mail server in jail, host pf, and fail2ban

Chris Gordon freebsd at
Sat Jun 22 19:07:47 UTC 2019

Assuming your jail host can see the files inside the jail -- specifically the jail's /var/log/maillog -- you could run fail2ban on the jail host where it has access to pf and simply point it to the jail's /var/log/maillog.

For example, assume your mail jail is named mailserver. (NOTE:  I'm using iocage to manage my jails so some of the path will be part of iocage's standards.)  On your jail host, in /usr/local/etc/fail2ban/jail.local, you would use a stanza such as:

enabled = yes
port    = smtp,465,submission
logpath  = /iocage/jails/mailserver/root/var/log/maillog
backend  = %(postfix_backend)s


* By "jail host" I mean the machine running the jails.

> On Jun 22, 2019, at 11:50 AM, David Mehler <dave.mehler at> wrote:
> Hello,
> I've got a pf/fail2ban/jail/postscreen question. I'm running a mail
> system in a FreeBSD jail, and on the host system I'm using the pf
> firewall. What I'm getting are connections to my jail's postscreen
> port 25, what I'd like to get done is to try to get those IPs scanned
> for on the host and banned by fail2ban and pf.
> Suggestions welcome.
> Thanks.
> Dave.

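Added example (not part of the original thread, and not fail2ban's own code): a Python illustration of the check the reply delegates to fail2ban on the jail host, counting postscreen PREGREET and DNSBL events per client address in the jail's maillog inside a time window. The log lines are constructed, the regex is hand-written rather than a shipped fail2ban filter, and the maxretry/findtime values and the year are assumptions.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed postscreen lines in the shape they take in the jail's maillog
# (addresses come from the RFC 5737 documentation ranges).
SAMPLE_MAILLOG = """\
Jun 22 11:40:01 mailserver postfix/postscreen[4121]: CONNECT from [192.0.2.10]:51234 to [198.51.100.5]:25
Jun 22 11:40:01 mailserver postfix/postscreen[4121]: PREGREET 14 after 0.08 from [192.0.2.10]:51234: EHLO scanner\\r\\n
Jun 22 11:40:07 mailserver postfix/postscreen[4121]: DNSBL rank 3 for [192.0.2.10]:51234
Jun 22 11:41:30 mailserver postfix/postscreen[4121]: CONNECT from [203.0.113.7]:40022 to [198.51.100.5]:25
Jun 22 11:41:36 mailserver postfix/postscreen[4121]: PASS NEW [203.0.113.7]:40022
Jun 22 11:43:12 mailserver postfix/postscreen[4121]: PREGREET 14 after 0.05 from [192.0.2.10]:51301: EHLO scanner\\r\\n
Jun 22 12:30:00 mailserver postfix/postscreen[4121]: DNSBL rank 2 for [203.0.113.7]:40100
"""

# Hand-written pattern (an assumption, not a stock fail2ban filter): only
# PREGREET and DNSBL events count as failures; CONNECT and PASS lines do not.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
    r"(?:PREGREET \d+ after \S+ from|DNSBL rank \d+ for) \[(?P<ip>[^\]]+)\]:\d+"
)

def ban_candidates(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2019):
    """Return client IPs with at least maxretry failures inside findtime, in ban order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one has to be supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > findtime:   # drop failures older than the window
            hits.popleft()
        if len(hits) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

if __name__ == "__main__":
    # On the jail host, pass the jail's log path; without one the sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    print(ban_candidates(text))
```

Running it on the jail host against /iocage/jails/mailserver/root/var/log/maillog also confirms that the host can read the jail's log at that path, which is the assumption the reply starts from.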