drop ssmtp support and switch to sidecar container with msmtpd

Dockerfile

@@ -25,7 +25,6 @@ RUN --mount=from=fail2ban-src,source=/src/fail2ban,target=/tmp/fail2ban,rw \
     python3 \
     py3-dnspython \
     py3-inotify \
-    ssmtp \
     tzdata \
     wget \
     whois \

README.md

@@ -35,6 +35,7 @@ ___
   * [Use fail2ban-client](#use-fail2ban-client)
   * [Global jail configuration](#global-jail-configuration)
   * [Custom jails, actions and filters](#custom-jails-actions-and-filters)
+  * [Sending email using a sidecar container](#sending-email-using-a-sidecar-container)
 * [Contributing](#contributing)
 * [License](#license)
 
@@ -81,17 +82,6 @@ Image: crazymax/fail2ban:latest
 * `F2B_LOG_LEVEL`: Log level output (default `INFO`)
 * `F2B_DB_PURGE_AGE`: Age at which bans should be purged from the database (default `1d`)
 * `IPTABLES_MODE`: Choose between iptables `nft` or `legacy` mode. (default `auto`)
-* `SSMTP_HOST`: SMTP server host
-* `SSMTP_PORT`: SMTP server port (default `25`)
-* `SSMTP_HOSTNAME`: Full hostname (default `$(hostname -f)`)
-* `SSMTP_USER`: SMTP username
-* `SSMTP_PASSWORD`: SMTP password
-* `SSMTP_TLS`: Use TLS to talk to the SMTP server (default `NO`)
-* `SSMTP_STARTTLS`: Specifies whether ssmtp does a EHLO/STARTTLS before starting SSL negotiation (default `NO`)
-
-> [!NOTE] 
-> `SSMTP_PASSWORD_FILE` can be used to fill in the value from a file, especially
-> for Docker's secrets feature.
 
 ## Volumes
 
@@ -180,34 +170,27 @@ through the container. Here is an example if you want to ban an IP manually:
 
 ```console
 $ docker exec -t <CONTAINER> fail2ban-client set <JAIL> banip <IP>
-``` 
+```
 
 ### Global jail configuration
 
 You can provide customizations in `/data/jail.d/*.local` files.
 
-For example to change the default bantime for all jails, send an e-mail with
-whois report and relevant log lines to the destemail:
+For example, to change the default bantime for all jails:
 
