Added line port=2206 to /etc/fail2ban/jail.d/defaults-debian.conf Created /etc/fail2ban/jail.d/mail.conf with stanzas for dovecot and postfix Following example here: https://importgeek.wordpress.com/2017/01/15/fail2ban-prevent-postfix-brute-force/ Note that "sasl" isn't needed since postfix hands authentication off to dovecot Since postfix uses dovecot for authentication, added the smtp ports to the port= line for the [dovecot] stanza /etc/fail2ban/jail.conf sets the default for bantime, findtime, and maxretry. Log file is /var/log/fail2ban.log systemctl restart fail2ban Everything looks good, so systemctl enable fail2ban