Of course. This is how I did it:
1. Get the EPEL package (epel-release-5-3.noarch.rpm) and install it for quick access to EPEL repo.
2. Install gamin-python, with dependencies (gamin itself, etc.).
3. Install shorewall from EPEL (better support for iptables than iptables command line itself).
4. Configure shorewall (enabled: yes, accept from outside only ssh/pop/smtp/imap, check the files).
5. Install fail2ban from EPEL.
6. Configure fail2ban to listen to 4 sources in 3 log files (one of which is Roundcube, but you need to patch it to work).
I will attach the config files in the zip.
What's in the zip:
/shorewall - should go in /etc/shorewall; mostly as in docs, but I added zone "loop" for loopback, ACCEPT ALL;
Allow only what's needed for incoming (LDAP is commented out cause I don't use it), everything else DROP
For outgoing, accept all.
/fail2ban - should go in /etc/fail2ban, in corresponding dirs
For the filter for postfix (from /var/log/maillog), I modified the syntax to only ban in case of 5xx codes, *NOT* 4xx, otherwise I will accidentally ban everyone because of greylisting and other temporary errors.
For SASL I modified the syntax, the original one didn't work with iRedOS.
The syntax for SSHD is the same, but I include it because I modified the Jail.
The syntax for Roundcube is made by me, but caution: it won't work without this patch to roundcube 0.3-stable.
Have fun.
Post's attachments: fail2ban_shorewall_conf.zip (10.84 kb, 17 downloads since 2009-10-19)
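The 5xx-versus-4xx point about the postfix filter, as an added example that is not part of the original post and is not the filter from the zip: it compares a pattern that matches only permanent (5xx) rejects with a looser one that also matches temporary (4xx) rejects. The regexes, the `maxretry` value of 3 and the log lines are assumptions constructed for illustration; in a fail2ban filter file the named group would be written as `<HOST>`.

```python
import re
from collections import Counter

# Assumed pattern (not the poster's filter): only permanent 5xx rejects count.
FAILREGEX_5XX = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+\[(?P<host>[0-9A-Fa-f:.]+)\]: 5\d\d "
)
# Looser pattern for comparison: temporary 4xx rejects count as failures too.
FAILREGEX_ANY = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+\[(?P<host>[0-9A-Fa-f:.]+)\]: [45]\d\d "
)

# Constructed maillog lines: a legitimate relay being greylisted (450),
# a host probing for an open relay (554), and a single mistyped recipient (550).
SAMPLE_LOG = """\
Oct 19 10:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.7]: 450 4.7.1 <bob@example.org>: Recipient address rejected: Greylisted; from=<alice@example.net>
Oct 19 10:01:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.7]: 450 4.7.1 <bob@example.org>: Recipient address rejected: Greylisted; from=<alice@example.net>
Oct 19 10:02:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mx.example.net[198.51.100.7]: 450 4.7.1 <carol@example.org>: Recipient address rejected: Greylisted; from=<alice@example.net>
Oct 19 10:03:10 mail postfix/smtpd[2144]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <x@elsewhere.example>: Relay access denied; from=<spam@bad.example>
Oct 19 10:03:11 mail postfix/smtpd[2144]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <y@elsewhere.example>: Relay access denied; from=<spam@bad.example>
Oct 19 10:03:12 mail postfix/smtpd[2144]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <z@elsewhere.example>: Relay access denied; from=<spam@bad.example>
Oct 19 10:05:00 mail postfix/smtpd[2150]: NOQUEUE: reject: RCPT from host.example.com[192.0.2.9]: 550 5.1.1 <bbo@example.org>: Recipient address rejected: User unknown; from=<dave@example.com>
"""


def hosts_to_ban(log_text, pattern, maxretry=3):
    """Return the sorted hosts whose matching lines reach maxretry."""
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    print("5xx only :", hosts_to_ban(SAMPLE_LOG, FAILREGEX_5XX))
    print("4xx + 5xx:", hosts_to_ban(SAMPLE_LOG, FAILREGEX_ANY))
```

Against an installed fail2ban, `fail2ban-regex <logfile> <filter file>` performs the same kind of check with the real filter and log.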