feat: ajout Fail2ban pour protection Dovecot IMAPS/POP3S (993/995)

Configuration :
- docker/fail2ban/jail.local : jail dovecot uniquement sur ports 993,995,
  bantime 1h, findtime 10min, maxretry 5 tentatives
- docker/fail2ban/filter.d/dovecot.conf : regex pour auth failed,
  disconnected, aborted login (IMAP + POP3)

Docker :
- Image crazymax/fail2ban, network_mode host (accès iptables),
  cap_add NET_ADMIN + NET_RAW pour manipuler les règles firewall
- Volume dovecot-logs partagé en lecture seule pour lire les logs Dovecot
- Volume fail2ban-data pour persister la DB des bans

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker-compose-dev.yml

@@ -235,6 +235,20 @@ services:
       retries: 5
       start_period: 120s
 
+  fail2ban:
+    image: crazymax/fail2ban:latest
+    container_name: crm_siteconseil_fail2ban
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    network_mode: host
+    volumes:
+      - ./docker/fail2ban/jail.local:/etc/fail2ban/jail.local:ro
+      - ./docker/fail2ban/filter.d/dovecot.conf:/etc/fail2ban/filter.d/dovecot.conf:ro
+      - fail2ban-data:/var/lib/fail2ban
+      - dovecot-logs:/var/log/dovecot:ro
+
 volumes:
   db-data:
   redis-data:
@@ -245,3 +259,5 @@ volumes:
   postfix-data:
   rspamd-data:
   clamav-data:
+  fail2ban-data:
+  dovecot-logs:

docker/fail2ban/filter.d/dovecot.conf

@@ -0,0 +1,8 @@
+[Definition]
+failregex = ^.*auth-worker.*Error:.*user=<.*>.*rip=<HOST>.*$
+            ^.*imap-login:.*Disconnected.*\(auth failed.*\).*rip=<HOST>.*$
+            ^.*pop3-login:.*Disconnected.*\(auth failed.*\).*rip=<HOST>.*$
+            ^.*imap-login:.*Aborted login.*rip=<HOST>.*$
+            ^.*pop3-login:.*Aborted login.*rip=<HOST>.*$
+
+ignoreregex =

docker/fail2ban/jail.local

@@ -0,0 +1,14 @@
+[DEFAULT]
+bantime = 3600
+findtime = 600
+maxretry = 5
+backend = auto
+
+[dovecot]
+enabled = true
+port = 993,995
+filter = dovecot
+logpath = /var/log/dovecot/dovecot.log
+maxretry = 5
+bantime = 3600
+findtime = 600