
Add Guezli/mailcow collection #1822

Open
Guezli wants to merge 1 commit into crowdsecurity:master from Guezli:add-Guezli-mailcow-collection

Guezli commented Jun 8, 2026

Contributor

Description

One-command install of a layered CrowdSec stack for Mailcow
running on the host (CrowdSec on the Mailcow host, not inside the Mailcow Docker
network). Bundles the official crowdsecurity/postfix + crowdsecurity/dovecot
collections together with my Mailcow-specific scenarios (slow SASL bruteforce,
honeypot usernames, internal-F2B propagation) and the proven third-party
IMAP/POP slow-pattern scenarios from melite and hitech95.

cscli collections install Guezli/mailcow brings up the whole Mailcow defense
in one shot.

Items referenced

| Item | Author | Purpose |
|---|---|---|
| crowdsecurity/postfix | crowdsecurity | Official postfix collection (logs + spam/helo/relay/non-smtp scenarios) |
| crowdsecurity/dovecot | crowdsecurity | Official dovecot collection (logs + spam scenario) |
| Guezli/mailcow-f2b-bans (parser) | Guezli | Parses Mailcow internal netfilter-mailcow ban lines |
| Guezli/postfix-sasl-bf | Guezli | Slow / distributed SASL bruteforce (cap2 / leak 2h) |
| Guezli/postfix-honeypot-users | Guezli | Instant-ban on SASL against role/admin usernames |
| Guezli/mailcow-f2b-feed | Guezli | Propagates Mailcow F2B bans into the local LAPI |
| melite/dovecot-slow-bf | melite | Slow IMAP/POP bruteforce |
| melite/dovecot-time-based-bf | melite | Time-distributed IMAP/POP bruteforce |
| hitech95/mail-generic-bf | hitech95 | Unified mail-auth bruteforce (SMTP+IMAP+POP) |

All referenced items already exist in the hub master index. hublint check
is clean (0 warnings, 0 errors).

Checklist

  • Collection YAML with collections, parsers, scenarios referencing existing hub items
  • Hub-rendered .md with installation command, item-by-item rationale, and acquisition examples for the three Mailcow containers (postfix / dovecot / netfilter-mailcow)
  • hublint check clean
  • All cross-author references precedented in the hub (e.g. ZoeyVid/npmplus references openappsec/openappsec; many third-party collections include crowdsecurity/* collections)

AI assistance

  • AI was used to generate any/all content of this PR

Claude Code assembled the collection YAML and rendered the documentation
based on the live Mailcow setup I've been running for several months
(scenarios are deployed and active on a production VPS). Item selection
and acquisition recommendations are my own.

One-command install of a layered CrowdSec stack for Mailcow running on
the host. Bundles the official postfix + dovecot collections together
with my Mailcow-specific scenarios (slow SASL bf, honeypot usernames,
internal-F2B feed) and proven third-party IMAP/POP slow-pattern
scenarios from melite + hitech95.

Items pulled in:

- crowdsecurity/postfix          (collection)
- crowdsecurity/dovecot          (collection)
- Guezli/mailcow-f2b-bans        (parser)
- Guezli/postfix-sasl-bf         (scenario)
- Guezli/postfix-honeypot-users  (scenario)
- Guezli/mailcow-f2b-feed        (scenario)
- melite/dovecot-slow-bf         (scenario)
- melite/dovecot-time-based-bf   (scenario)
- hitech95/mail-generic-bf       (scenario)

All referenced items already in the hub index. hublint check clean.