Added line port=2206 to /etc/fail2ban/jail.d/defaults-debian.conf

Created /etc/fail2ban/jail.d/mail.conf with stanzas for dovecot and postfix
Following example here: 
https://importgeek.wordpress.com/2017/01/15/fail2ban-prevent-postfix-brute-force/
Note that "sasl" isn't needed since postfix hands authentication off to 
dovecot

Since postfix uses dovecot for authentication, added the smtp ports to 
the port= line for the [dovecot] stanza

/etc/fail2ban/jail.conf sets the default for bantime, findtime, and 
maxretry.

Log file is /var/log/fail2ban.log

systemctl restart fail2ban

Everything looks good, so systemctl enable fail2ban