{
  "created": "2015-12-20T19:56:34Z",
  "hierarchy": [
    {
      "name": "ROOT",
      "type": "folder",
      "uri": "/ROOT"
    },
    {
      "name": "Fail2Ban for Dovecot",
      "type": "article",
      "uri": "Fail2Ban_for_Dovecot"
    }
  ],
  "html": "<!DOCTYPE html>\n<html lang=\"en\">\n  <head>\n    <meta charset=\"UTF-8\"/>\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"/>\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"/>\n    <meta property=\"og:image\" content=\"/img/logo512.png\"/>\n    <meta property=\"og:site_name\" content=\"Nikhil's Personal Wiki\"/>\n    <link rel=\"og:image\" href=\"/img/logo512.png\"/>\n    <link rel=\"icon\" href=\"/img/favicon.png\"/>\n    <link rel=\"apple-touch-icon\" href=\"/img/logo192.png\"/>\n    <link rel=\"stylesheet\" href=\"/css/styles.css\"/>\n    <link rel=\"stylesheet\" href=\"/css/highlight.css\"/>\n    <title>Fail2Ban for Dovecot &ndash; Nikhil's Personal Wiki</title>\n    <script type=\"text/javascript\" id=\"MathJax-script\" defer src=\"https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js\"></script>\n    <script defer data-domain=\"wiki.nikhil.io\" src=\"https://plausible.io/js/plausible.js\"></script>\n  </head>\n  <body>\n    <noscript>\n      👉 A few things won&#8217;t work if you have JavaScript disabled.\n    </noscript>\n    <div class=\"container article\">\n      <header>\n        <nav>\n          <ul>\n            <li>\n              <a href=\"/archive\"  title=\"Archive\">\n                <span>Archive</span>\n              </a>\n            </li>\n            <li>\n              <a href=\"/Home\"  title=\"Home\">\n                <span>Home</span>\n              </a>\n            </li>\n            <li>\n              <a href=\"/random\"  title=\"See a random article\">\n                <span>Random</span>\n              </a>\n            </li>\n            \n            \n              \n                <li>\n                  <a href=\"/Fail2Ban_for_Dovecot/raw.txt\"  title=\"View Source\">\n                    <span>Raw</span>\n                  </a>\n                </li>\n              \n              \n            \n            \n            \n            \n              \n               
 <li>\n                  <a href=\"/Fail2Ban_for_Dovecot/revisions\" >\n                    <span>Revisions</span>\n                  </a>\n                </li>\n              \n            \n            \n              \n                \n                  <li>\n                    <a href=\"/Fail2Ban_for_Dovecot/index.json\" title=\"View JSON Object\">\n                      <span>JSON</span>\n                    </a>\n                  </li>\n                \n              \n            \n          </ul>\n        </nav>\n      </header>\n      <main>\n        \n  <nav>\n  <ul>\n    \n      <li>\n        <a data-entity-type=\"folder\" href=\"/ROOT\" title=\"ROOT\">Root</a>\n      </li>\n    \n      <li>\n        <a data-entity-type=\"article\" href=\"/Fail2Ban_for_Dovecot\" title=\"Fail2Ban for Dovecot\">Fail2Ban for Dovecot</a>\n      </li>\n    \n    \n    \n    \n    \n  </ul>\n</nav>\n\n  <h1>Fail2Ban for Dovecot\n    \n  </h1>\n  <h2>Installation</h2>\n<pre><code>yum install fail2ban\nchkconfig fail2ban on\n</code></pre>\n<h2>Configuration</h2>\n<p>Now add this to <code>/etc/fail2ban/jail.conf</code>. Change the <code>sender</code> email.</p>\n<pre><code>[dovecot]\nenabled  = true\nfilter   = dovecot\naction   = iptables-multiport[name=dovecot, port=&quot;pop3,pop3s,imap,imaps&quot;, protocol=tcp]\n           sendmail-whois[name=dovecot, dest=root, sender=fail2ban@example.com]\nlogpath  = /var/log/maillog\nmaxretry = 10\nfindtime = 1200\nbantime  = -10\n</code></pre>\n<p>See <a href=\"http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options\">the manual</a> for an explanation of the options. 
