Lightweight Dovecot authentication failure monitor and brute-force blocker for FreeBSD.

doveguard tails Dovecot logs, detects repeated authentication failures from the same IP within a sliding window, and bans offenders using PF or IPFW. It is FreeBSD-only and aims to be a small, native alternative to fail2ban for Dovecot.

• Real-time log monitoring with rotation handling
• Sliding window failure tracking
• Configurable regex detection patterns
• CIDR whitelist protection
• Automatic ban expiry and persistence
• IPv4/IPv6 support
• Dry-run mode for safe testing
• Memory bounds and clock sanity checks

• FreeBSD 13.0+
• Rust 1.70+ (for building from source)
• PF or IPFW enabled with a persistent table
• Read access to the mail log

cargo build --release
sudo install -m 755 target/release/doveguard /usr/local/bin/

Copy doveguard.conf.sample to /usr/local/etc/doveguard.conf and adjust as needed.

Minimal example:

log_path = "/var/log/maillog"
firewall_backend = "pf"
firewall_table = "doveguard"
threshold = 3
window_seconds = 600
ban_duration_seconds = 86400

Supported backends: pf (default) and ipfw. Configure in /usr/local/etc/doveguard.conf:

firewall_backend = "pf"
firewall_table = "doveguard"

For IPFW:

firewall_backend = "ipfw"
firewall_table = "1"

Add to /etc/pf.conf:

table <doveguard> persist counters
block drop in quick from <doveguard> to any port { 110, 143, 993, 995, 4190 }

Reload PF:

sudo pfctl -f /etc/pf.conf

sudo /usr/local/bin/doveguard

For dry-run testing, set dry_run = true in /usr/local/etc/doveguard.conf.

BSD 2-Clause. See LICENSE.md.