From 8c6b485acd2bdbc18a58aa4fb0e080c3958a9d11 Mon Sep 17 00:00:00 2001
From: Serreau Jovann
Date: Fri, 3 Apr 2026 14:42:11 +0200
Subject: [PATCH] feat: ajout Fail2ban pour protection Dovecot IMAPS/POP3S (993/995)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Configuration : - docker/fail2ban/jail.local : jail dovecot uniquement sur ports 993,995, bantime 1h, findtime 10min, maxretry 5 tentatives - docker/fail2ban/filter.d/dovecot.conf : regex pour auth failed, disconnected, aborted login (IMAP + POP3) Docker : - Image crazymax/fail2ban, network_mode host (accès iptables), cap_add NET_ADMIN + NET_RAW pour manipuler les règles firewall - Volume dovecot-logs partagé en lecture seule pour lire les logs Dovecot - Volume fail2ban-data pour persister la DB des bans
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker-compose-dev.yml | 16 ++++++++++++++++
 docker/fail2ban/filter.d/dovecot.conf | 8 ++++++++
 docker/fail2ban/jail.local | 14 ++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 docker/fail2ban/filter.d/dovecot.conf
 create mode 100644 docker/fail2ban/jail.local
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index 72ca3bc..e8fa6e2 100644
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -235,6 +235,20 @@ services:
 retries: 5
 start_period: 120s
 
+ fail2ban:
+ image: crazymax/fail2ban:latest
+ container_name: crm_siteconseil_fail2ban
+ restart: unless-stopped
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+ network_mode: host
+ volumes:
+ - ./docker/fail2ban/jail.local:/etc/fail2ban/jail.local:ro
+ - ./docker/fail2ban/filter.d/dovecot.conf:/etc/fail2ban/filter.d/dovecot.conf:ro
+ - fail2ban-data:/var/lib/fail2ban
+ - dovecot-logs:/var/log/dovecot:ro
+
 volumes:
 db-data:
 redis-data:
@@ -245,3 +259,5 @@ volumes:
 postfix-data:
 rspamd-data:
 clamav-data:
+ fail2ban-data:
+ dovecot-logs:
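Review bot: `image: crazymax/fail2ban:latest` in the first hunk is an unpinned tag on a container that runs with `NET_ADMIN`, `NET_RAW` and `network_mode: host`, so whatever the tag points to at the next pull gets control of the host firewall; pin it, e.g. `image: crazymax/fail2ban:<version>@sha256:<digest>`. The `dovecot-logs` volume is mounted read-only here and declared in the second hunk, but nothing in this patch mounts it into the Dovecot service or makes Dovecot write `/var/log/dovecot/dovecot.log`; unless that is done elsewhere, the jail has no log to read. The ban database is mounted at `/var/lib/fail2ban`, while this image's documentation, as far as I recall, describes `/data` as its persistent directory, so confirm that bans really survive a restart. A short comment above the service, `# host network + NET_ADMIN/NET_RAW: fail2ban edits the host's iptables rules`, would record why the elevated settings are there.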
diff --git a/docker/fail2ban/filter.d/dovecot.conf b/docker/fail2ban/filter.d/dovecot.conf
new file mode 100644
index 0000000..803a5fd
--- /dev/null
+++ b/docker/fail2ban/filter.d/dovecot.conf
@@ -0,0 +1,8 @@
+[Definition]
+failregex = ^.*auth-worker.*Error:.*user=<.*>.*rip=.*$
+ ^.*imap-login:.*Disconnected.*\(auth failed.*\).*rip=.*$
+ ^.*pop3-login:.*Disconnected.*\(auth failed.*\).*rip=.*$
+ ^.*imap-login:.*Aborted login.*rip=.*$
+ ^.*pop3-login:.*Aborted login.*rip=.*$
+
+ignoreregex =
diff --git a/docker/fail2ban/jail.local b/docker/fail2ban/jail.local
new file mode 100644
index 0000000..7bbb63d
--- /dev/null
+++ b/docker/fail2ban/jail.local
@@ -0,0 +1,14 @@
+[DEFAULT]
+bantime = 3600
+findtime = 600
+maxretry = 5
+backend = auto
+
+[dovecot]
+enabled = true
+port = 993,995
+filter = dovecot
+logpath = /var/log/dovecot/dovecot.log
+maxretry = 5
+bantime = 3600
+findtime = 600
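Review bot: None of the five `failregex` patterns in `filter.d/dovecot.conf` contains a `<HOST>` tag; each ends in `rip=.*$`, so fail2ban has no address to extract and will either reject the filter or never ban anyone. Change the tail of every pattern to `rip=<HOST>`. The two `Aborted login` patterns also match sessions dropped before any credentials were sent, which would count monitoring probes and impatient clients as failures; restricting them to `Aborted login.*\(auth failed` keeps only real authentication failures. The `auth-worker.*Error:` pattern looks like it matches backend errors rather than client failures, so confirm against real log lines that it cannot ban legitimate users during an auth-backend outage. Because the file is mounted over `/etc/fail2ban/filter.d/dovecot.conf`, it replaces the filter fail2ban ships under that name, which deserves a comment at the top of the file.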
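Review bot: The `[dovecot]` jail in `jail.local` sets no `chain`, so bans go into the default INPUT chain. If Dovecot runs as a container with published ports 993/995 (the shared `dovecot-logs` volume suggests so, but the service is not in this patch), that traffic is forwarded rather than delivered to INPUT and a ban will not block it; in that case add `chain = DOCKER-USER`. Also confirm that the address Dovecot logs as `rip=` is the real client and not a Docker gateway or proxy address, and add `ignoreip = 127.0.0.1/8 ::1 <trusted-cidr>` so that one shared internal address cannot be banned for every user. The per-jail `maxretry`, `bantime` and `findtime` repeat the `[DEFAULT]` values and can be dropped.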