In this configuration, anyone attempting to authenticate unsuccessfully 10 times will be banned permanently.</p>\n<p>Fail2Ban will try looking for a configuration/filter file called &ldquo;<code>dovecot.conf</code>&rdquo; in the filters directory, <code>/etc/fail2ban/filter.d</code>.<br />\nCreate it and add this if it doesn&rsquo;t exist for some reason:</p>\n<pre><code>[Definition]\nfailregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P&lt;host&gt;\\S*),.*\nignoreregex =\n</code></pre>\n<h2>Testing</h2>\n<p>Fail2Ban comes with a handy-dandy regex testing tool.</p>\n<pre><code>fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf\n</code></pre>\n<p>You should issue <code>iptables -L</code> to verify that there&rsquo;s a Fail2Ban chain. Now <code>telnet</code> to the POP3 port from another machine and try logging in with some junk.</p>\n<pre><code>Trying 198.81.129.107...\nConnected to example.com (198.81.129.107).\nEscape character is '^]'.\n+OK Hello. Please be nice.\nuser hahahaha\n-ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.\n</code></pre>\n<p>You&rsquo;ll see a bunch of these in <code>/var/log/maillog</code>:</p>\n<pre><code>Sep 17 15:05:14 user dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=72.21.81.85, lip=198.81.129.107\n</code></pre>\n<p>When you see 10 of them, wait a bit. You&rsquo;ll see an email from Fail2Ban informing you that it&rsquo;s blocked an IP. To verify, issue <code>iptables -L -n</code>. You&rsquo;ll see this somewhere:</p>\n<pre><code>Chain fail2ban-dovecot (1 references)\ntarget     prot opt source               destination\nDROP       all  --  72.21.81.85        0.0.0.0/0\n</code></pre>\n<p>Nice. 
To unban, just remove the rule from the chain:</p>\n<pre><code>iptables -D fail2ban-dovecot -s 72.21.81.85 -j DROP\n</code></pre>\n<h2>Using the Service</h2>\n<pre><code>service fail2ban start\n</code></pre>\n<p>Check its status</p>\n<pre><code>[root@example ~]# service fail2ban status\nFail2ban (pid 15919) is running...\nStatus\n|- Number of jail:  1\n`- Jail list:       dovecot\n</code></pre>\n<p>You should have gotten an email from the service with the subject &ldquo;<strong>[Fail2Ban] dovecot: started</strong>&rdquo;. Check <code>/var/log/messages</code> for banned IPs</p>\n\n\n      </main>\n      <footer>\n        <p>\n          \n        </p>\n        <ul>\n          \n  <li>2,823 bytes</li>\n  \n    <li>Created on Sunday, 20 December 2015 at 19:56 UTC</li>\n    <li>Modified on Thursday, 28 May 2026 at 13:06 UTC</li>\n    <br/>\n    <li>\n      <a\n        href=\"https://github.com/afreeorange/wiki.nikhil.io.articles/edit/master/Fail2Ban for Dovecot.md\"\n        title=\"Edit this article\">Edit this article</a>\n    </li>\n  \n\n          <li>\n            <a href=\"https://github.com/afreeorange/bock\" title=\"View the project that generates this wiki on Github\">bock\n            5.3.0-beta</a>\n          </li>\n        </ul>\n      </footer>\n    </div>\n    \n    \n      <script type=\"text/javascript\">\n        /**\n         * Quick shortcut to take me to the search box which is 90% of how I navigate\n         * this wiki anyway.\n         */\n        document.body.addEventListener(\n          \"keypress\", (e) => e.key === \"f\"\n          ? 
