Fail2Ban is installed automatically and bans IP addresses for 3 hours after 3 failed attempts in 10 minutes by default.
If you want to change this, you can easily edit our github example file:
You can do the same with the values from
dbpurgeage. In that case you need to edit:
The configuration files need to be located at the root of the
/tmp/docker-mailserver/ volume bind (usually
This following configuration files from
/tmp/docker-mailserver/ will be copied during container startup.
Example configuration volume bind:
volumes: - ./docker-data/dms/config/:/tmp/docker-mailserver/
docker-mailserver must be launched with the
NET_ADMIN capability in order to be able to install the nftables rules that actually ban IP addresses.
Thus either include
--cap-add=NET_ADMIN in the
docker run command, or the equivalent in
cap_add: - NET_ADMIN
RootlessKit is the fakeroot implementation for supporting rootless mode in Docker and Podman. By default RootlessKit uses the
builtin port forwarding driver, which does not propagate source IP addresses.
It is necessary for
fail2ban to have access to the real source IP addresses in order to correctly identify clients. This is achieved by changing the port forwarding driver to
slirp4netns, which is slower than
builtin but does preserve the real source IPs.
For rootless mode in Docker, create
~/.config/systemd/user/docker.service.d/override.conf with the following content:
And then restart the daemon:
$ systemctl --user daemon-reload $ systemctl --user restart docker
This changes the port driver for all rootless containers managed by Docker.
Per container configuration is not supported, if you need that consider Podman instead.
Rootless Podman requires adding the value
slirp4netns:port_handler=slirp4netns to the
--network CLI option, or
network_mode setting in your
You must also add the ENV
NETWORK_INTERFACE=tap0, because Podman uses a hard-coded interface name for
services: mailserver: network_mode: "slirp4netns:port_handler=slirp4netns" environment: - ENABLE_FAIL2BAN=1 - NETWORK_INTERFACE=tap0 ...
slirp4netns is not compatible with user-defined networks.
You can also manage and list the banned IPs with the
192.168.1.15 is our banned IP.
./setup.sh fail2ban unban 192.168.1.15