I installed Crowdsec on my Mailcow server after this blog: https://blog.vacum.se/securing-mailcow-with-crowdsec/ You just have to adjust the names of the Mailcow containers in /etc/crowdsec/acquis.yaml to the current names but then it works perfectly. And it's really impressive what Crowdsec finds. Mailcow's netfilter is nice but it's no comparison to what you can filter with Crowdsec. I highly recommend it. In my opinion, it's a must-have for every Mailcow operator.

Hmm... my main goal of hosting my own mail server was (and still is) to maintain my privacy. Installing crowdsec and therefore exposing my logs to a cloud service is somewhat counterproductive in my opinion...

And what private information goes to Crowdsec? That someone from the USA, China or wherever starts BF attacks, port scans or other scans on your server? What is so worth protecting about that? What is the alternative that you think is better? Example from today morning: [upl-image-preview url=https://community.mailcow.email/assets/files/2024-08-16/1723794539-831500-image.png]

Well, it's basically a log parser which uploads information to the crowdsec cloud service to update the global blacklists. If that's ok for you then go ahead, I'm just not a fan of services which don't work on a local basis only. fail2ban is sufficient for me But I'll have a deeper look into crowdsec, maybe I'm wrong about that :)

Do you also check the Docker logs with Fail2ban? I tried to find information about it but unfortunately didn't find much.

@"Ganzjahresgriller"#p17753 You said this: /etc/crowdsec/acquis.yaml to the current names. I am having trouble knowing how to change this file to make it work. What did you change? Thanks

My one: --- # lines for mailcow source: docker container_name: - mailcowdockerized-nginx-mailcow-1 labels: type: nginx --- source: docker container_name: - mailcowdockerized-dovecot-mailcow-1 - mailcowdockerized-postfix-mailcow-1 labels: type: syslog --- This works for me

@"Ganzjahresgriller"#p24091 I'm getting errors in the log file: [code] time="2025-04-13T10:15:44-04:00" level=fatal msg="crowdsec init: while loading acquisition config: while configuring datasource of type docker from /etc/crowdsec/acquis.yaml (position 0): while parsing DockerAcquisition configuration: yaml: unmarshal errors:\n line 3: cannot unmarshal !!str `mailcow...` into []string\n line 4: field type not found in type dockeracquisition.DockerConfiguration" [/code] acquis.yaml file: [code] source: docker container_name: mailcowdockerized-nginx-mailcow-1 labels: type: nginx --- source: docker container_name: mailcowdockerized-dovecot-mailcow-1 mailcowdockerized-postfix-mailcow-1 labels: type: syslog --- [/code]

Try to remove the blank Line No. 4

@"Ganzjahresgriller"#p24117 After doing that then there is this log error: [code] time="2025-04-14T07:23:17-04:00" level=fatal msg="crowdsec init: while loading acquisition config: while configuring datasource of type docker from /etc/crowdsec/acquis.yaml (position 0): while parsing DockerAcquisition configuration: yaml: unmarshal errors:\n line 3: cannot unmarshal !!str `mailcow...` into []string\n line 4: field type not found in type dockeracquisition.DockerConfiguration" [/code]

Do you have installed the parsers? cscli parsers install crowdsecurity/docker-logs cscli collections install crowdsecurity/nginx cscli collections install crowdsecurity/postfix cscli collections install crowdsecurity/dovecot

Big fat recommendation for Crowdsec

Davide

DocFraggle From what I understand, the logs can remain entirely within my network and be analyzed by a local process.

disgustipated

Crowdsec looks interesting, but do many of the mailcow users have a proper firewall in front of your server? I have pfsense and after some config with snort and pfblockerng, the random script kiddie hacks from known IP addresses on the spam lists that are handled by pfblockerng which are trying to knock on my door have nearly completely disappeared.

Ganzjahresgriller

@maybl8 Yes i have this message too. But you can see whats going on at the command promt: cscli decision list

Steve_FR

I just install crowdsec /mailcow on debian 12
At first glance, everything seemed to be working.
I see alerts, my bouncer is ticked etc etc.
I test my config :
I banned the IP address of a VPN I use and tried connecting to my MailCow, and strangely, the connection went through without a hitch.
Solution :
If you’re using Debian and have Debian’s cs-firewall-bouncer, don’t forget to check out:
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
and uncomment

DOCKER-USER
in the iptables_chains section

Source : https://docs.crowdsec.net/u/bouncers/firewall/#iptables_chains
note : If you are using a dockerized application and allow remote connections to the exposed port, you need to add the DOCKER-USER chain to the list of chains.

« Previous Page