window.location.assign(\"/archive\")\n          : null);\n        window.MathJax = {\n          tex: {\n            inlineMath: [\n              [\n                '$', '$'\n              ],\n              [\n                '\\\\(', '\\\\)'\n              ]\n            ]\n          },\n          svg: {\n            fontCache: 'global'\n          }\n        };\n      </script>\n    \n  </body>\n</html>\n",
  "id": "448203f8-53ec-5de9-b2e5-6ef7057413d2",
  "modified": "2026-05-28T13:06:15Z",
  "revisions": [
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2026-05-28T13:06:15Z",
      "id": "1ca86bf1fad132291ed7a42e4d2afbdd711ddfe8",
      "shortId": "1ca86bf1",
      "subject": "Formatting fixes -- Claude\n",
      "content": "## Installation\n\n    yum install fail2ban\n    chkconfig fail2ban on\n\n## Configuration\n\nNow add this to `/etc/fail2ban/jail.conf`. Change the `sender` email.\n\n    [dovecot]\n    enabled  = true\n    filter   = dovecot\n    action   = iptables-multiport[name=dovecot, port=\"pop3,pop3s,imap,imaps\", protocol=tcp]\n               sendmail-whois[name=dovecot, dest=root, sender=fail2ban@example.com]\n    logpath  = /var/log/maillog\n    maxretry = 10\n    findtime = 1200\n    bantime  = -10\n\nSee [the manual](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options) for an explanation of the options. In this configuration, anyone attempting to authenticate unsuccessfully 10 times will be banned permanently.\n\nFail2Ban will try looking for a configuration/filter file called \"`dovecot.conf`\" in the filters directory, `/etc/fail2ban/filters.d`.\nCreate it and add this if it doesn't exist for some reason:\n\n    [Definition]\n    failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P<host>\\S*),.*\n    ignoreregex =\n\n## Testing\n\nFail2Ban comes with a handy-dandy regex testing tool.\n\n    fail2ban-regex /vaar/log/maillog /etc/fail2ban/filter.d/dovecot.conf\n\nYou should issue `iptables -L` to verify that there's a Fail2Ban chain. Now `telnet` to the POP3 port from another machine and try logging in with some junk.\n\n    Trying 198.81.129.107...\n    Connected to example.com (198.81.129.107).\n    Escape character is '^]'.\n    +OK Hello. Please be nice.\n    user hahahaha**\n    -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.\n\nYou'll see a bunch of these in `/var/log/maillog`:\n\n    Sep 17 15:05:14 user dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=72.21.81.85, lip=198.81.129.107\n\nWhen you see 10 of them, wait a bit. 
You'll see an email from Fail2Ban informing you that it's blocked an IP. To verify, issue `iptables -L -n`. You'll see this somewhere:\n\n    Chain fail2ban-dovecot (1 references)\n    target     prot opt source               destination\n    DROP       all  --  72.21.81.85        0.0.0.0/0\n\nNice. To unban, just remove the rule from the chain:\n\n    iptables -D fail2ban-dovecot -s 72.21.81.85 -j DROP\n\n## Using the Service\n\n    service fail2ban start\n\nCheck its status\n\n    [root@example ~]# service fail2ban status\n    Fail2ban (pid 15919) is running...\n    Status\n    |- Number of jail:  1\n    `- Jail list:       dovecot\n\nYou should have gotten an email from the service with the subject \"**\\[Fail2Ban\\] dovecot: started**\". Check `/var/log/messages` for banned IPs\n"
    },
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2026-01-13T18:47:28Z",
      "id": "2436477560f26e23d00a24add1cbfeafdca4af78",
      "shortId": "24364775",
      "subject": "No compression\n",
      "content": "Installation\n------------\n\n    yum install fail2ban  \n    chkconfig fail2ban on\n\nConfiguration\n-------------\n\nNow add this to `/etc/fail2ban/jail.conf`. Change the `sender` email.\n\n    [dovecot]  \n    enabled  = true  \n    filter   = dovecot  \n    action   = iptables-multiport[name=dovecot, port=\"pop3,pop3s,imap,imaps\", protocol=tcp]  \n               sendmail-whois[name=dovecot, dest=root, sender=fail2ban@example.com]  \n    logpath  = /var/log/maillog  \n    maxretry = 10  \n    findtime = 1200  \n    bantime  = -10\n\nSee [the manual](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options)\nfor an explanation of the options. In this configuration, anyone\nattempting to authenticate unsuccessfully 10 times will be banned\npermanently.\n\nFail2Ban will try looking for a configuration/filter file called\n\"`dovecot.conf`\" in the filters directory, `/etc/fail2ban/filters.d`.\nCreate it and add this if it doesn't exist for some reason:\n\n    [Definition]  \n    failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P<host>\\S*),.*  \n    ignoreregex =\n\nTesting\n-------\n\nFail2Ban comes with a handy-dandy regex testing tool.\n\n    fail2ban-regex /vaar/log/maillog /etc/fail2ban/filter.d/dovecot.conf\n\nYou should issue `iptables -L` to verify that there's a Fail2Ban chain.\nNow `telnet` to the POP3 port from another machine and try logging in\nwith some junk.\n\n    Trying 198.81.129.107...  \n    Connected to example.com (198.81.129.107).  \n    Escape character is '^]'.  \n    +OK Hello. Please be nice.  
