I am currently in the process of building a new server so have been
investigating and implementing current solutions, including the latest Dovecot
2.4.x (with its significant change to config syntax which has been fun!) and
Rspamd + Valkey (Redis replacement).

Thinking about SPAM and the process flow I drew up the following diagram. I’m
building a personal domain mail server (not a business or commercial setup) so
Fail2Ban is, I believe, a worthwhile addition.

\---------------------------------------/
  \                (1)                /   Fail2Ban
    \-------------------------------/
      \            (2)            /   Postscreen
        \-----------------------/
          \        (3)        /   Postfix *_restrictions
            \---------------/
              \    (4)    /   Rspamd
                \-------/
                |   |   |
                |   V   |
           Dovecot mail store

The funnel analogy has a dual purpose which covers the concepts of progression
and (for the most part) reduction in mail volume.

(1) Fail2Ban is the first 'level', it doesn't reduce/affect the total volume
of mail but blocks a percentage of known, previous, offenders. Which, of
course, has the benefit that the next layer has less to deal with.
Blocking happens via firewall rules — so the external server does not even
get anywhere near Postfix. Fail2Ban looks at rejected servers in logs, so
it is Postfix and/or Rspamd which is saying the external server (IP) is
undesirable, not Fail2Ban. I (personally) categorise offenders as nuisance
(i.e. SPAM) or malicious (trying to break into accounts). For malicious
attackers I tend to make the ban period longer.

(2) Postscreen is a very valuable (1st layer for Postfix) layer which has a
good cost/benefit ratio. It can block out ~80%, or more, of junk server
connections with minimal overhead.

(3) For connections which get past Postscreen more focused and restrictive
Postfix checks can be brought to bear filtering out badly behaved servers.

(4) By the time servers get to Rspamd — the most demanding and intensive part
of the pipeline — the number getting through should have been significantly
reduced. Rspamd can, depending on the action scoring thresholds, reject an
email or tag it as possible SPAM.

(5) Dovecot can then, via Sieve filtering on all incoming email, automatically
file an email into the /Junk folder.

The above is how I (currently) understand each piece of the anti-spam
‘pipeline’ works.

Regards
__________________
Patrick
> On 10 Mar 2026, at 15:38, Phil Stracchino via Postfix-users
> <[email protected]> wrote:
>
> On 3/10/26 10:30, Ralph Seichter via Postfix-users wrote:
>> * Gary R. Schmidt via Postfix-users:
>>> Turn on postscreen and add fail2ban.
>> Postscreen: yes! Fail2ban: That's a divisive subject.
>> In my experience, Fail2ban can screw people over, causing a significant
>> waste of time for users and admins. I don't think F2B is worth that.
>> Strong passwords do a lot more good than IP-based blocking, and the more
>> IPv6 use increases, the less useful F2B becomes anyway.
>> I advise against Fail2ban, unless you are very conscious of how it might
>> bite your and your users' bum.
>
>
> I consider fail2ban worthwhile *used appropriately*. Which is to say, to
> TEMPORARILY block IP addresses that are sourcing brute-force attacks against
> a service (*any* service). If your fail2ban blocks are permanent, or you're
> using it to block IPs you got mail from that you considered spam, you're
> probably using it wrong.
>
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
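
Added example, not part of the original post and not Fail2Ban's own code: the log-driven step described in (1), where Postfix rejections and failed logins are counted per IP within a time window and the "malicious" category gets a longer, but still temporary, ban. The regexes, thresholds, ban periods and ISO 8601 syslog timestamps are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

POLICY = {  # thresholds and ban periods are assumed values, for illustration only
    "malicious": dict(maxretry=3, findtime=timedelta(minutes=10), bantime=timedelta(hours=24)),
    "nuisance": dict(maxretry=2, findtime=timedelta(minutes=10), bantime=timedelta(hours=1)),
}
IP = r"\[(?P<ip>[0-9A-Fa-f.:]+)\]"
PATTERNS = [  # failed SASL logins = account attack; SMTP-time rejects = spam nuisance
    ("malicious", re.compile(r"postfix/smtpd\[\d+\]: warning: \S*" + IP + r": SASL \S+ authentication failed")),
    ("nuisance", re.compile(r"postfix/(?:smtpd|postscreen)\[\d+\]: NOQUEUE: reject: RCPT from \S*" + IP)),
]

def plan_bans(lines):
    """Return {ip: (category, ban_start, ban_end)}; every ban has an end time."""
    hits, bans = defaultdict(deque), {}
    for line in lines:
        stamp, _, rest = line.partition(" ")
        when = datetime.fromisoformat(stamp)
        for category, pattern in PATTERNS:
            match = pattern.search(rest)
            if not match:
                continue
            rule, ip = POLICY[category], match["ip"]
            window = hits[category, ip]
            window.append(when)
            while when - window[0] > rule["findtime"]:  # drop hits older than findtime
                window.popleft()
            end = when + rule["bantime"]
            if len(window) >= rule["maxretry"] and (ip not in bans or end > bans[ip][2]):
                bans[ip] = (category, when, end)
            break
    return bans

# Constructed sample lines (documentation IP ranges, hypothetical host "mx").
SAMPLE_LOG = """\
2026-03-10T15:00:01+00:00 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
2026-03-10T15:00:09+00:00 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed
2026-03-10T15:00:20+00:00 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed
2026-03-10T15:01:00+00:00 mx postfix/postscreen[1150]: NOQUEUE: reject: RCPT from [198.51.100.7]:41234: 550 5.7.1 blocked using dnsbl.example
2026-03-10T15:02:00+00:00 mx postfix/smtpd[1210]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Relay access denied
2026-03-10T15:03:00+00:00 mx postfix/smtpd[1215]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.44]: 450 4.7.1 Helo rejected
2026-03-10T15:30:00+00:00 mx postfix/smtpd[1290]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.44]: 450 4.7.1 Helo rejected
""".splitlines()

if __name__ == "__main__":
    for ip, (category, start, end) in plan_bans(SAMPLE_LOG).items():
        print(f"{ip:15} {category:9} banned until {end.isoformat()}")
```

The third sample host is rejected twice but 27 minutes apart, so it falls outside the assumed findtime window and is not banned.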