Yeah. I don't know what I was thinking when I made it work like that.
I know what you were thinking: if dovecot is writing to a log such as "mylogfile.log", and other utilities are also writing to "mylogfile.log", it's good to know which lines are dovecot.

But I am satisfied with using syslog logging; it just should be recorded somewhere that syslog is required for compatibility with Fail2Ban. I tried to edit wiki.dovecot.org with this information, but was too incompetent to figure out how to add a page. If I had to create a page with Fail2Ban instructions, it would look like:

1) Make sure that /etc/dovecot.conf does not have any “log_path” variable set. We need dovecot.conf to use the default system logging so the log is written in a format that fail2ban can work with.

2) Create the filter file /etc/fail2ban/filter.d/dovecot-pop3imap.conf:

[Definition]
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

3) Add the following to /etc/fail2ban/jail.conf:

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
logpath = /var/log/maillog
maxretry = 20
findtime = 1200
bantime = 1200
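
As an added example (not part of the original post and not Fail2Ban's own code), this Python script runs the failregex from step 2 over constructed syslog-style lines and applies the maxretry/findtime counting from step 3. The log lines, the host name "mail" and the function names are assumptions, and re.search stands in for Fail2Ban's matching.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex copied from the filter file in step 2
FAILREGEX = re.compile(
    r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
    r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"
)

# Constructed syslog-style lines (documentation addresses), not real log data.
SAMPLE_LOG = """\
Jan  5 10:00:01 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Jan  5 10:00:09 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Jan  5 10:00:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1
Jan  5 10:05:00 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<eve>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Jan  5 10:06:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<al>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1
Jan  5 11:30:00 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<al>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.1
""".splitlines()


def failures(lines):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            # syslog timestamps carry no year; a fixed placeholder year is
            # enough to measure gaps inside one log file.
            when = datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")
            yield when, m.group("host")


def hosts_to_ban(lines, maxretry=20, findtime=1200):
    """Return hosts with at least maxretry failures inside findtime seconds."""
    recent = defaultdict(list)
    banned = set()
    for when, host in failures(lines):
        times = recent[host]
        times.append(when)
        # forget failures that have aged out of the findtime window
        while (when - times[0]).total_seconds() > findtime:
            times.pop(0)
        if len(times) >= maxretry:
            banned.add(host)
    return sorted(banned)


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, maxretry=3))
```

On a live system, fail2ban-regex run against /var/log/maillog and the filter file gives the authoritative answer on whether the filter matches.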