\n    user hahahaha**  \n    -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.\n\nYou'll see a bunch of these in `/var/log/maillog`:\n\n    Sep 17 15:05:14 user dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=72.21.81.85, lip=198.81.129.107\n\nWhen you see 10 of them, wait a bit. You'll see an email from Fail2Ban\ninforming you that it's blocked an IP. To verify, issue\n`iptables -L -n`. You'll see this somewhere:\n\n    Chain fail2ban-dovecot (1 references)  \n    target     prot opt source               destination  \n    DROP       all  --  72.21.81.85        0.0.0.0/0\n\nNice. To unban, just remove the rule from the chain:\n\n    iptables -D fail2ban-dovecot -s 72.21.81.85 -j DROP\n\nUsing the Service\n-----------------\n\n    service fail2ban start\n\nCheck its status\n\n    [root@example ~]# service fail2ban status  \n    Fail2ban (pid 15919) is running...  \n    Status  \n    |- Number of jail:  1  \n    `- Jail list:       dovecot \n\nYou should have gotten an email from the service with the subject\n\"**\\[Fail2Ban\\] dovecot: started**\". Check `/var/log/messages` for\nbanned IPs\n\n\n\n"
    },
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2015-12-27T07:27:56Z",
      "id": "1aa29105a45aa67523ffb61e73bcc415f935a47e",
      "shortId": "1aa29105",
      "subject": "Fix Markdown conversion\n\nSaw half a season of The Office\n",
      "content": "Installation\n------------\n\n    yum install fail2ban  \n    chkconfig fail2ban on\n\nConfiguration\n-------------\n\nNow add this to `/etc/fail2ban/jail.conf`. Change the `sender` email.\n\n    [dovecot]  \n    enabled  = true  \n    filter   = dovecot  \n    action   = iptables-multiport[name=dovecot, port=\"pop3,pop3s,imap,imaps\", protocol=tcp]  \n               sendmail-whois[name=dovecot, dest=root, sender=fail2ban@example.com]  \n    logpath  = /var/log/maillog  \n    maxretry = 10  \n    findtime = 1200  \n    bantime  = -10\n\nSee [the manual](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options)\nfor an explanation of the options. In this configuration, anyone\nattempting to authenticate unsuccessfully 10 times will be banned\npermanently.\n\nFail2Ban will try looking for a configuration/filter file called\n\"`dovecot.conf`\" in the filters directory, `/etc/fail2ban/filters.d`.\nCreate it and add this if it doesn't exist for some reason:\n\n    [Definition]  \n    failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P<host>\\S*),.*  \n    ignoreregex =\n\nTesting\n-------\n\nFail2Ban comes with a handy-dandy regex testing tool.\n\n    fail2ban-regex /vaar/log/maillog /etc/fail2ban/filter.d/dovecot.conf\n\nYou should issue `iptables -L` to verify that there's a Fail2Ban chain.\nNow `telnet` to the POP3 port from another machine and try logging in\nwith some junk.\n\n    Trying 198.81.129.107...  \n    Connected to example.com (198.81.129.107).  \n    Escape character is '^]'.  \n    +OK Hello. Please be nice.  
