I've followed one of the pages online specifically for installing fail2ban on CentOS 7 and all looks fine.
I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on another page:
[<HOST>]: 535 Incorrect authentication data
which appears to be successfully matching lines in /var/log/exim/mail.log such as
2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) [185.222.209.71]: 535 Incorrect authentication data
/var/log/fail2ban.log, and the generated emails all say that the regex is working and the IP addresses are getting banned.
2019-04-19 13:06:32,461 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
2019-04-19 13:06:32,607 fail2ban.actions [21954]: NOTICE [dovecot] Ban 45.227.253.99
2019-04-19 13:06:32,954 fail2ban.filter [21954]: INFO [dovecot] Found 45.227.253.99
2019-04-19 13:06:36,664 fail2ban.filter [21954]: INFO [dovecot] Found 185.222.209.71
2019-04-19 13:07:16,973 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.211.245.198
2019-04-19 13:07:42,108 fail2ban.actions [21954]: NOTICE [dovecot] Unban 185.234.217.221
2019-04-19 13:08:06,475 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
2019-04-19 13:08:11,299 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.162
2019-04-19 13:08:12,249 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.234.217.162
2019-04-19 13:08:16,803 fail2ban.filter [21954]: INFO [dovecot] Found 141.98.80.32
2019-04-19 13:08:22,092 fail2ban.filter [21954]: INFO [dovecot] Found 185.234.217.221
2019-04-19 13:09:18,178 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,522 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,752 fail2ban.actions [21954]: NOTICE [dovecot] Ban 185.211.245.198
2019-04-19 13:10:48,248 fail2ban.filter [21954]: INFO [dovecot] Found 185.211.245.198
However, once an IP address is banned, it continues to appear in /var/log/exim/main.log which would imply that the ban action is not working.
(Also, I don't understand why it's matching against dovecot when the regex is in exim.conf.)
I've found lots of pages relating to regex errors, which this obviously isn't, but I can't seem to find pages about why the ban doesn't work. Does anyone have any ideas?