Fail2ban is installed but are you getting alerts? Learn how to configure fail2ban for iRedMail, fix broken jails, and set up real-time notifications via email and Telegram.
Your iRedMail server is being attacked. Right now. Open your mail logs and you’ll see a constant stream of failed login attempts, dictionary attacks, and botnet probes.
It’s not paranoia—it’s the reality of running an email server on the public internet.
You have fail2ban installed (iRedMail includes it by default), but is it working? Are you getting alerts when IPs get banned? Do you even know which jails are active?
Most administrators assume fail2ban is protecting them. But without proper configuration and real-time alerts, you’re flying blind.
In this guide, I’ll show you how to audit your fail2ban setup, fix broken jails, and set up instant notifications so you know about attacks the moment they happen—not days later when you check your logs.
Understanding iRedMail’s Fail2ban Jails
iRedMail configures multiple jails targeting different services:
| Jail | Purpose | Log File |
|---|---|---|
| sshd | SSH brute force | /var/log/secure |
| postfix | SMTP auth failures | /var/log/maillog |
| postfix-burst | Rapid email sending | /var/log/maillog |
| dovecot | IMAP/POP3 auth failures | /var/log/maillog |
| roundcube | Webmail login attempts | /var/log/nginx/roundcubemail.log |
| recidive | Repeat offenders (persistent ban) | All logs |
Step 1: Check Your Current Fail2ban Status
# Check if fail2ban is running
sudo systemctl status fail2ban
# List all active jails
sudo fail2ban-client status
# Check a specific jail
sudo fail2ban-client status sshd
sudo fail2ban-client status postfix
Example output:
Status for the jail: sshd
|- Filter
| |- Currently failed: 2
| |- Total failed: 145
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 3
|- Total banned: 12
`- Banned IP list: 185.42.188.59 45.155.205.233 193.188.22.221
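A scripted version of this check, as an added example (not part of the original guide or of iRedMail): it compares the jails fail2ban reports as active with the jail names from the table above and prints the ones that are missing. The sample status text is constructed, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: report expected jails that fail2ban does not list as active.

# Constructed sample of `fail2ban-client status` output (tab after the colon).
SAMPLE_STATUS="$(printf 'Status\n|- Number of jail:\t4\n`- Jail list:\tdovecot, postfix, recidive, sshd')"

# active_jails: read `fail2ban-client status` text on stdin and print one
# active jail name per line.
active_jails() {
    sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# missing_jails STATUS_TEXT EXPECTED_JAIL...
# Prints every expected jail that is not active; returns 1 if any is missing
# so a cron job or monitoring check can alert on it.
missing_jails() {
    status_text="$1"
    shift
    active="$(printf '%s\n' "$status_text" | active_jails)"
    rc=0
    for jail in "$@"; do
        # -F -x: literal whole-line match, so an active "postfix" jail does
        # not satisfy the check for "postfix-burst".
        if ! printf '%s\n' "$active" | grep -Fxq -- "$jail"; then
            echo "$jail"
            rc=1
        fi
    done
    return "$rc"
}

# Jail names taken from the table above. On a live server, replace
# "$SAMPLE_STATUS" with "$(sudo fail2ban-client status)".
if ! missing_jails "$SAMPLE_STATUS" sshd postfix postfix-burst dovecot roundcube recidive; then
    echo "WARNING: the jails listed above are not active" >&2
fi
```

A jail that is missing here is either disabled or failed to load, so check /var/log/fail2ban.log for it next.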
Step 2: Fix Broken Jails
Common Issue: Missing Services
If you removed a service (like cockpit), its fail2ban jail will break:
# Search for errors
sudo tail -20 /var/log/fail2ban.log
# Example error:
ERROR Found no accessible config files for 'filter.d/cockpit'
Fix: Disable the broken jail:
sudo nano /etc/fail2ban/jail.local
Set enabled = false for the broken jail:
[cockpit]
enabled = false
Common Issue: Wrong Log Path
# Check jails that can't find log files
sudo fail2ban-client status | grep "Jail list"
Fix: Update the log path:
sudo nano /etc/fail2ban/jail.d/iredmail.local
[roundcube]
enabled = true
# Verify this path exists
logpath = /var/log/nginx/roundcubemail.log
Step 3: Test Your Jails
Manual Ban Test
# Ban a test IP (use a harmless IP like 192.0.2.1)
sudo fail2ban-client set sshd banip 192.0.2.1
# Verify it was banned
sudo fail2ban-client status sshd | grep "Banned IP list"
# Unban the test IP
sudo fail2ban-client set sshd unbanip 192.0.2.1
Simulate Failed Login
For SSH:
# From another machine or use a different user
ssh fakeuser@yourdomain.com
# Enter wrong password 3+ times
For SMTP:
openssl s_client -connect mail.yourdomain.com:465 -crlf
# Then send wrong credentials
Check if fail2ban triggers:
sudo tail -f /var/log/fail2ban.log
Step 4: Configure Email Alerts
Enable Email Notifications
Edit your jail configuration:
sudo nano /etc/fail2ban/jail.local
Add or modify:
[DEFAULT]
destemail = admin@yourdomain.com
sendername = fail2ban
mta = sendmail
action = %(action_mwl)s
[sshd]
enabled = true
action = %(action_mwl)s
[postfix]
enabled = true
action = %(action_mwl)s
Install Sendmail (if not installed)
sudo dnf install sendmail sendmail-cf -y
sudo systemctl enable sendmail
sudo systemctl start sendmail
Test Email Alert
sudo fail2ban-client set sshd banip 192.0.2.1
# Check your email for the notification
sudo fail2ban-client set sshd unbanip 192.0.2.1
Step 5: Configure Telegram Alerts (Real-Time)
Email is good, but push notifications are better.
Create a Telegram Bot
- Open Telegram and search for @BotFather
- Send: /newbot
- Name your bot: Your Server Alerts
- Username: your_server_alerts_bot
- Save the token (looks like: 7234567890:AAGkFjKf-9f8KJHG8)
Get Your Chat ID
- Search for @userinfobot in Telegram
- Send /start
- Save your chat ID (a number like 123456789)
Create Fail2ban Action
sudo mkdir -p /etc/fail2ban/action.d/
sudo nano /etc/fail2ban/action.d/telegram.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = curl -s -X POST "https://api.telegram.org/bot<YOUR_TOKEN>/sendMessage" -d "chat_id=<YOUR_CHAT_ID>" -d "text=🚨 FAIL2BAN: <name> banned <ip> for <failures> failures" -d "parse_mode=HTML"
actionunban = curl -s -X POST "https://api.telegram.org/bot<YOUR_TOKEN>/sendMessage" -d "chat_id=<YOUR_CHAT_ID>" -d "text=✅ FAIL2BAN: <name> unbanned <ip>"
[Init]
name = telegram
Enable Telegram for Jails
sudo nano /etc/fail2ban/jail.local
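Add under [sshd] and [postfix]. Keep a ban action and put the Telegram action on an indented continuation line: setting action to telegram alone replaces the ban action, so the jail would send notifications without blocking anything. %(action_)s is the stock ban-only action from jail.conf; use %(action_mwl)s instead if you kept the email alerts from Step 4. Change the name value for the postfix jail.
action = %(action_)s
         telegram[name="SSH"]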
Restart fail2ban:
sudo systemctl restart fail2ban
Step 6: Configure ntfy.sh Push Notifications (Simpler Alternative)
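ntfy.sh is even easier than Telegram: no bot creation required. Topics on the public ntfy.sh server are not password-protected, so anyone who knows or guesses the topic name can read your alerts. Choose a long, random topic name.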
Install ntfy client
sudo dnf install curl -y
Create the action
sudo nano /etc/fail2ban/action.d/ntfy.conf
[Definition]
actionban = curl -H "Title: 🚨 Fail2ban Alert" -H "Priority: high" -H "Tags: warning" -d "<name> banned <ip> for <failures> failures" https://ntfy.sh/YOUR-TOPIC-NAME
actionunban = curl -H "Title: ✅ Fail2ban Unban" -H "Priority: low" -d "<name> unbanned <ip>" https://ntfy.sh/YOUR-TOPIC-NAME
Install ntfy App
- Download ntfy from ntfy.sh (iOS/Android)
- Subscribe to YOUR-TOPIC-NAME
Test
curl -H "Title: Test" -d "Fail2ban is monitoring your server" https://ntfy.sh/YOUR-TOPIC-NAME
Step 7: Advanced Fail2ban Configuration
Whitelist Your IP
Prevent yourself from being banned:
sudo fail2ban-client set sshd addignoreip YOUR_IP_ADDRESS
sudo fail2ban-client set postfix addignoreip YOUR_IP_ADDRESS
Permanent whitelist (in jail.local):
[DEFAULT]
ignoreip = 127.0.0.1/8 YOUR_IP_ADDRESS
Adjust Ban Times
[DEFAULT]
# 1 hour (default)
bantime = 3600
# 10 minute window
findtime = 600
# 5 failures before ban
maxretry = 5
[recidive]
# 1 week for repeat offenders
bantime = 604800
Create Custom Jail
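Example: block IPs scanning for WordPress. The jail references filter = wordpress, so a matching filter definition must exist at /etc/fail2ban/filter.d/wordpress.conf; without it the jail fails with the same "Found no accessible config files" error shown in Step 2: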
sudo nano /etc/fail2ban/jail.d/wordpress.conf
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/nginx/access.log
maxretry = 3
bantime = 3600
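A dry run for this jail, as an added example rather than part of the original guide: it counts requests for WordPress paths per client in an nginx access log and lists the clients at or above maxretry. The path list (wp-login.php, xmlrpc.php, wp-admin), the function name and the sample log lines are assumptions; it is not the fail2ban filter itself and it ignores findtime.

```shell
#!/bin/bash
# Added example: estimate which clients a WordPress-scan jail would catch.

# Constructed nginx access-log lines (combined format, documentation IPs).
SAMPLE_LOG='198.51.100.7 - - [10/Mar/2025:06:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 146 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2025:06:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 146 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2025:06:01:04 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 146 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2025:06:02:10 +0000] "GET /mail/ HTTP/1.1" 200 512 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:06:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 146 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:06:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 146 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2025:06:03:01 +0000] "POST /wp-login.php HTTP/1.1" 404 146 "-" "python-requests/2.31"'

# wp_scan_offenders MAXRETRY
# Reads an access log on stdin and prints "ip count" for every client with at
# least MAXRETRY requests for a WordPress path. Only the request line is
# matched, so a WordPress URL in the Referer field is not counted. The count
# covers the whole input, so it over-estimates compared with a findtime window.
wp_scan_offenders() {
    awk -v max="$1" '
        /"(GET|POST|HEAD) [^ "]*\/(wp-login\.php|xmlrpc\.php|wp-admin)/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= max + 0) print ip, hits[ip] }
    ' | sort
}

# Demo with the jail's maxretry = 3. On a live server:
#   wp_scan_offenders 3 < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | wp_scan_offenders 3
```

Compare the listed addresses with your own before enabling the jail, and add any legitimate ones to ignoreip.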
Step 8: Monitoring and Reporting
Daily Report Script
sudo nano /usr/local/bin/fail2ban-report.sh
#!/bin/bash
# Daily fail2ban report
echo "=========================================="
echo "FAIL2BAN REPORT - $(hostname)"
echo "Date: $(date)"
echo "=========================================="
echo ""
# Extract the jail names from the "Jail list" line and report on each one
for JAIL in $(sudo fail2ban-client status | grep "Jail list" | cut -d: -f2 | tr -d ' ' | tr ',' ' '); do
    echo "=== $JAIL ==="
    sudo fail2ban-client status "$JAIL" | grep -E "Currently banned|Total banned|Banned IP list"
    echo ""
done
Make it executable and add to cron:
sudo chmod +x /usr/local/bin/fail2ban-report.sh
sudo crontab -e
Add:
0 6 * * * /usr/local/bin/fail2ban-report.sh | mail -s "Fail2ban Daily Report" admin@yourdomain.com
Troubleshooting
| Issue | Solution |
|---|---|
| Fail2ban not starting | Check config: sudo fail2ban-client -t |
| No emails received | Check mail service: systemctl status sendmail |
| Telegram not working | Test curl: curl -X POST "https://api.telegram.org/botTOKEN/getMe" |
| IP not being banned | Check maxretry and findtime settings |
| Too many false positives | Whitelist trusted IPs or increase maxretry |
Conclusion
Fail2ban is your first line of defense against automated attacks. With this configuration:
- ✅ All critical services are monitored
- ✅ Broken jails are fixed
- ✅ Real-time notifications via email and Telegram
- ✅ Repeat offenders get longer bans
- ✅ Daily reports keep you informed
Your iRedMail server is now actively defended and you’ll know about attacks immediately.