From 0c6cc875edbafbcab76002edf8c88c4e5eae07f1 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> Date: Sat, 2 Aug 2025 13:02:37 +0200 Subject: [PATCH] chore: disable F2B `postfix-sasl` jail Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com> --- CHANGELOG.md | 5 +++++ docs/content/config/security/fail2ban.md | 9 +++++++++ target/fail2ban/jail.local | 3 --- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0acc374e..d67b7d16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,11 @@ All notable changes to this project will be documented in this file. The format - Refactored `setup config dkim` (`open-dkim`) ([#4375](https://github.com/docker-mailserver/docker-mailserver/pull/4375)) - `setup email list` and the default `ENABLE_QUOTAS=1` ENV now better communicates when config is incompatible ([#4453](https://github.com/docker-mailserver/docker-mailserver/pull/4453)) +### Removed + +- **Fail2Ban** + - Removed `postfix-sasl` jail by default as it is covered by `postfix[mode=extra]` already ([#4529](https://github.com/docker-mailserver/docker-mailserver/pull/4529)) + ## [v15.0.2](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.2) ### Fixes diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md index 8efb2fca..54bde243 100644 --- a/docs/content/config/security/fail2ban.md +++ b/docs/content/config/security/fail2ban.md 
@@ -78,6 +78,15 @@ This following configuration files inside the `docker-data/dms/config/` volume w [github-file-f2bjail]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-jail.cf [github-file-f2bconfig]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-fail2ban.cf +### SASL + +The `postfix` jail comes with `mode=extra` by default, which covers SASL login errors for our default SASL provider. Hence, the `postfix-sasl` jail has been disabled. If you switch to another SASL provider (e.g., SASLauthd), you may want to turn the `postfix-sasl` jail back on: + +```ini title="docker-data/dms/config/fail2ban-jail.cf" +[postfix-sasl] +enabled = true +``` + ### Viewing All Bans When just running diff --git a/target/fail2ban/jail.local b/target/fail2ban/jail.local index 6866ddf3..41e9fbe1 100644 --- a/target/fail2ban/jail.local +++ b/target/fail2ban/jail.local @@ -29,9 +29,6 @@ enabled = true # https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760 mode = extra -[postfix-sasl] -enabled = true - # This jail is used for manual bans. # To ban an IP address use: setup.sh fail2ban ban [custom]
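
Review bot: In the `CHANGELOG.md` hunk, the new entry sits under `### Removed` and reads "Removed `postfix-sasl` jail by default", but the `jail.local` hunk only drops the `enabled = true` override and the docs hunk says the jail "has been disabled". Suggest wording it as "Disabled the `postfix-sasl` jail by default" so the changelog matches the docs. It would also help to add a short pointer to the new SASL docs section, since the docs hunk says setups using another SASL provider may want the jail turned back on.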
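
Review bot: In the `docs/content/config/security/fail2ban.md` hunk, the new `### SASL` paragraph refers to "our default SASL provider" without naming it, while the alternative (SASLauthd) is named. Please name the default provider so a reader can tell which case applies to them. "You may want to turn the `postfix-sasl` jail back on" also gives no criterion for deciding. One sentence saying whether SASL login failures from other providers are still matched by `postfix` with `mode=extra` would make the recommendation actionable.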
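
Review bot: In the `target/fail2ban/jail.local` hunk, removing `[postfix-sasl]` / `enabled = true` leaves nothing in the file that explains why the jail is absent; the only comment above `mode = extra` is the issue link. Suggest adding a one-line comment next to `mode = extra` stating that it covers SASL login errors and that `postfix-sasl` is intentionally not enabled here, so a later reader does not add the jail back as an apparent omission.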