~2 min read • Updated Jan 27, 2026
1. What is Fail2Ban?
Fail2Ban is an Intrusion Prevention System that:
- Monitors service logs
- Detects suspicious or repeated failed attempts
- Blocks offending IPs temporarily or permanently
Fail2Ban does not scan emails or detect spam; it only reacts to malicious IP behavior.
2. Fail2Ban in iRedMail Architecture
```
Attacker
   ↓ SMTP / IMAP / HTTP
Service (Postfix / Dovecot / Web)
   ↓ (Log)
Fail2Ban ← rapid response
   ↓
Firewall (iptables / nftables)
```
Fail2Ban directly modifies firewall rules to block attackers.
3. Main Responsibilities of Fail2Ban in iRedMail
1️⃣ Preventing Brute-force Attacks
- SMTP AUTH protection
- IMAP / POP3 login protection
- Roundcube webmail login protection
2️⃣ Reducing Server Load
- Blocking useless or malicious IPs
- Preventing thousands of failed login attempts
3️⃣ Protecting Server Reputation
- Preventing account compromise
- Stopping outbound spam caused by hacked accounts
4. Components of Fail2Ban
- fail2ban-server — main daemon
- filters — regex patterns for log detection
- jails — service + blocking policy
5. Important Fail2Ban Paths
| Path | Description |
|---|---|
| /etc/fail2ban/ | Main configuration directory |
| jail.conf | Default settings (do not edit) |
| jail.local | Custom settings |
| filter.d/ | Regex filters |
| /var/log/fail2ban.log | Fail2Ban log file |
Always use jail.local for custom configuration.
6. Important Jails in iRedMail
- postfix — protects SMTP authentication
- dovecot — protects IMAP/POP3 logins
- roundcube — protects webmail login
- nginx/apache — protects web interfaces
7. Example jail.local for iRedMail
```ini
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5

[postfix]
enabled = true
port = smtp,submission,465
filter = postfix
logpath = /var/log/maillog

[dovecot]
enabled = true
port = imap,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/maillog
```
8. Ban Time Recommendations
| Scenario | bantime |
|---|---|
| Normal brute-force | 1h |
| Botnet attack | 24h |
| Persistent attacker | -1 (permanent) |
9. Checking Fail2Ban Status
```bash
fail2ban-client status
```
For a specific jail:
```bash
fail2ban-client status dovecot
```
10. Unbanning an IP
```bash
fail2ban-client set dovecot unbanip 1.2.3.4
```
11. Testing Fail2Ban
- Attempt several failed logins
- Your IP should be banned
- Ban should appear in Fail2Ban logs
12. Common Issues
❌ Legitimate users get banned
- maxretry too low
- findtime too short
❌ Fail2Ban not working
- Incorrect log path
- Filter regex mismatch
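To show how the maxretry and findtime values from the jail.local in section 7 decide who gets banned, and why the two misconfigurations listed above (maxretry too low, findtime too short) produce false positives or missed attackers, here is an added Python example; it is not Fail2Ban's code and not part of the original article. It assumes simplified stand-in regexes for the postfix and dovecot filters and constructed /var/log/maillog lines using documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical, simplified stand-ins for the postfix/dovecot regexes in filter.d
# (not the real filter files); <HOST> is written out here as (?P<host>...).
FILTERS = {
    "postfix": re.compile(r"postfix/smtpd\[\d+\]: warning: .*\[(?P<host>[0-9.]+)\]: "
                          r"SASL (?:LOGIN|PLAIN) authentication failed"),
    "dovecot": re.compile(r"(?:imap|pop3)-login: .*auth failed.*rip=(?P<host>[0-9.]+)"),
}
LOG_TS = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")

def parse_ts(line, year=2026):
    # syslog timestamps carry no year, so one is assumed
    return datetime.strptime(f"{year} {LOG_TS.match(line)['ts']}", "%Y %b %d %H:%M:%S")

def evaluate(lines, findtime=600, maxretry=5):
    """Replay log lines and return {jail: [banned hosts]}: a host is banned once it
    has maxretry matches inside a sliding findtime window (seconds, as fail2ban
    stores it; 10m = 600), which is how the two jail.local settings interact."""
    window = defaultdict(lambda: defaultdict(deque))  # jail -> host -> timestamps
    banned = {jail: [] for jail in FILTERS}
    for line in lines:
        ts = parse_ts(line)
        for jail, rx in FILTERS.items():
            m = rx.search(line)
            if not m or m["host"] in banned[jail]:
                continue
            q = window[jail][m["host"]]
            q.append(ts)
            while (ts - q[0]).total_seconds() > findtime:  # forget failures older than findtime
                q.popleft()
            if len(q) >= maxretry:
                banned[jail].append(m["host"])
    return banned

# Constructed sample /var/log/maillog lines (not captured from a real server).
def _pf(t, ip):
    return f"Jan 27 {t} mail postfix/smtpd[2101]: warning: unknown[{ip}]: SASL LOGIN authentication failed: UGFzc3dvcmQ6"

def _dc(t, ip, user):
    return (f"Jan 27 {t} mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
            f"user=<{user}>, method=PLAIN, rip={ip}, lip=10.0.0.5, TLS")

SAMPLE_LOG = (
    [_pf(f"10:00:{s:02d}", "203.0.113.9") for s in (1, 5, 9, 14, 20)]            # 5 failures in 20 s: brute force
    + [_dc(f"10:{m:02d}:00", "198.51.100.7", "bob") for m in (1, 12, 23, 34, 45)]  # 11 min apart: slow attacker
    + [_dc(f"10:0{m}:30", "192.0.2.30", "alice") for m in (2, 3, 4)]               # 3 typos by a real user
)
```

With the defaults only the fast brute-force host is banned; raising findtime to 3600 catches the slow attacker, while dropping maxretry to 2 bans the legitimate user after two typos.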
13. Security Best Practices
- Enable recidive jail (progressive ban)
- Whitelist internal IPs
- Monitor Fail2Ban logs regularly
- Ensure firewall integration is correct
14. Fail2Ban + iRedMail = Real Security
| Without Fail2Ban | With Fail2Ban |
|---|---|
| Successful brute-force | Attack neutralized |
| High CPU usage | Stable |
| Account compromise | Protected |
Conclusion
Fail2Ban is the 24/7 security guard of your mail server. When configured
Written & researched by Dr. Shahin Siami