Every exposed SMTP and IMAP port is a target. Credential stuffing bots hammer your Postfix SASL and Dovecot logins around the clock. Defensia detects 11 email attack patterns and blocks them automatically.
These are real log entries from a production mail server. Every line is a brute force attempt trying to guess credentials.
```
Mar 26 03:14:22 mail postfix/smtpd[18432]: warning: unknown[185.234.72.19]: SASL LOGIN authentication failed: UGFzc3dvcmQ=
Mar 26 03:14:23 mail postfix/smtpd[18432]: warning: unknown[185.234.72.19]: SASL LOGIN authentication failed: UGFzc3dvcmQ=
Mar 26 03:14:25 mail postfix/smtpd[18432]: warning: unknown[185.234.72.19]: SASL PLAIN authentication failed
Mar 26 03:14:31 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<admin@example.com>, method=PLAIN, rip=91.242.37.105
Mar 26 03:14:33 mail dovecot: pop3-login: Aborted login (auth failed, 5 attempts): user=<info@example.com>, rip=91.242.37.105
Mar 26 03:14:40 mail postfix/submission/smtpd[18501]: warning: unknown[45.155.205.8]: SASL LOGIN authentication failed: authentication failure
Mar 26 03:14:42 mail roundcube: IMAP Error: Login failed for admin@example.com from 193.32.162.71. AUTHENTICATE PLAIN: Authentication failed.
```
7 attacks in 20 seconds. This goes on 24/7.
Defensia monitors your mail.log and detects every type of email brute force attack. No regex files. No manual configuration.
| Service | Log Pattern | What It Means |
|---|---|---|
| POSTFIX | SASL LOGIN authentication failed | SMTP login brute force via LOGIN mechanism |
| POSTFIX | SASL PLAIN authentication failed | SMTP login brute force via PLAIN mechanism |
| POSTFIX | SASL authentication failed: authentication failure | Generic SASL failure (PAM/LDAP backend) |
| POSTFIX | too many errors after AUTH | Rapid-fire auth attempts (bot behavior) |
| POSTFIX | lost connection after AUTH from unknown | Attacker disconnects after failed auth probe |
| DOVECOT | imap-login: Disconnected (auth failed, N attempts) | IMAP credential stuffing |
| DOVECOT | pop3-login: Aborted login (auth failed, N attempts) | POP3 credential stuffing |
| DOVECOT | imap-login: Disconnected (no auth attempts) | Port scanner probing IMAP |
| DOVECOT | auth: passwd-file: unknown user | Username enumeration attempt |
| ROUNDCUBE | IMAP Error: Login failed for ... AUTHENTICATE PLAIN | Webmail brute force via Roundcube |
| ROUNDCUBE | Failed login for ... from ... | Roundcube login failure with IP |
Defensia auto-detects your mail.log location and starts monitoring immediately. No jail configs, no filter files, no restarts.
One command. Works on Ubuntu, Debian, CentOS, RHEL, Rocky, Alma, and Amazon Linux.
Defensia scans standard log paths (/var/log/mail.log, /var/log/maillog, /var/log/mail.err) and starts monitoring immediately.
```
[ok] Detected /var/log/mail.log (Postfix + Dovecot)
[ok] Detected /var/log/roundcube/errors.log (Roundcube)
[ok] 11 email attack patterns loaded
```
When an IP fails authentication multiple times, Defensia bans it via iptables/ipset. Every event is reported to your dashboard with full context.
```
[ok] Banned 185.234.72.19 — 6x SASL LOGIN failures in 120s
[ok] Banned 91.242.37.105 — 8x Dovecot auth failures in 60s
[ok] Events reported to dashboard
```
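As an added illustration (not Defensia's own code), the following Python detector applies the patterns from the table above to the sample log lines and makes the ban decision described here: count failures per IP inside a sliding window, skip whitelisted IPs, ban once the threshold is reached. Pattern names, regexes, the threshold of 3 and the 60-second window are this example's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Pattern names and regexes are this example's own, modelled on the page's table.
PATTERNS = [
    ("postfix-sasl-login", re.compile(r"postfix/\S+\[\d+\]: warning: \S+\[" + IP + r"\]: SASL LOGIN authentication failed")),
    ("postfix-sasl-plain", re.compile(r"postfix/\S+\[\d+\]: warning: \S+\[" + IP + r"\]: SASL PLAIN authentication failed")),
    ("dovecot-imap", re.compile(r"dovecot: imap-login: Disconnected \(auth failed, \d+ attempts[^)]*\):.*rip=" + IP)),
    ("dovecot-pop3", re.compile(r"dovecot: pop3-login: Aborted login \(auth failed, \d+ attempts[^)]*\):.*rip=" + IP)),
    ("roundcube", re.compile(r"roundcube: IMAP Error: Login failed for \S+ from " + IP + r"\.")),
]

# Constructed sample input: the seven lines shown on this page.
SAMPLE_LOG = """\
Mar 26 03:14:22 mail postfix/smtpd[18432]: warning: unknown[185.234.72.19]: SASL LOGIN authentication failed: UGFzc3dvcmQ=
Mar 26 03:14:23 mail postfix/smtpd[18432]: warning: unknown[185.234.72.19]: SASL LOGIN authentication failed: UGFzc3dvcmQ=
Mar 26 03:14:25 mail postfix/smtpd[18432]: warning: unknown[185.234.72.19]: SASL PLAIN authentication failed
Mar 26 03:14:31 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<admin@example.com>, method=PLAIN, rip=91.242.37.105
Mar 26 03:14:33 mail dovecot: pop3-login: Aborted login (auth failed, 5 attempts): user=<info@example.com>, rip=91.242.37.105
Mar 26 03:14:40 mail postfix/submission/smtpd[18501]: warning: unknown[45.155.205.8]: SASL LOGIN authentication failed: authentication failure
Mar 26 03:14:42 mail roundcube: IMAP Error: Login failed for admin@example.com from 193.32.162.71. AUTHENTICATE PLAIN: Authentication failed.
""".splitlines()

def classify(line):
    """Return (pattern_name, ip) for a line matching one of PATTERNS, else (None, None)."""
    for name, rx in PATTERNS:
        if m := rx.search(line):
            return name, m.group("ip")
    return None, None

def detect_bans(lines, threshold=3, window_s=60, whitelist=()):
    """Ban an IP once it has `threshold` failures within `window_s` seconds; one decision per IP."""
    recent = defaultdict(deque)  # ip -> timestamps of its failures still inside the window
    banned, decisions = set(), []
    for line in lines:
        name, ip = classify(line)
        if name is None or ip in whitelist or ip in banned:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamp (no year)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            banned.add(ip)
            decisions.append((ip, name, len(q)))
    return decisions
```

With the defaults, only 185.234.72.19 crosses the threshold on the sample lines; 91.242.37.105 has two Dovecot failures and is banned only if the threshold is lowered to 2.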
fail2ban can protect Postfix — if you write the regex filters, configure the jails, and maintain them when log formats change.
```
$ apt install fail2ban
$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ nano /etc/fail2ban/jail.local
# Enable [postfix] jail
# Enable [postfix-sasl] jail
# Enable [dovecot] jail
# Write custom filter for Roundcube...
# Tune maxretry, findtime, bantime...
# Test regex with fail2ban-regex...
$ systemctl restart fail2ban
```
3 jails. 3 filter files. Manual tuning required.
```
$ curl -fsSL https://defensia.cloud/install.sh | sudo bash
[ok] Detected /var/log/mail.log
[ok] Postfix SASL protection active (5 patterns)
[ok] Dovecot protection active (4 patterns)
[ok] Roundcube protection active (2 patterns)
[ok] Dashboard connected
```
0 config files. 11 patterns. Automatic.
| Feature | Defensia | fail2ban |
|---|---|---|
| Postfix SASL detection | 5 patterns | 1 regex filter |
| Dovecot detection | 4 patterns | 1 regex filter |
| Roundcube detection | 2 patterns | Manual filter required |
| Auto-detects mail.log | ✓ | ✗ |
| Configuration required | None | 3+ jail configs |
| Real-time dashboard | ✓ | ✗ |
| Multi-server management | ✓ | ✗ |
| SSH + web protection included | ✓ | Separate jails |
| CVE vulnerability scanning | ✓ | ✗ |
| Slack / email / Discord alerts | ✓ | ✗ |
| ipset support (65K+ bans) | ✓ | Partial |
| Whitelist with detection | ✓ | ✗ |
| Open source agent | ✓ | ✓ |
Defensia doesn't stop at mail.log. The same agent protects SSH, web servers, and scans for vulnerabilities.
15 detection patterns for auth failures, pre-auth scanning, protocol mismatches, and PAM errors.
Detects SQL injection, XSS, RCE, path traversal, and 15+ OWASP attack types from nginx/Apache logs.
70+ bot fingerprints. Set per-bot policies: allow, log, or block.
Scans installed packages against NVD, EPSS, and CISA KEV databases.
CPU, memory, disk, network — reported every 60 seconds to your dashboard.
Block traffic from 200+ countries at the firewall level. One click from the dashboard.
No. Defensia auto-detects your mail.log and applies all 11 detection patterns automatically. There are no jail configs, no filter files, and no regex to write or maintain.
Set the WEB_LOG_PATH environment variable on the agent to point to your custom log path. The agent will monitor it alongside any auto-detected paths.
Defensia uses configurable thresholds. A single failed login won't trigger a ban. Only repeated failures from the same IP within a short window will result in a temporary ban. You can also whitelist trusted IPs.
Yes. Both write iptables rules independently. However, most users remove fail2ban after seeing Defensia's broader detection and dashboard — it becomes redundant.
Defensia focuses on authentication attacks. Open relay protection is a Postfix configuration concern (restrict_relay_recipient). Defensia will detect and block IPs that attempt SASL brute force, which is the most common attack vector on mail servers.
Ubuntu 20+, Debian 11+, CentOS 7+, RHEL 8+, Rocky Linux, AlmaLinux, Fedora, and Amazon Linux 2023. The agent requires systemd, iptables, and root access.
One command. 11 detection patterns. Postfix, Dovecot, and Roundcube protected automatically.
Get Started Free. No credit card required. Free plan includes 1 server.