\n    user hahahaha**  \n    -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.\n\nYou'll see a bunch of these in `/var/log/maillog`:\n\n    Sep 17 15:05:14 user dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=72.21.81.85, lip=198.81.129.107\n\nWhen you see 10 of them, wait a bit. You'll see an email from Fail2Ban\ninforming you that it's blocked an IP. To verify, issue\n`iptables -L -n`. You'll see this somewhere:\n\n    Chain fail2ban-dovecot (1 references)  \n    target     prot opt source               destination  \n    DROP       all  --  72.21.81.85        0.0.0.0/0\n\nNice. To unban, just remove the rule from the chain:\n\n    iptables -D fail2ban-dovecot -s 72.21.81.85 -j DROP\n\nUsing the Service\n-----------------\n\n    service fail2ban start\n\nCheck its status\n\n    [root@example ~]# service fail2ban status  \n    Fail2ban (pid 15919) is running...  \n    Status  \n    |- Number of jail:  1  \n    `- Jail list:       dovecot \n\nYou should have gotten an email from the service with the subject\n\"**\\[Fail2Ban\\] dovecot: started**\". Check `/var/log/messages` for\nbanned IPs\n\n\n\n"
    },
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2015-12-21T02:30:47Z",
      "id": "d658e80d1ecb97b196531c7b15a0f9af709c05de",
      "shortId": "d658e80d",
      "subject": "Incremental\n",
      "content": "Installation\n------------\n\n`   yum install fail2ban`  \n`   chkconfig fail2ban on`\n\nConfiguration\n-------------\n\nNow add this to `/etc/fail2ban/jail.conf`. Change the `sender` email.\n\n`   [dovecot]`  \n`   enabled  = true`  \n`   filter   = dovecot`  \n`   action   = iptables-multiport[name=dovecot, port=\"pop3,pop3s,imap,imaps\", protocol=tcp]`  \n`              sendmail-whois[name=dovecot, dest=root, sender=fail2ban@example.com]`  \n`   logpath  = /var/log/maillog`  \n`   maxretry = 10`  \n`   findtime = 1200`  \n`   bantime  = -10`\n\nSee [the\nmanual](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options)\nfor an explanation of the options. In this configuration, anyone\nattempting to authenticate unsuccessfully 10 times will be banned\npermanently.\n\nFail2Ban will try looking for a configuration/filter file called\n\"`dovecot.conf`\" in the filters directory, `/etc/fail2ban/filters.d`.\nCreate it and add this if it doesn't exist for some reason:\n\n`   [Definition]`  \n`   failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P`<host>`\\S*),.*`  \n`   ignoreregex =`\n\nTesting\n-------\n\nFail2Ban comes with a handy-dandy regex testing tool.\n\n`   fail2ban-regex /vaar/log/maillog /etc/fail2ban/filter.d/dovecot.conf`\n\nYou should issue `iptables -L` to verify that there's a Fail2Ban chain.\nNow `telnet` to the POP3 port from another machine and try logging in\nwith some junk.\n\n`   Trying 198.81.129.107...`  \n`   Connected to example.com (198.81.129.107).`  \n`   Escape character is '^]'.`  \n`   +OK Hello. 
Please be nice.`  \n`   `**`user` `hahahaha`**  \n`   -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.`\n\nYou'll see a bunch of these in `/var/log/maillog`:\n\n`   Sep 17 15:05:14 user dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=72.21.81.85, lip=198.81.129.107`\n\nWhen you see 10 of them, wait a bit. You'll see an email from Fail2Ban\ninforming you that it's blocked an IP. To verify, issue\n`iptables -L -n`. You'll see this somewhere:\n\n`   Chain fail2ban-dovecot (1 references)`  \n`   target     prot opt source               destination`  \n`   DROP       all  --  72.21.81.85        0.0.0.0/0`\n\nNice. To unban, just remove the rule from the chain:\n\n`   iptables -D fail2ban-dovecot -s 72.21.81.85 -j DROP`\n\nUsing the Service\n-----------------\n\n`   service fail2ban start`\n\nCheck its status\n\n`   [root@example ~]# service fail2ban status`  \n`   Fail2ban (pid 15919) is running...`  \n`   Status`  \n`   |- Number of jail:  1`  \n``    `- Jail list:       dovecot ``\n\nYou should have gotten an email from the service with the subject\n\"**\\[Fail2Ban\\] dovecot: started**\". Check `/var/log/messages` for\nbanned IPs\n\n\n\n"
