Added postfix and dovecot for fail2ban

[Spitfireap]

Not tested yet.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.07%. Comparing base (63d92b7) to head (3113eaf).
⚠️ Report is 289 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #476   +/-   ##
=======================================
  Coverage   50.07%   50.07%           
=======================================
  Files          10       10           
  Lines         681      681           
=======================================
  Hits          341      341           
  Misses        340      340           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[xinomilo]

port 587 , can also be written as "submission". so you could use :
"default": "http,https,pop3,pop3s,imap,imaps,submission"
( just for the looks of it, doesn't make any difference :) )

also filter names in jail.d/[doveot|postfix].conf should be "dovecot-modoboa" and "postfix-modoboa"

edit] actually, filters dovecot-modoboa.conf and postfix-modoboa.conf are identical with fail2ban defaults dovecot.conf and postifx.conf, so maybe those are not needed at all.. just use fail2ban defaults (?)
(compared to filters shipped with fail2ban 0.11.2-2 in Debian 11.9)

[almereyda]

The [postfix], [modoboa] and [dovecot] sections all specify the same ports = %ports_blocked setting.

It may be good to split ports_blocked into dedicated constants for postfix_ports_blocked (smtps,submission), modoboa_ports_blocked (http,https) and dovecot_ports_blocked (pop3,pop3s,imap,imaps). This could help not setting ports on applications which don't effectively use them.

Since RFC 8314 the SMTPS port 465 with implicit TLS is the default MTA entrypoint. This means smtps would have to be added to postfix_ports_blocked.

Further I agree to use the default, packaged configuration files and remove them here, if they are not to be altered.

[almereyda]

About RFC 8314, also see #564 .

[almereyda]

This variable seems overloaded with specifics, and might be split into

• ports_blocked_mta: smtp,smtps,ssmtp,submission,submissions
• ports_blocked_mda: pop3,pop3s,imap,imaps
• ports_blocked_web: http,https

and be applied separately in the places where used.

[almereyda]

I'm using this:

[dovecot]
enabled = true
port = imap,imaps,pop3,pop3s
maxretry = 3
bantime = 1h
findtime = 1h
filter = dovecot[mode=aggressive]
logpath = /var/log/mail.log
ignoreip = ::1 127.0.0.1/8

How to find sane defaults?

[almereyda]

This seems to work:

[postfix]
enabled = true
port = smtp,ssmtp,smtps,submission,submissions
maxretry = 3
bantime = 1h
findtime = 1h
filter = postfix[mode=aggressive]
logpath = /var/log/mail.log
ignoreip = ::1 127.0.0.1/8

[almereyda]

Suggested change

	# Author: Cyril Jaquier
	# Author: Cyril Jaquier

[almereyda]

How can we test that fail2ban rules are successfully applied to network filter tables?

When instead using default packaged jails.d configuration for Dovecot and Postfix, we should validate that they exist in all supported distributions.