DMS-Symbiote #4537
manfromdownunder
started this conversation in
Show and tell
Replies: 1 comment
I’m interested. I had to create a side image to run fail2ban because I needed to use iptables instead of nftables. This seems like a turbocharged version of what I have done. Ideally if you could share the compose file I can make the iptables adjustments.
Hi,
I've been using DMS for many years and really love it. I appreciate all of the work that goes into it. It certainly beats the ol' days of running and maintaining an Exchange server on a VMware guest VM in my garage, and has certainly made it more than OK for anyone to run a mail server with minimal issue. More recently I put focus on reducing mail server abuse, as I could see in my logs that my DMS was being brute-forced constantly. Reading the logs every day really opened my eyes and I learned a lot about the ocean of bots and scripts that run and scan constantly looking for ways to exploit.
At the time of starting this project I wasn't aware of anything quite like it that was a decent balance between homelab/selfhosted and enterprise-grade security. I wasn't even using RSPAMD when I first started, but quickly became a fan (after many tweaks to the config). I spent some time with AI and wrote this script/app over a few weeks, which has reduced the abuse to my DMS substantially, and perhaps there are others that may not only benefit from it but would also like to provide feedback or contribute.
It runs from a Docker container as a companion to DMS, monitoring, reading and acting on DMS logs and implementing some pretty cool firewalling with ipset and fail2ban. With such a wonderful symbiotic relationship I had to call it DMS-Symbiote.
This script is a robust, production-ready email abuse monitoring and mitigation system for Dockerized mail servers. It features real-time multi-log monitoring (with rotation/archive support), automatic event scoring, IP banning/unbanning via fail2ban, ipset, and iptables, as well as dynamic whitelist and exclusion management. The system integrates with AbuseIPDB for blocklist syncing and reporting, sends email alerts for suspicious logins and security events, and profiles user login history for anomaly detection. Notably, it supports machine learning (ML)-driven threat detection by automatically banning and reporting IPs flagged as anomalous by external ML tools. All actions and state are persistently tracked in an SQLite database, and the architecture is thread-safe and highly resilient.
Key features:
I have a lot of ideas/features that I am working through such as a web interface, centralised real-time pattern recognition updates and real-time dynamic pattern updates using AI.
I haven't pushed the code to git yet, so there is no repo to share with you at this stage. This post is really just to see if anyone has a need for this like I did, or are there already FOSS tools that can do this?
If anyone is interested I will clean it up and make it available as well as pushing out the docker image.
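The post above describes the pipeline (read mail logs, score events per source IP, skip whitelisted ranges, persist state in SQLite, then push offenders into an ipset that an iptables rule drops). The following is an added illustration of that pipeline, not DMS-Symbiote's own code, which has not been published. The log lines, pattern weights, the ban threshold, the whitelist and the set name `dms_symbiote_ban` are all constructed for the example; the enforcement step only returns the ipset/iptables commands as strings rather than executing them, so it runs offline.

```python
import re
import sqlite3
import ipaddress
from collections import defaultdict

# Constructed sample log lines in Postfix (SASL) and Dovecot formats; not taken from the post.
SAMPLE_LOGS = [
    "May  3 10:01:02 mail postfix/smtps/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May  3 10:01:05 mail postfix/smtps/smtpd[1234]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May  3 10:01:09 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS",
    "May  3 10:02:00 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 10 secs): user=<bob>, method=PLAIN, rip=198.51.100.20, lip=10.0.0.5, TLS",
    "May  3 10:02:30 mail postfix/smtpd[1300]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host blocked",
    "May  3 10:03:00 mail dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=192.168.1.50, lip=10.0.0.5, TLS",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# (regex, event name, weight). Weights are illustrative; Dovecot's weight is
# multiplied by the attempt count the log line itself reports.
PATTERNS = [
    (re.compile(rf"warning: \S+\[(?P<ip>{IPV4})\]: SASL \w+ authentication failed"), "sasl_auth_failed", 3),
    (re.compile(rf"auth failed, (?P<attempts>\d+) attempts.*?rip=(?P<ip>{IPV4})"), "dovecot_auth_failed", 2),
    (re.compile(rf"NOQUEUE: reject: RCPT from \S+\[(?P<ip>{IPV4})\]"), "smtpd_reject", 1),
]

BAN_THRESHOLD = 8  # constructed value
WHITELIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
IPSET_NAME = "dms_symbiote_ban"  # hypothetical set name


def parse_event(line):
    """Return (ip, event_name, weight) for a recognised line, else None."""
    for rx, name, weight in PATTERNS:
        m = rx.search(line)
        if m:
            attempts = int(m.groupdict().get("attempts") or 1)
            return m.group("ip"), name, weight * attempts
    return None


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def open_db(path=":memory:"):
    """State store: every scored event plus the current ban list."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS events (ip TEXT, event TEXT, weight INTEGER, line TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS bans (ip TEXT PRIMARY KEY, score INTEGER)")
    return conn


def process_logs(lines, conn):
    """Score each line's source IP, persist events, return ({ip: score}, [newly banned ips])."""
    scores = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ip, name, weight = ev
        if is_whitelisted(ip):
            continue  # local/trusted ranges are never scored or banned
        conn.execute("INSERT INTO events VALUES (?, ?, ?, ?)", (ip, name, weight, line))
        scores[ip] += weight
    banned = []
    for ip, score in scores.items():
        if score >= BAN_THRESHOLD:
            conn.execute("INSERT OR REPLACE INTO bans VALUES (?, ?)", (ip, score))
            banned.append(ip)
    conn.commit()
    return dict(scores), sorted(banned)


def ban_commands(ip, setname=IPSET_NAME):
    """Commands the enforcement step would run (returned as strings, not executed)."""
    return [
        f"ipset create {setname} hash:ip -exist",
        f"ipset add {setname} {ip} -exist",
        f"iptables -C INPUT -m set --match-set {setname} src -j DROP || "
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]


if __name__ == "__main__":
    conn = open_db()
    scores, banned = process_logs(SAMPLE_LOGS, conn)
    print("scores:", scores)
    for ip in banned:
        print("\n".join(ban_commands(ip)))
```

With the constructed input, 203.0.113.7 accumulates 9 points (two SASL failures, one Dovecot failure, one rejected RCPT) and crosses the threshold, 198.51.100.20 stays at 6 and is only recorded, and 192.168.1.50 is skipped by the whitelist before it is ever scored. Using a single ipset matched by one iptables rule keeps the rule set constant no matter how many addresses are banned, which is the usual reason to prefer it over one iptables rule per IP.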