; check it against a real failed login in that file before relying on it, since a pattern that never matches bans nobody.
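To see what the Postfix patterns above and this Roundcube pattern actually catch before switching the jails on, here is a small simulation. It is an added example, not part of this howto and not fail2ban's own code: it expands <HOST> the way fail2ban does (simplified), runs each jail's patterns over a few constructed log lines, and applies the "maxretry hits within findtime seconds" rule. The log lines, the year 2018 pinned for syslog lines, findtime = 600 and the maxretry values used are assumptions made for the example.

```python
"""Simulate fail2ban's failregex matching and the maxretry/findtime rule.

Added example for this howto; neither the author's code nor part of
fail2ban. Only what is needed to see what the page's patterns match is
re-implemented: <HOST> expansion (simplified), per-jail scanning of log
lines, and "ban when maxretry hits fall inside findtime seconds".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# one is more permissive). It must end in a word character so the trailing
# "." in "from 192.0.2.9." is not swallowed into the host.
HOST = r"(?P<host>[\w\-.:]*\w)"

# The three Postfix lines from this page, one pattern per failregex line.
POSTFIX_FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1",  # recipient unknown
    r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1",  # temporary reject
    r"reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1",  # relay denied / RBL
]
# The Roundcube pattern from this page.
ROUNDCUBE_FAILREGEX = [
    r"IMAP Error: (FAILED login|Login failed) for .*? from <HOST>",
]

# Constructed log lines, not real traffic. 198.51.100.7 probes guessed
# addresses; 203.0.113.5 is a legitimate sender without reverse DNS that
# retries after each 450; 192.0.2.9 fails two Roundcube logins.
MAIL_LOG = """\
Mar  3 10:00:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <john@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@spam.invalid> to=<john@example.com> proto=ESMTP helo=<spam.invalid>
Mar  3 10:00:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@spam.invalid> to=<admin@example.com> proto=ESMTP helo=<spam.invalid>
Mar  3 10:00:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <info@example.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<x@spam.invalid> to=<info@example.com> proto=ESMTP helo=<spam.invalid>
Mar  3 10:00:05 mail postfix/smtpd[1235]: connect from unknown[203.0.113.5]
Mar  3 10:00:05 mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<bob@partner.example> to=<alice@example.com> proto=ESMTP helo=<mx.partner.example>
Mar  3 10:04:35 mail postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<bob@partner.example> to=<alice@example.com> proto=ESMTP helo=<mx.partner.example>
Mar  3 10:09:05 mail postfix/smtpd[1237]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<bob@partner.example> to=<alice@example.com> proto=ESMTP helo=<mx.partner.example>
"""
ROUNDCUBE_ERRORS = """\
[03-Mar-2018 10:12:00 +0000]: <k3ho6fq1> IMAP Error: Login failed for alice from 192.0.2.9. AUTHENTICATE PLAIN: Authentication failed in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 196 (POST /?_task=login&_action=login)
[03-Mar-2018 10:12:09 +0000]: <k3ho6fq1> IMAP Error: Login failed for alice from 192.0.2.9. AUTHENTICATE PLAIN: Authentication failed in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 196 (POST /?_task=login&_action=login)
"""

SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
ROUNDCUBE_TS = re.compile(r"^\[(\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)")


def parse_time(line):
    """Timestamp of a syslog or Roundcube error-log line. Syslog lines carry
    no year; fail2ban assumes the current one, pinned to 2018 here."""
    m = SYSLOG_TS.match(line)
    if m:
        return datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2018)
    m = ROUNDCUBE_TS.match(line)
    if m:
        return datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    raise ValueError("unrecognised timestamp in: " + line[:40])


def scan(log, failregex):
    """Return [(timestamp, host)] for every line matching any failregex,
    like one jail's filter running over its logpath."""
    regexes = [re.compile(p.replace("<HOST>", HOST)) for p in failregex]
    hits = []
    for line in log.splitlines():
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits.append((parse_time(line), m.group("host")))
                break
    return hits


def bans(hits, maxretry, findtime):
    """Return {host: ban time} for every host with at least maxretry hits
    inside one findtime-second window (fail2ban's sliding window, simplified)."""
    window = timedelta(seconds=findtime)
    per_host = defaultdict(list)
    for ts, host in sorted(hits):
        per_host[host].append(ts)
    banned = {}
    for host, times in per_host.items():
        for i, ts in enumerate(times):
            recent = [t for t in times[: i + 1] if ts - t <= window]
            if len(recent) >= maxretry:
                banned[host] = ts
                break
    return banned


if __name__ == "__main__":
    # maxretry = 3 for the Postfix jail is a demo value; maxretry = 10 is the
    # higher limit this page suggests for the login jails.
    for jail, log, failregex, maxretry in (
        ("postfix", MAIL_LOG, POSTFIX_FAILREGEX, 3),
        ("roundcube-auth", ROUNDCUBE_ERRORS, ROUNDCUBE_FAILREGEX, 10),
    ):
        hits = scan(log, failregex)
        print(jail, "hits:", [(t.strftime("%H:%M:%S"), h) for t, h in hits])
        print(jail, "banned:", bans(hits, maxretry, findtime=600))
```

Running it shows the side effect of the 450 4.7.1 line: at maxretry = 3 the retrying sender 203.0.113.5 is banned together with the address prober 198.51.100.7, and is spared once only the 550 5.1.1 pattern is used or findtime is shortened to 300 seconds. On the real server, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf performs the same kind of test against the actual filter and log.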
For other IMAP clients (the remote ones from part 9), which talk to Dovecot directly:
In /etc/fail2ban/jail.local under [dovecot] set
enabled = true
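Putting the settings from this page together, this is what jail.local looks like when it holds only the overrides instead of a full copy of jail.conf (an added example, not the author's file). The admin address in ignoreip and the explicit findtime/bantime lines are assumptions: ignoreip keeps a mistyped password from locking you out of your own server, and the two times are the values the shipped jail.conf uses, written out so they are visible.

```ini
# /etc/fail2ban/jail.local (added example; every key not listed here keeps
# its jail.conf value)
[DEFAULT]
# Never ban your own addresses; 127.0.0.1/8 is the shipped default and
# 203.0.113.10 is a placeholder for your management IP.
ignoreip  = 127.0.0.1/8 203.0.113.10
backend   = polling
mta       = sendmail
destemail = email@example.com
action    = %(action_mwl)s
# Count attempts within findtime seconds, ban for bantime seconds
# (600 each in the shipped jail.conf, repeated here only for visibility).
findtime  = 600
bantime   = 600

# Senders hitting non-existent addresses (filter.d/postfix.conf with the
# extra failregex lines from above)
[postfix]
enabled  = true

# Remote IMAP clients, logged by Dovecot in /var/log/mail.log
[dovecot]
enabled  = true
maxretry = 10

# Webmail logins, logged by Roundcube in its own error log
[roundcube-auth]
enabled  = true
logpath  = /var/log/roundcube/errors
maxretry = 10
```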
# service fail2ban reload
To manually unban a client, name the jail that banned it, for example:
# fail2ban-client set dovecot unbanip 192.168.1.2
To check a jail (number of filter hits, currently banned addresses):
# fail2ban-client status roundcube-auth
# fail2ban-client status dovecot
# fail2ban-client status postfix
# fail2ban-client status without a jail name lists the active jails.