> > The event that triggers the ban does complete as normal, which is what I would > expect as the ban is triggered by the log entry which is *after* the failed > attempt. > > However, after the /var/log/fail2ban.log showed the IP as banned, I continue > to see entries in /var/log/exim/main.log What ban action do you use? If it's something like iptables-multiport, then I wonder if the fact that it's detecting the failures as '[dovecot]' means that it's using the dovecot ports, not the exim ports, when applying the iptable rule. When a host has been banned, can you look at the iptables rules to see what is actually being applied. P.