virtualmin-config only runs one time, at installation. It can be run later, but it isn’t likely to fix existing configurations, as it assumes a fresh OS.
So, it doesn’t matter what version you have (it is a package that can be queried by your package manager like any other, so it is trivial to find what version you have), it matters what version you had when you installed.
I don’t know how to reliably provide a tool to “fix broken stuff” without also “breaking intentional customizations”, so virtualmin-config doesn’t attempt to do that.
There have also been a variety of bugs in upstream packages in this area (the fail2ban folks didn’t ship functional examples for modern systemd and firewalld systems for quite a while, and the distros didn’t do a great job patching that gap), which updating also probably won’t fix (for roughly the same reason: once a config file has been changed, the package manager can no longer safely replace the config file with a “fixed” one without breaking user changes).
I don’t know what it’ll do, exactly, given a configuration that’s not fresh. I mean, it almost certainly won’t break anything, but it might no do anything useful either.
I have a working config in CentOS 7, Rock Linux 8 & 9 for Postfix but I may include SSH, Proftpd, Apache.
As a matter of fact since Fail2ban can’t be as precise as I’d like, I developed a small python program that downloads some ip databases (containing ips known as a source of malware) then use it with a cron job to block and report a lot of ips. The program can exclude ips that are already connected making it safe to not block good ips like (users connecting with pop3/imap), it can also exclude ips for a country.
I will open source that program this week as soon as it is prepared so anyone can use it, and you may include in virtualmin if you wish (actually I’d love to have it included as brute force attacks have been a weak area for Virtualmin) and as you already saw it is not quite easy to set Fail2ban up. Currently the program reports to blocklist.de and I’m working to add reports to AbuseIPDB.
I use crowdsec and fail2ban in parallel. I think it works fine even with firewalld installed. The bouncer for crowdsec can be for nftables and I think there is no conflict.
since using crowdsec the postfix-sasl jail is mostly silent since crowdsec also bans based on lists