How to Install and Configure Fail2Ban for Zimbra

Posted by

This article was inspired by an article by L. Mark Stone at this link: Zimbra-fail2ban-for-submission-only. I tried the guide and it worked. I added several configurations to my Fail2Ban to block connections on the Zimbra webmail, SMTP and admin ports if failed login for several times. Then, I use iptables on my Fail2Ban.

Below is how to install and configure Fail2Ban for Zimbra. In this guidance, I use CentOS. Please adjust python-pip version if use another OS

1. Install pip

yum install python3-pip

2. Install dependencies required by Fail2Ban

pip3 install pyinotify
pip3 install dnspython

3. Download and extract Fail2Ban

cd /tmp/
wget -c

4. Install Fail2Ban

tar -xvf 0.9.4.tar.gz
cd fail2ban-0.9.4
python3 install

5. Copy Fail2Ban service to systemd

cp files/fail2ban.service /usr/lib/systemd/system/

6. Adjust bin location on Fail2Ban service

vi /usr/lib/systemd/system/fail2ban.service

Adjust the following lines. Change /usr/bin become /usr/local/bin

ExecStart=/usr/local/bin/fail2ban-client -x start
ExecStop=/usr/local/bin/fail2ban-client stop
ExecReload=/usr/local/bin/fail2ban-client reload

Create fail2ban folder

mkdir /var/run/fail2ban
vi /usr/lib/tmpfiles.d/var.conf

Add this line at the bottom

d /var/run/fail2ban 0755 - - -

Reload systemd

systemctl daemon-reload

7. Create zimbra.jail

vi /etc/fail2ban/jail.d/zimbra.local

Fill with the following lines and save

enabled = true
filter = zimbra-submission
logpath = /var/log/zimbra.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-submission, port="25,465,587", protocol=tcp]

enabled = true
filter = zimbra-webmail
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-webmail, port="80,443", protocol=tcp]

enabled = true
filter = zimbra-admin
logpath = /opt/zimbra/log/mailbox.log
maxretry = 3
findtime = 3600
bantime = 36000
action = iptables-multiport[name=zimbra-admin, port="7071", protocol=tcp]

8. Create filters
– Zimbra Admin

curl -k > /etc/fail2ban/filter.d/zimbra-admin.conf

– Zimbra Webmail

curl -k > /etc/fail2ban/filter.d/zimbra-webmail.conf

– Zimbra SMTP/SMTPS/Submission

curl -k > /etc/fail2ban/filter.d/zimbra-submission.conf

9. Ignore localhost and Zimbra IP

Open file /etc/fail2ban/jail.conf. Find line “ignoreip =” and add the IP address that will be ignored from Fail2Ban checking. You can use comma or space to add multiple IP


10. Enable and restart Fail2Ban

systemctl enable fail2ban
systemctl restart fail2ban

Additional Configuration :

– Block type that uses by Fail2Ban is “REJECT –reject-with icmp-port-unreachable”. If you want to use DROP, open file /etc/fail2ban/action.d/iptables-common.conf and change it to blocktype = DROP

11. Test regex

You can test regex with run this command

fail2ban-regex /opt/zimbra/log/mailbox.log /etc/fail2ban/filter.d/zimbra-webmail.conf

Now my Zimbra already use Fail2Ban. If you want to see ip address that blocked by Fail2Ban, run fail2ban-client command

fail2ban-client status

If you want to see zimbra-webmail jail, run command

fail2ban-client status zimbra-webmail
[root@mail ~]# fail2ban-client status zimbra-webmail
Status for the jail: zimbra-webmail
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	11
|  `- File list:	/opt/zimbra/log/mailbox.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	123.xx.xx.xx

Good luck šŸ™‚


  1. Hi;

    I installed Faail2ban and it worked.
    does not work after restarting the system
    I am getting this error;
    fail2ban.service – Fail2Ban Service
    Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor pre set: disabled)
    Active: failed (Result: start-limit) since Fri 2020-07-10 12:49:55 +03; 1h 30 min ago
    Docs: man: fail2ban (1)
    Process: 1817 ExecStart = / usr / local / bin / fail2ban-client -x start (code = exited, status = 255)

    1. Hi Hakan Gulnar,
      Thank you for your report. It seems the fail2ban folder does not exist on /var/run folder. Please run this command to solve your problem

      mkdir /var/run/fail2ban

      I am also update the guidance on number 6

  2. Hi iman,
    i got this error
    [root@mail fail2ban-0.9.4]# systemctl enable fail2ban
    Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/fail2ban.service

    [root@mail fail2ban-0.9.4]# systemctl restart fail2ban
    Failed to restart fail2ban.service: Unit not found.

  3. Great work, thank you very much Iman!

    I had to add a third line in /etc/fail2ban/filter.d/zimbra-submission.conf

    failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[\]: SASL \w+ authentication failed: authentication failure$
    postfix\/smtps\/smtpd\[\d+\]: warning: .*\[\]: SASL \w+ authentication failed: authentication failure$
    postfix\/smtpd\[\d+\]: warning: .*\[\]: SASL \w+ authentication failed: authentication failure$

    in order to match port 25 only attempts (logged as “postfix/smtpd” on my zimbra.log)

    Again, awesome work!!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.