chore: disable F2B postfix-sasl jail (#4535)

Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>

CHANGELOG.md

@@ -34,6 +34,11 @@ All notable changes to this project will be documented in this file. The format
   - Refactored `setup config dkim` (`open-dkim`) ([#4375](https://github.com/docker-mailserver/docker-mailserver/pull/4375))
   - `setup email list` and the default `ENABLE_QUOTAS=1` ENV now better communicates when config is incompatible ([#4453](https://github.com/docker-mailserver/docker-mailserver/pull/4453))
 
+### Removed
+
+- **Fail2Ban**
+  - Removed `postfix-sasl` jail by default as it is covered by `postfix[mode=extra]` already ([#4535](https://github.com/docker-mailserver/docker-mailserver/pull/4535))
+
 ## [v15.0.2](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.2)
 
 ### Fixes

config-examples/fail2ban-jail.cf

@@ -29,9 +29,6 @@ enabled = true
 # https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760
 mode = extra
 
-[postfix-sasl]
-enabled = true
-
 # This jail is used for manual bans.
 # To ban an IP address use: setup.sh fail2ban ban <IP>
 [custom]

docs/content/config/security/fail2ban.md

@@ -78,6 +78,15 @@ This following configuration files inside the `docker-data/dms/config/` volume w
 [github-file-f2bjail]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-jail.cf
 [github-file-f2bconfig]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-fail2ban.cf
 
+### SASL
+
+The `postfix` jail comes with `mode=extra` by default, which covers SASL login errors for our default SASL provider. Hence, the `postfix-sasl` jail has been disabled. If you switch to another SASL provider (e.g., SASLauthd), you may want to turn the `postfix-sasl` jail back on:
+
+```ini title="docker-data/dms/config/fail2ban-jail.cf"
+[postfix-sasl]
+enabled = true
+```
+
 ### Viewing All Bans
 
 When just running

target/fail2ban/jail.local

@@ -29,9 +29,6 @@ enabled = true
 # https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760
 mode = extra
 
-[postfix-sasl]
-enabled = true
-
 # This jail is used for manual bans.
 # To ban an IP address use: setup.sh fail2ban ban <IP>
 [custom]

test/tests/parallel/set1/spam_virus/fail2ban.bats

@@ -34,7 +34,7 @@ function teardown_file() {
 }
 
 @test "localhost is not banned because ignored" {
-  _run_in_container fail2ban-client status postfix-sasl
+  _run_in_container fail2ban-client status postfix
   assert_success
   refute_output --regexp '.*IP list:.*127\.0\.0\.1.*'
 
@@ -49,7 +49,7 @@ function teardown_file() {
 }
 
 @test "fail2ban-jail.cf overrides" {
-  for FILTER in 'dovecot' 'postfix' 'postfix-sasl'; do
+  for FILTER in 'dovecot' 'postfix'; do
     _run_in_container fail2ban-client get "${FILTER}" bantime
     assert_output 1234
 
@@ -62,7 +62,6 @@ function teardown_file() {
     _run_in_container fail2ban-client -d
     assert_output --partial "['set', 'dovecot', 'addaction', 'nftables-multiport']"
     assert_output --partial "['set', 'postfix', 'addaction', 'nftables-multiport']"
-    assert_output --partial "['set', 'postfix-sasl', 'addaction', 'nftables-multiport']"
   done
 }
 
@@ -87,12 +86,12 @@ function teardown_file() {
 
   # Checking that CONTAINER2_IP is banned in "${CONTAINER1_NAME}"
   CONTAINER2_IP=$(_get_container_ip "${CONTAINER2_NAME}")
-  run _repeat_in_container_until_success_or_timeout 10 "${CONTAINER_NAME}" /bin/bash -c "fail2ban-client status postfix-sasl | grep -F '${CONTAINER2_IP}'"
+  run _repeat_in_container_until_success_or_timeout 10 "${CONTAINER_NAME}" /bin/bash -c "fail2ban-client status postfix | grep -F '${CONTAINER2_IP}'"
   assert_success
   assert_output --partial 'Banned IP list:'
 
   # Checking that CONTAINER2_IP is banned by nftables
-  _run_in_container_bash 'nft list set inet f2b-table addr-set-postfix-sasl'
+  _run_in_container_bash 'nft list set inet f2b-table addr-set-postfix'
   assert_success
   assert_output --partial "elements = { ${CONTAINER2_IP} }"
 }
@@ -100,17 +99,13 @@ function teardown_file() {
 # NOTE: Depends on previous test case, if no IP was banned at this point, it passes regardless..
 @test "unban ip works" {
   CONTAINER2_IP=$(_get_container_ip "${CONTAINER2_NAME}")
-  _run_in_container fail2ban-client set postfix-sasl unbanip "${CONTAINER2_IP}"
+  _run_in_container fail2ban-client set postfix unbanip "${CONTAINER2_IP}"
   assert_success
 
   # Checking that CONTAINER2_IP is unbanned in "${CONTAINER1_NAME}"
-  _run_in_container fail2ban-client status postfix-sasl
+  _run_in_container fail2ban-client status postfix
   assert_success
   refute_output --partial "${CONTAINER2_IP}"
-
-  # Checking that CONTAINER2_IP is unbanned by nftables
-  _run_in_container_bash 'nft list set inet f2b-table addr-set-postfix-sasl'
-  refute_output --partial "${CONTAINER2_IP}"
 }
 
 @test "bans work properly (single IP)" {
@@ -157,7 +152,7 @@ function teardown_file() {
 
 @test "FAIL2BAN_BLOCKTYPE is really set to drop" {
   # ban IPs here manually so we can be sure something is inside the jails
-  for JAIL in dovecot postfix-sasl custom; do
+  for JAIL in dovecot custom; do
     _run_in_container fail2ban-client set "${JAIL}" banip 192.33.44.55
     assert_success
   done
@@ -165,11 +160,10 @@ function teardown_file() {
   _run_in_container nft list table inet f2b-table
   assert_success
   assert_output --partial 'tcp dport { 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-dovecot drop'
-  assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995 } ip saddr @addr-set-postfix-sasl drop'
   assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-custom drop'
 
   # unban the IPs previously banned to get a clean state again
-  for JAIL in dovecot postfix-sasl custom; do
+  for JAIL in dovecot custom; do
     _run_in_container fail2ban-client set "${JAIL}" unbanip 192.33.44.55
     assert_success
   done