September 4, 2010

Secure Courier-IMAP POP3/IMAP (Plesk) against brute forcing

This article outlines the process of configuring Fail2Ban to secure a Plesk server running Courier-IMAP as its IMAP and POP3 server against brute forcing.

Prerequisite: This article expects that you have already completed the installation of Fail2Ban as outlined here.

Once you have completed the installation of Fail2Ban –

1. Edit /etc/fail2ban/filter.d/courierlogin.conf using nano.

nano -w /etc/fail2ban/filter.d/courierlogin.conf

And change the failregex line: "LOGIN FAILED, .*, ip=\[<HOST>\]$"

To: "LOGIN FAILED, ip=\[<HOST>\]$"

2. Add the following configuration to /etc/fail2ban/jail.conf:

[courierimap-iptables]
enabled = true
filter = courierlogin
action = iptables-multiport[name=IMAP, port="110,995,143,993"]
         sendmail-whois[name=IMAP, dest=you@example.com, sender=fail2ban@example.com]
logpath = /usr/local/psa/var/log/maillog
maxretry = 5

Note: port= needs to include every port on which you are running POP3 or IMAP daemons. The defaults are POP3 ports 110 (non-secure) and 995 (secure) and IMAP ports 143 (non-secure) and 993 (secure). The dest= and sender= addresses above are placeholders; be sure to change them to your own addresses (the second action line must stay indented so that jail.conf parses it as a continuation of action =).

Note: /usr/local/psa/var/log/maillog is the default mail log location for Plesk 8.x and Plesk 9.x servers.

3. Restart fail2ban:

/etc/init.d/fail2ban restart

Your server is now protected against brute force attempts against your email service ports. Any remote host which fails to login more than 5 times will be automatically blocked.

WARNING: Please make sure you have 127.0.0.1 listed in your ignore list in /etc/fail2ban/jail.conf, e.g. ignoreip = 127.0.0.1
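To see why step 1 matters and how the jail above decides whom to block, here is a small Python simulation of the filter and jail logic. It is an added example and not part of the original article or of Fail2Ban's own code: the <HOST> expansion is a simplified stand-in for Fail2Ban's internal pattern (kept only to the extent of accepting the ::ffff: IPv4-mapped prefix that Courier writes), the log lines are constructed samples using TEST-NET addresses, and findtime is ignored so that the count is over the whole sample.

```python
import re
from collections import defaultdict

# Simplified stand-in for Fail2Ban's <HOST> expansion (assumption, not the
# exact internal regex): optionally strips the ::ffff: prefix Courier logs in
# front of IPv4 addresses and captures the address itself as "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.]+)"

# failregex as shipped in courierlogin.conf: expects a ", user=..., " field
# between "LOGIN FAILED" and "ip=", which Plesk's Courier does not log.
STOCK_FAILREGEX = r"LOGIN FAILED, .*, ip=\[" + HOST + r"\]$"
# failregex after the edit in step 1 of the article.
PLESK_FAILREGEX = r"LOGIN FAILED, ip=\[" + HOST + r"\]$"

# Jail settings from the article's [courierimap-iptables] section and the
# ignoreip warning at the end.
MAXRETRY = 5
IGNOREIP = {"127.0.0.1"}

# Constructed sample of /usr/local/psa/var/log/maillog lines (not real data):
# six failures from 203.0.113.5, two from 198.51.100.7, six from localhost
# (which must be ignored), and one successful login that must not count.
SAMPLE_MAILLOG = "\n".join(
    [f"Sep  4 10:15:{i:02d} plesk imapd: LOGIN FAILED, ip=[::ffff:203.0.113.5]"
     for i in range(1, 7)]
    + [f"Sep  4 10:16:{i:02d} plesk pop3d: LOGIN FAILED, ip=[::ffff:198.51.100.7]"
       for i in range(1, 3)]
    + [f"Sep  4 10:17:{i:02d} plesk imapd: LOGIN FAILED, ip=[127.0.0.1]"
       for i in range(1, 7)]
    + ["Sep  4 10:18:00 plesk imapd: LOGIN, user=alice@example.com, ip=[::ffff:198.51.100.7]"]
)


def failed_logins(log_text, failregex):
    """Count lines matching failregex, keyed by the captured host.

    This mirrors what Fail2Ban's filter does with each new maillog line;
    lines that do not match (successful logins, other daemons) are skipped.
    """
    pattern = re.compile(failregex)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_to_ban(counts, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Hosts the jail would hand to iptables-multiport.

    Fail2Ban acts once a host's failure count reaches maxretry within
    findtime; hosts listed in ignoreip are never banned, which is why the
    article insists on keeping 127.0.0.1 there.
    """
    return sorted(ip for ip, n in counts.items()
                  if n >= maxretry and ip not in ignoreip)


if __name__ == "__main__":
    # With the stock regex nothing matches, so the jail would never fire.
    print("stock regex matches:", failed_logins(SAMPLE_MAILLOG, STOCK_FAILREGEX))
    counts = failed_logins(SAMPLE_MAILLOG, PLESK_FAILREGEX)
    print("edited regex matches:", counts)
    print("would ban:", hosts_to_ban(counts))
```

Running it shows the stock pattern matching none of the Plesk-style lines, the edited pattern attributing each failure to the right address, and only 203.0.113.5 being banned: 198.51.100.7 stays under maxretry and 127.0.0.1 is excluded by ignoreip even though it exceeded the threshold. The same approach (feed a handful of real lines from your own maillog through fail2ban-regex, which does this officially) is a quick way to confirm the filter before enabling the jail.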