Mail Server Templates
Protection templates for mail servers (non-Docker). For Mailcow Docker installations, see Mailcow Templates.
postfix
Postfix SMTP authentication failures.
| Setting | Default |
|---|---|
| Port | 25, 465, 587 |
| Log Path | /var/log/mail.log |
| Max Retry | 5 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
Detected Patterns
- SASL authentication failures
- Rejected RCPT (recipient) attempts
postfix-sasl
More specific SASL authentication failure detection.
| Setting | Default |
|---|---|
| Port | 25, 465, 587, 143, 993, 110, 995 |
| Log Path | /var/log/mail.log |
| Max Retry | 3 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
Detected Patterns
SASL auth failures on:
- Submission (port 587)
- SMTPS (port 465)
- SMTP (port 25)
Authentication methods:
- LOGIN
- PLAIN
- CRAM-MD5
- DIGEST-MD5
When to Use
Use postfix-sasl instead of postfix when:
- You want stricter SASL-specific protection
- You need to protect both SMTP and IMAP/POP3 ports
dovecot
Dovecot IMAP/POP3 authentication failures.
| Setting | Default |
|---|---|
| Port | 110, 143, 587, 465, 993, 995 |
| Log Path | /var/log/mail.log |
| Max Retry | 3 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
Detected Patterns
- Aborted login
- Disconnected (auth failed)
- Authentication failures
Log Path Configuration
Debian/Ubuntu
```yaml
logpath: /var/log/mail.log
```
RHEL/CentOS
```yaml
logpath: /var/log/maillog
```
With rsyslog Separation
If you've configured separate mail logs:
```yaml
# Postfix
logpath: /var/log/mail/postfix.log
# Dovecot
logpath: /var/log/mail/dovecot.log
```
Recommended Configuration
Public Mail Server
Mail servers are heavily targeted. Use strict settings:
```yaml
# postfix-sasl
maxretry: 3
findtime: 10m
bantime: 24h
# dovecot
maxretry: 3
findtime: 10m
bantime: 24h
```
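How the recommended postfix-sasl thresholds behave on a log, as an added example (not the template's own filter code). It assumes a ban is issued once the failures from one address inside `findtime` reach `maxretry`; the regular expression, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the "Public Mail Server" recommendation for postfix-sasl.
MAXRETRY, FINDTIME, BANTIME = 3, timedelta(minutes=10), timedelta(hours=24)

# Assumed failure-line pattern; the template's own filter is not shown on the page.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/[\w/]+\[\d+\]: warning: "
    r"\S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?:LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed")

def evaluate(lines, year=2024):
    """Return {ip: (ban_start, ban_end)}. Syslog stamps lack a year, so `year` supplies one."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue                      # not a SASL failure line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip][1]:
            continue                      # source is already banned
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:  # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[ip] = (ts, ts + BANTIME)
            window.clear()
    return bans

def sample_line(ts, svc, ip, mech):       # builds one constructed log line
    return (f"Mar 14 {ts} mx1 postfix/{svc}[2101]: warning: unknown[{ip}]: "
            f"SASL {mech} authentication failed: authentication failure")

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    sample_line("09:00:01", "smtpd", "203.0.113.7", "LOGIN"),
    sample_line("09:02:10", "submission/smtpd", "203.0.113.7", "PLAIN"),
    "Mar 14 09:03:00 mx1 postfix/smtpd[2105]: connect from unknown[198.51.100.20]",
    sample_line("09:04:30", "smtps/smtpd", "203.0.113.7", "LOGIN"),
    # Failures 15 minutes apart never share a 10-minute findtime window.
    *[sample_line(t, "smtpd", "198.51.100.9", "LOGIN")
      for t in ("09:05:00", "09:20:00", "09:35:00")],
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

Failures seen on ports 25, 465 and 587 are counted against the same address, so the third one triggers the 24-hour ban regardless of which service logged it.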
Enable Both SMTP and IMAP Protection
Always enable both:
- postfix-sasl - SMTP authentication
- dovecot - IMAP/POP3 authentication
Attackers often try both protocols.
Combine with recidive
Repeat mail attackers should face escalating bans:
- First ban: 24 hours
- Recidive (3 bans): 1 week