Have you tried just using the the filter dovecot.conf come with the fail2ban?

# cat /etc/fail2ban/filter.d/dovecot.conf

failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(?:\s+user=\S*)?\s*$ ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( us$ ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authen$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$


On 2017-12-16 15:56, voy...@sbt.net.au wrote:
I'm trying to setup and test fail2ban with dovecot

I've installed fail2ban, I've copied config from
https://wiki2.dovecot.org/HowTo/Fail2Ban, and, trying to test it,

attempted multiple mail access with wrong password, but, get this:

# fail2ban-client status dovecot-pop3imap
Status for the jail: dovecot-pop3imap
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/dovecot.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

# grep 'auth fail' /var/log/dovecot.log | grep voytek@k | wc
     19     367    3749


Dec 17 09:55:03 imap-login: Info: Disconnected (auth failed, 2 attempts in
5 secs): user=<voy...@k..au>, method=PLAIN, rip=,
lip=, TLS, session=<bQ6mAX1gHcRur/an>
Dec 17 09:55:12 imap-login: Info: Disconnected (auth failed, 2 attempts in
4 secs): user=<voy...@k..au>, method=PLAIN, rip=,
lip=, TLS, session=<Osk5An1gAKVur/an>
Dec 17 09:55:20 imap-login: Info: Disconnected (auth failed, 2 attempts in
4 secs): user=<voy...@k..au>, method=PLAIN, rip=,
lip=, TLS, session=<xsq/An1gDN1ur/an>
Dec 17 09:55:27 imap-login: Info: Disconnected (auth failed, 2 attempts in
4 secs): user=<voy...@k..au>, method=PLAIN, rip=,
lip=, TLS, session=<RVUkA31gm4xur/an>

# cat dovecot-pop3imap.conf
failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted
login \(auth failed|Aborted login \(tried to use disabled|Disconnected
\(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

# systemctl status  fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled;
vendor preset: disabled)
   Active: active (running) since Sat 2017-12-16 22:35:14 AEDT; 12h ago
     Docs: man:fail2ban(1)
  Process: 2034 ExecStop=/usr/bin/fail2ban-client stop (code=exited,
Process: 6024 ExecReload=/usr/bin/fail2ban-client reload (code=exited,
Process: 2036 ExecStart=/usr/bin/fail2ban-client -x start (code=exited,
 Main PID: 2039 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─2039 /usr/bin/python2 -s /usr/bin/fail2ban-server -s
/var/run/fail2ban/fail2ban.sock -p /var/ru...

Dec 16 22:35:14  systemd[1]: Starting Fail2Ban Service...
Dec 16 22:35:14  fail2ban-client[2036]: 2017-12-16 22:35:14,657
fail2ban.server         [2...9.7
Dec 16 22:35:14  fail2ban-client[2036]: 2017-12-16 22:35:14,657
fail2ban.server         [2...ode
Dec 16 22:35:14  systemd[1]: Started Fail2Ban Service.
Dec 17 09:21:51  systemd[1]: Reloaded Fail2Ban Service.
Dec 17 09:22:52  systemd[1]: Reloaded Fail2Ban Service.
Dec 17 09:31:40  systemd[1]: Reloaded Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.

