From e448b5e53e7741b9d4862bdfea2cb5aed72d7543 Mon Sep 17 00:00:00 2001
From: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
Date: Sun, 3 Aug 2025 10:37:41 +0200
Subject: [PATCH] chore: disable F2B `postfix-sasl` jail (#4535)
Signed-off-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
---
 CHANGELOG.md | 5 +++++
 config-examples/fail2ban-jail.cf | 3 ---
 docs/content/config/security/fail2ban.md | 9 ++++++++
 target/fail2ban/jail.local | 3 ---
 .../parallel/set1/spam_virus/fail2ban.bats | 22 +++++++------------
 5 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0acc374e..220f7d5d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,11 @@ All notable changes to this project will be documented in this file. The format
 - Refactored `setup config dkim` (`open-dkim`) ([#4375](https://github.com/docker-mailserver/docker-mailserver/pull/4375))
 - `setup email list` and the default `ENABLE_QUOTAS=1` ENV now better communicates when config is incompatible ([#4453](https://github.com/docker-mailserver/docker-mailserver/pull/4453))
+### Removed
+
+- **Fail2Ban**
+ - Removed `postfix-sasl` jail by default as it is covered by `postfix[mode=extra]` already ([#4535](https://github.com/docker-mailserver/docker-mailserver/pull/4535))
+
 ## [v15.0.2](https://github.com/docker-mailserver/docker-mailserver/releases/tag/v15.0.2)
 ### Fixes
diff --git a/config-examples/fail2ban-jail.cf b/config-examples/fail2ban-jail.cf
index 6866ddf3..41e9fbe1 100644
--- a/config-examples/fail2ban-jail.cf
+++ b/config-examples/fail2ban-jail.cf
@@ -29,9 +29,6 @@ enabled = true
 # https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760
 mode = extra
-[postfix-sasl]
-enabled = true
-
 # This jail is used for manual bans.
 # To ban an IP address use: setup.sh fail2ban ban
 [custom]
diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md
index 8efb2fca..54bde243 100644
--- a/docs/content/config/security/fail2ban.md
+++ b/docs/content/config/security/fail2ban.md
@@ -78,6 +78,15 @@ This following configuration files inside the `docker-data/dms/config/` volume w
 [github-file-f2bjail]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-jail.cf
 [github-file-f2bconfig]: https://github.com/docker-mailserver/docker-mailserver/blob/master/config-examples/fail2ban-fail2ban.cf
+### SASL
+
+The `postfix` jail comes with `mode=extra` by default, which covers SASL login errors for our default SASL provider. Hence, the `postfix-sasl` jail has been disabled. If you switch to another SASL provider (e.g., SASLauthd), you may want to turn the `postfix-sasl` jail back on:
+
+```ini title="docker-data/dms/config/fail2ban-jail.cf"
+[postfix-sasl]
+enabled = true
+```
+
 ### Viewing All Bans
 When just running
diff --git a/target/fail2ban/jail.local b/target/fail2ban/jail.local
index 6866ddf3..41e9fbe1 100644
--- a/target/fail2ban/jail.local
+++ b/target/fail2ban/jail.local
@@ -29,9 +29,6 @@ enabled = true
 # https://github.com/docker-mailserver/docker-mailserver/issues/3256#issuecomment-1511188760
 mode = extra
-[postfix-sasl]
-enabled = true
-
 # This jail is used for manual bans.
 # To ban an IP address use: setup.sh fail2ban ban
 [custom]
diff --git a/test/tests/parallel/set1/spam_virus/fail2ban.bats b/test/tests/parallel/set1/spam_virus/fail2ban.bats
index f451befd..5088fa1c 100644
--- a/test/tests/parallel/set1/spam_virus/fail2ban.bats
+++ b/test/tests/parallel/set1/spam_virus/fail2ban.bats
@@ -34,7 +34,7 @@ function teardown_file() {
 }
 @test "localhost is not banned because ignored" {
- _run_in_container fail2ban-client status postfix-sasl
+ _run_in_container fail2ban-client status postfix
 assert_success
 refute_output --regexp '.*IP list:.*127\.0\.0\.1.*'
@@ -49,7 +49,7 @@ function teardown_file() {
 }
 @test "fail2ban-jail.cf overrides" {
- for FILTER in 'dovecot' 'postfix' 'postfix-sasl'; do
+ for FILTER in 'dovecot' 'postfix'; do
 _run_in_container fail2ban-client get "${FILTER}" bantime
 assert_output 1234
@@ -62,7 +62,6 @@ function teardown_file() {
 _run_in_container fail2ban-client -d
 assert_output --partial "['set', 'dovecot', 'addaction', 'nftables-multiport']"
 assert_output --partial "['set', 'postfix', 'addaction', 'nftables-multiport']"
- assert_output --partial "['set', 'postfix-sasl', 'addaction', 'nftables-multiport']"
 done
 }
@@ -87,12 +86,12 @@ function teardown_file() {
 # Checking that CONTAINER2_IP is banned in "${CONTAINER1_NAME}"
 CONTAINER2_IP=$(_get_container_ip "${CONTAINER2_NAME}")
- run _repeat_in_container_until_success_or_timeout 10 "${CONTAINER_NAME}" /bin/bash -c "fail2ban-client status postfix-sasl | grep -F '${CONTAINER2_IP}'"
+ run _repeat_in_container_until_success_or_timeout 10 "${CONTAINER_NAME}" /bin/bash -c "fail2ban-client status postfix | grep -F '${CONTAINER2_IP}'"
 assert_success
 assert_output --partial 'Banned IP list:'
 # Checking that CONTAINER2_IP is banned by nftables
- _run_in_container_bash 'nft list set inet f2b-table addr-set-postfix-sasl'
+ _run_in_container_bash 'nft list set inet f2b-table addr-set-postfix'
 assert_success
 assert_output --partial "elements = { ${CONTAINER2_IP} }"
 }
@@ -100,17 +99,13 @@ function teardown_file() {
 # NOTE: Depends on previous test case, if no IP was banned at this point, it passes regardless..
 @test "unban ip works" {
 CONTAINER2_IP=$(_get_container_ip "${CONTAINER2_NAME}")
- _run_in_container fail2ban-client set postfix-sasl unbanip "${CONTAINER2_IP}"
+ _run_in_container fail2ban-client set postfix unbanip "${CONTAINER2_IP}"
 assert_success
 # Checking that CONTAINER2_IP is unbanned in "${CONTAINER1_NAME}"
- _run_in_container fail2ban-client status postfix-sasl
+ _run_in_container fail2ban-client status postfix
 assert_success
 refute_output --partial "${CONTAINER2_IP}"
-
- # Checking that CONTAINER2_IP is unbanned by nftables
- _run_in_container_bash 'nft list set inet f2b-table addr-set-postfix-sasl'
- refute_output --partial "${CONTAINER2_IP}"
 }
 @test "bans work properly (single IP)" {
@@ -157,7 +152,7 @@ function teardown_file() {
 @test "FAIL2BAN_BLOCKTYPE is really set to drop" {
 # ban IPs here manually so we can be sure something is inside the jails
- for JAIL in dovecot postfix-sasl custom; do
+ for JAIL in dovecot custom; do
 _run_in_container fail2ban-client set "${JAIL}" banip 192.33.44.55
 assert_success
 done
@@ -165,11 +160,10 @@ function teardown_file() {
 _run_in_container nft list table inet f2b-table
 assert_success
 assert_output --partial 'tcp dport { 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-dovecot drop'
- assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995 } ip saddr @addr-set-postfix-sasl drop'
 assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-custom drop'
 # unban the IPs previously banned to get a clean state again
- for JAIL in dovecot postfix-sasl custom; do
+ for JAIL in dovecot custom; do
 _run_in_container fail2ban-client set "${JAIL}" unbanip 192.33.44.55
 assert_success
 done
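Review bot: The nftables check in `unban ip works` is deleted rather than retargeted, so the test no longer verifies that `fail2ban-client set postfix unbanip` also removes the address from the kernel set, while `bans work properly` in the preceding `@@ -87` hunk still asserts the ban side through `addr-set-postfix`. Keeping the check symmetric costs two lines after the existing `refute_output --partial "${CONTAINER2_IP}"`: `_run_in_container_bash 'nft list set inet f2b-table addr-set-postfix'` followed by `refute_output --partial "${CONTAINER2_IP}"`. Because `refute_output` also passes when the command fails and prints nothing, an `assert_success` between those two lines is what makes the check meaningful; whether listing the now-empty set succeeds is not visible here, though the ban test's `assert_success` on the same command suggests the set persists.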
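Review bot: Dropping `postfix-sasl` from the `JAIL` loop in `FAIL2BAN_BLOCKTYPE is really set to drop` (and the matching `@addr-set-postfix-sasl drop` assertion in the `@@ -165` hunk below) leaves the default `postfix` jail, which per this change is now the jail covering SASL failures, without any assertion that its nftables rule uses `drop`; the remaining `dovecot` and `custom` checks do not cover it. Substituting `postfix` in both loops, `for JAIL in dovecot postfix custom; do`, and adding an `assert_output --partial` for the `@addr-set-postfix drop` rule with the port list the container actually configures for that jail (not visible in this diff) would preserve the coverage the removed assertion gave. The unban loop in the later hunk must change in step, otherwise the manual ban on 192.33.44.55 would remain in the `postfix` jail after the test.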