{...}: {
  services.fail2ban = {
    enable = true;
    maxretry = 2; # ban after 2 failures
    daemonSettings = {
      Definition = {
        logtarget = "SYSLOG";
        socket = "/run/fail2ban/fail2ban.sock";
        pidfile = "/run/fail2ban/fail2ban.pid";
        dbfile = "/var/lib/fail2ban/db.sqlite3";
      };
    };
    bantime-increment = {
      enable = true;
      rndtime = "8m";
      overalljails = true;
      multipliers = "2 4 16 128 256";
      maxtime = "72h";
    };
    jails = {
      dovecot = ''
        # block IPs which failed to log-in
        # aggressive mode add blocking for aborted connections
        enabled = true
        filter = dovecot[mode=aggressive]
        maxretry = 2
      '';
      postfix = ''
        enabled = true
        filter = postfix[mode=aggressive]
        findtime = 600
        maxretry = 3
      '';
    };
  };
}