add fail2ban rules

etc/fail2ban/action.d/mail-ratelimit.conf

@@ -0,0 +1,60 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+#
+
+[Definition]
+
+# bypass ban/unban for restored tickets
+norestored = 1
+
+# Option:  actionstart
+# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values:  CMD
+#
+actionstart = 
+
+# Option:  actionstop
+# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Values:  CMD
+#
+actionstop = 
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = printf %%b "Hi,\n
+            An email account exceeded it's rate limit:\n
+            \n
+            <matches>
+            \n
+            Regards,\n
+            Fail2Ban"|mail -s "[Fail2Ban] <name>" <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = 
+
+[Init]
+
+# Default name of the chain
+#
+name = exim-ratelimit
+
+# Destination/Addressee of the mail
+#
+dest = postmaster

etc/fail2ban/filter.d/exim-hard.conf

@@ -0,0 +1,26 @@
+# Fail2Ban configuration file
+#
+# Author: Matthew Saunders Brown
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
+
+failregex = .*\(ylmf-pc\) \[<HOST>\].*rejected EHLO or HELO ylmf-pc
+            .*rejected RCPT.*\: <HOST> is listed in.*
+            .*dovecot_.* authenticator failed for.*\((server\.com|User|USER|ADMIN)\) \[<HOST>\]:.* 535 Incorrect authentication data.*
+            .*dovecot_.* authenticator failed for.*\((server\.com|User|USER|ADMIN)\) \[<HOST>\]:.* 435 Unable to authenticate.*
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

etc/fail2ban/filter.d/exim-ratelimit.conf

@@ -0,0 +1,24 @@
+# Fail2Ban configuration file
+#
+# Author: Matthew Saunders Brown
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
+# 2022-01-11 02:17:34.576 [2506437] H=162-246-128-31.merlin.ua ([127.0.0.1]) [31.128.246.162]:54324 I=[69.55.235.148]:587 X=TLS1.0:ECDHE_SECP521R1__RSA_SHA1__AES_256_CBC__SHA1:256 CV=no F=<valexcel@inetworld.net> A=dovecot_plain:valexcel@inetworld.net rejected RCPT <christopher2504@gmx.de>: valexcel@inetworld.net exceeded rate limit of 120 per hour
+
+failregex = .* \[<HOST>\]:.* exceeded rate limit of .*
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

etc/fail2ban/jail.d/dovecot.conf

@@ -0,0 +1,5 @@
+[dovecot]
+enabled = true
+port    = imap2,imap3,imaps,pop3,pop3s
+filter  = dovecot
+logpath = /var/log/mail.log tail

etc/fail2ban/jail.d/exim-hard.conf

@@ -0,0 +1,7 @@
+[exim-hard]
+enabled  = true
+port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,submission
+filter   = exim-hard
+logpath  = /var/log/exim4/rejectlog tail
+maxretry = 1
+bantime  = 86400

etc/fail2ban/jail.d/exim-ratelimit.conf

@@ -0,0 +1,9 @@
+[exim-ratelimit]
+enabled  = true
+port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,submission
+filter   = exim-ratelimit
+action   = mail-ratelimit
+logpath  = /var/log/exim4/rejectlog tail
+maxretry = 1
+findtime = 60
+bantime  = 3600

etc/fail2ban/jail.d/exim.conf

@@ -0,0 +1,5 @@
+[exim]
+enabled  = true
+port     = smtp,465,submission
+filter   = exim
+logpath  = /var/log/exim4/rejectlog tail

install.sh

@@ -160,4 +160,37 @@ chmod 644 /usr/local/lib/systemd/system/vmail-cron.*
 systemctl enable vmail-cron.timer
 systemctl start vmail-cron.timer
 
-# notes about firewalls
+# enable email ports in firewalld
+[[ -d /etc/firewalld/ ]]; then
+  firewall-cmd --permanent --zone=public --add-service=smtp
+  firewall-cmd --permanent --zone=public --add-service=smtp-submission
+  firewall-cmd --permanent --zone=public --add-service=smtps
+  firewall-cmd --permanent --zone=public --add-service=imap
+  firewall-cmd --permanent --zone=public --add-service=imaps
+  firewall-cmd --permanent --zone=public --add-service=pop3
+  firewall-cmd --permanent --zone=public --add-service=pop3s
+  firewall-cmd --zone=public --add-service=smtp
+  firewall-cmd --zone=public --add-service=smtp-submission
+  firewall-cmd --zone=public --add-service=smtps
+  firewall-cmd --zone=public --add-service=imap
+  firewall-cmd --zone=public --add-service=imaps
+  firewall-cmd --zone=public --add-service=pop3
+  firewall-cmd --zone=public --add-service=pop3s
+else
+  echo
+  echo "firewalld not installed, not opening email ports in firewall."
+fi
+
+# fail2ban
+if [[ -d /etc/fail2ban/ ]]; then
+  chmod 644 etc/fail2ban/*/*.conf
+  cp -a etc/fail2ban/* /etc/fail2ban/
+  sed -i "s|postmaster|postmaster@$maildomain|g" /etc/fail2ban/action.d/mail-ratelimit.conf
+  echo
+  echo "Fail2ban rate limit will email postmaster@$maildomain."
+  echo "Change postmaster@$maildomain in /etc/fail2ban/action.d/mail-ratelimit.conf to suit your needs."
+else
+  echo
+  echo "fail2ban not installed, skipping fail2ban email configs."
+
+fi