    },
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2015-12-20T19:56:35Z",
      "id": "9d7ba8bb8870e1d9afa51436c52f2a0335cfaaa3",
      "shortId": "9d7ba8bb",
      "subject": "Fail2Ban for Dovecot : v2\n",
      "content": "Installation\n------------\n\n`   yum install fail2ban`  \n`   chkconfig fail2ban on`\n\nConfiguration\n-------------\n\nNow add this to `/etc/fail2ban/jail.conf`. Change the `sender` email.\n\n`   [dovecot]`  \n`   enabled  = true`  \n`   filter   = dovecot`  \n`   action   = iptables-multiport[name=dovecot, port=\"pop3,pop3s,imap,imaps\", protocol=tcp]`  \n`              sendmail-whois[name=dovecot, dest=root, sender=fail2ban@example.com]`  \n`   logpath  = /var/log/maillog`  \n`   maxretry = 10`  \n`   findtime = 1200`  \n`   bantime  = -10`\n\nSee [the\nmanual](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options)\nfor an explanation of the options. In this configuration, anyone\nattempting to authenticate unsuccessfully 10 times will be banned\npermanently.\n\nFail2Ban will try looking for a configuration/filter file called\n\"`dovecot.conf`\" in the filters directory, `/etc/fail2ban/filters.d`.\nCreate it and add this if it doesn't exist for some reason:\n\n`   [Definition]`  \n`   failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P`<host>`\\S*),.*`  \n`   ignoreregex =`\n\nTesting\n-------\n\nFail2Ban comes with a handy-dandy regex testing tool.\n\n`   fail2ban-regex /vaar/log/maillog /etc/fail2ban/filter.d/dovecot.conf`\n\nYou should issue `iptables -L` to verify that there's a Fail2Ban chain.\nNow `telnet` to the POP3 port from another machine and try logging in\nwith some junk.\n\n`   Trying 198.81.129.107...`  \n`   Connected to example.com (198.81.129.107).`  \n`   Escape character is '^]'.`  \n`   +OK Hello. 
Please be nice.`  \n`   `**`user` `hahahaha`**  \n`   -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.`\n\nYou'll see a bunch of these in `/var/log/maillog`:\n\n`   Sep 17 15:05:14 user dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=72.21.81.85, lip=198.81.129.107`\n\nWhen you see 10 of them, wait a bit. You'll see an email from Fail2Ban\ninforming you that it's blocked an IP. To verify, issue\n`iptables -L -n`. You'll see this somewhere:\n\n`   Chain fail2ban-dovecot (1 references)`  \n`   target     prot opt source               destination`  \n`   DROP       all  --  72.21.81.85        0.0.0.0/0`\n\nNice. To unban, just remove the rule from the chain:\n\n`   iptables -D fail2ban-dovecot -s 72.21.81.85 -j DROP`\n\nUsing the Service\n-----------------\n\n`   service fail2ban start`\n\nCheck its status\n\n`   [root@example ~]# service fail2ban status`  \n`   Fail2ban (pid 15919) is running...`  \n`   Status`  \n`   |- Number of jail:  1`  \n``    `- Jail list:       dovecot ``\n\nYou should have gotten an email from the service with the subject\n\"**\\[Fail2Ban\\] dovecot: started**\". Check `/var/log/messages` for\nbanned IPs\n\n[Category: Nikhil's Notes](Category:_Nikhil's_Notes \"wikilink\")\n[Category: Installation Logs](Category:_Installation_Logs \"wikilink\")\n"
    },
    {
      "authorEmail": "mail@nikhil.io",
      "authorName": "Nikhil Anand",
      "date": "2015-12-20T19:56:34Z",
      "id": "9f6890c3ac421eb5f798e66bf20297240036e7bf",
      "shortId": "9f6890c3",
      "subject": "Fail2Ban for Dovecot : First Draft\n",
      "content": "Installation\n------------\n\n`   yum install fail2ban`  \n`   chkconfig fail2ban on`\n\nConfiguration\n-------------\n\nNow add this to `/etc/fail2ban/jail.conf`. Change the `sender` email.\n\n`   [dovecot]`  \n`   enabled  = true`  \n`   filter   = dovecot`  \n`   action   = iptables-multiport[name=dovecot, port=\"pop3,pop3s,imap,imaps\", protocol=tcp]`  \n`              sendmail-whois[name=dovecot, dest=root, sender=fail2ban@example.com]`  \n`   logpath  = /var/log/maillog`  \n`   maxretry = 10`  \n`   findtime = 1200`  \n`   bantime  = -10`\n\nSee [the\nmanual](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options)\nfor an explanation of the options. In this configuration, anyone\nattempting to authenticate unsuccessfully 10 times will be banned\npermanently.