 ```text
 [DEFAULT]
 bantime = 1h
-destemail = root@localhost
-sender = root@$(hostname -f)
-action = %(action_mwl)s
 ```
 
-> [!WARNING]
-> If you want email to be sent after a ban, you have to configure SSMTP env vars
-
-FYI, here is the order *jail* configuration would be loaded:
-
-```text
-jail.conf
-jail.d/*.conf (in alphabetical order)
-jail.local
-jail.d/*.local (in alphabetical order)
-```
+> [!NOTE]
+> Loading order for jail configuration:
+> ```text
+> jail.conf
+> jail.d/*.conf (in alphabetical order)
+> jail.local
+> jail.d/*.local (in alphabetical order)
+> ```
 
 A sample configuration file is [available on the official repository](https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf).
 
@@ -220,6 +203,12 @@ exists, it will be overriden.
 > [!WARNING]
 > Container has to be restarted to propagate changes
 
+### Sending email using a sidecar container
+
+If you want to send emails using a sidecar container, see the example in
+[examples/smtp](examples/smtp). It uses the [smtp.py action](https://github.com/fail2ban/fail2ban/blob/1.1.0/config/action.d/smtp.py)
+and [msmtpd SMTP relay](https://github.com/crazy-max/docker-msmtpd) image.
+
 ## Contributing
 
 Want to contribute? Awesome! The most basic way to show your support is to star

entrypoint.sh

@@ -7,11 +7,6 @@ F2B_LOG_LEVEL=${F2B_LOG_LEVEL:-INFO}
 F2B_DB_PURGE_AGE=${F2B_DB_PURGE_AGE:-1d}
 IPTABLES_MODE=${IPTABLES_MODE:-auto}
 
-SSMTP_PORT=${SSMTP_PORT:-25}
-SSMTP_HOSTNAME=${SSMTP_HOSTNAME:-$(hostname -f)}
-SSMTP_TLS=${SSMTP_TLS:-NO}
-SSMTP_STARTTLS=${SSMTP_STARTTLS:-NO}
-
 # From https://github.com/docker-library/mariadb/blob/master/docker-entrypoint.sh#L21-L41
 # usage: file_env VAR [DEFAULT]
 #    ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -40,31 +35,6 @@ echo "Setting timezone to ${TZ}..."
 ln -snf /usr/share/zoneinfo/${TZ} /etc/localtime
 echo ${TZ} > /etc/timezone
 
-# SSMTP
-file_env 'SSMTP_PASSWORD'
-echo "Setting SSMTP configuration..."
-if [ -z "$SSMTP_HOST" ] ; then
-  echo "WARNING: SSMTP_HOST must be defined if you want fail2ban to send emails"
-else
-  cat > /etc/ssmtp/ssmtp.conf <<EOL
-mailhub=${SSMTP_HOST}:${SSMTP_PORT}
-hostname=${SSMTP_HOSTNAME}
-FromLineOverride=YES
-UseTLS=${SSMTP_TLS}
-UseSTARTTLS=${SSMTP_STARTTLS}
-EOL
-  # Authentication to SMTP server is optional.
-  if [ -n "$SSMTP_USER" ] ; then
-    cat >> /etc/ssmtp/ssmtp.conf <<EOL
-AuthUser=${SSMTP_USER}
-AuthPass=${SSMTP_PASSWORD}
-EOL
-  fi
-fi
-unset SSMTP_HOST
-unset SSMTP_USER
-unset SSMTP_PASSWORD
-
 # Init
 echo "Initializing files and folders..."
 mkdir -p /data/db /data/action.d /data/filter.d /data/jail.d

examples/compose/fail2ban.env

@@ -3,10 +3,3 @@ TZ=Europe/Paris
 F2B_LOG_TARGET=STDOUT
 F2B_LOG_LEVEL=INFO
 F2B_DB_PURGE_AGE=1d
-
-SSMTP_HOST=smtp.example.com
-SSMTP_PORT=587
-SSMTP_HOSTNAME=example.com
-SSMTP_USER=smtp@example.com
-SSMTP_PASSWORD=
-SSMTP_TLS=YES

examples/smtp/compose.yml

@@ -0,0 +1,29 @@
+name: fail2ban
+
+services:
+  msmtpd:
+    image: crazymax/msmtpd:latest
+    container_name: fail2ban_msmtpd
+    env_file:
+      - "./msmtpd.env"
+    ports:
+      - "127.0.0.1:2500:2500"
+    environment:
+      - "TZ"
+    restart: always
+
+  fail2ban:
+    image: crazymax/fail2ban:latest
+    container_name: fail2ban
+    depends_on:
+      - msmtpd
+    network_mode: "host"
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    volumes:
+      - "./data:/data"
+      - "/var/log:/var/log:ro"
+    env_file:
+      - "./fail2ban.env"
+    restart: always

examples/smtp/data/jail.d/00-jail.local

@@ -0,0 +1,2 @@
+[DEFAULT]
+action = smtp.py[host=localhost:2500, sendername=Fail2Ban, sender=foo@gmail.com, dest=foo@gmail.com]

examples/smtp/fail2ban.env

@@ -0,0 +1,5 @@
+TZ=Europe/Paris
+
+F2B_LOG_TARGET=STDOUT
+F2B_LOG_LEVEL=INFO
+F2B_DB_PURGE_AGE=1d

examples/smtp/msmtpd.env

@@ -0,0 +1,10 @@
+# https://github.com/crazy-max/docker-msmtpd
+SMTP_HOST=smtp.gmail.com
+SMTP_PORT=587
+SMTP_TLS=on
+SMTP_STARTTLS=on
+SMTP_TLS_CHECKCERT=on
+SMTP_AUTH=on
+SMTP_USER=foo
+SMTP_PASSWORD=bar
+SMTP_FROM=foo@gmail.com