\n\nFail2Ban will try looking for a configuration/filter file called\n\"`dovecot.conf`\" in the filters directory, `/etc/fail2ban/filters.d`.\nCreate it and add this if it doesn't exist for some reason:\n\n`   [Definition]`  \n`   failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P`<host>`\\S*),.*`  \n`   ignoreregex =`\n\nTesting\n-------\n\nFail2Ban comes with a handy-dandy regex testing tool.\n\n`   fail2ban-regex /vaar/log/maillog /etc/fail2ban/filter.d/dovecot.conf`\n\nUsing the Service\n-----------------\n\n`   service fail2ban start`\n\nCheck its status\n\n`   [root@example ~]# service fail2ban status`  \n`   Fail2ban (pid 15919) is running...`  \n`   Status`  \n`   |- Number of jail:  1`  \n``    `- Jail list:       dovecot ``\n\nYou should have gotten an email from the service with the subject\n\"**\\[Fail2Ban\\] dovecot: started**\". Check `/var/log/messages` for\nbanned IPs\n\n[Category: Nikhil's Notes](Category:_Nikhil's_Notes \"wikilink\")\n[Category: Installation Logs](Category:_Installation_Logs \"wikilink\")\n"
    }
  ],
  "sizeInBytes": 2823,
  "source": "## Installation\n\n    yum install fail2ban\n    chkconfig fail2ban on\n\n## Configuration\n\nNow add this to `/etc/fail2ban/jail.conf`. Change the `sender` email.\n\n    [dovecot]\n    enabled  = true\n    filter   = dovecot\n    action   = iptables-multiport[name=dovecot, port=\"pop3,pop3s,imap,imaps\", protocol=tcp]\n               sendmail-whois[name=dovecot, dest=root, sender=fail2ban@example.com]\n    logpath  = /var/log/maillog\n    maxretry = 10\n    findtime = 1200\n    bantime  = -10\n\nSee [the manual](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Jail_Options) for an explanation of the options. In this configuration, anyone attempting to authenticate unsuccessfully 10 times will be banned permanently.\n\nFail2Ban will try looking for a configuration/filter file called \"`dovecot.conf`\" in the filters directory, `/etc/fail2ban/filter.d`.\nCreate it and add this if it doesn't exist for some reason:\n\n    [Definition]\n    failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed).*rip=(?P<host>\\S*),.*\n    ignoreregex =\n\n## Testing\n\nFail2Ban comes with a handy-dandy regex testing tool.\n\n    fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf\n\nYou should issue `iptables -L` to verify that there's a Fail2Ban chain. Now `telnet` to the POP3 port from another machine and try logging in with some junk.\n\n    Trying 198.81.129.107...\n    Connected to example.com (198.81.129.107).\n    Escape character is '^]'.\n    +OK Hello. Please be nice.\n    user hahahaha\n    -ERR Plaintext authentication disallowed on non-secure (SSL/TLS) connections.\n\nYou'll see a bunch of these in `/var/log/maillog`:\n\n    Sep 17 15:05:14 user dovecot: pop3-login: Aborted login (tried to use disabled plaintext auth): rip=72.21.81.85, lip=198.81.129.107\n\nWhen you see 10 of them, wait a bit. 
You'll see an email from Fail2Ban informing you that it's blocked an IP. To verify, issue `iptables -L -n`. You'll see this somewhere:\n\n    Chain fail2ban-dovecot (1 references)\n    target     prot opt source               destination\n    DROP       all  --  72.21.81.85        0.0.0.0/0\n\nNice. To unban, just remove the rule from the chain:\n\n    iptables -D fail2ban-dovecot -s 72.21.81.85 -j DROP\n\n## Using the Service\n\n    service fail2ban start\n\nCheck its status\n\n    [root@example ~]# service fail2ban status\n    Fail2ban (pid 15919) is running...\n    Status\n    |- Number of jail:  1\n    `- Jail list:       dovecot\n\nYou should have gotten an email from the service with the subject \"**\\[Fail2Ban\\] dovecot: started**\". Check `/var/log/messages` for banned IPs\n",
  "title": "Fail2Ban for Dovecot",
  "untracked": false,
  "uri": "/Fail2Ban_for_Dovecot",
  "relativePath": "Fail2Ban for Dovecot.md"
}
