[CentOS] fail2ban detecting and banning but nothing happens

Fri Apr 19 14:19:26 UTC 2019
Pete Biggs <pete at biggs.org.uk>

> I've added a fail regex to /etc/fail2ban/filter.d/exim.conf as suggested on 
> another page:

The standard exim.conf already has a 535 filter. Was that not working
for you?


> 
>        \[<HOST>\]: 535 Incorrect authentication data
> 
> which appears to be successfully matching lines in /var/log/exim/mail.log such 
> as
> 
> 2019-04-19 13:06:10 dovecot_plain authenticator failed for ([185.222.209.71]) 
> [185.222.209.71]: 535 Incorrect authentication data

Just to check - you are authenticating against dovecot for SMTP within
exim (and it's not that dovecot authentication is getting mixed up with
the exim logs)?

> 
> /var/log/fail2ban.log, and the generated emails all say that the regex is 
> working and the IP addresses are getting banned.
> 
> 2019-04-19 13:06:32,461 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 45.227.253.99
> 2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 
> 45.227.253.99
> 2019-04-19 13:06:32,954 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 45.227.253.99
> 2019-04-19 13:06:36,664 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 185.222.209.71
> 2019-04-19 13:07:16,973 fail2ban.actions        [21954]: NOTICE  [dovecot] 
> Unban 185.211.245.198
> 2019-04-19 13:07:42,108 fail2ban.actions        [21954]: NOTICE  [dovecot] 
> Unban 185.234.217.221
> 2019-04-19 13:08:06,475 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 141.98.80.32
> 2019-04-19 13:08:11,299 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 185.234.217.162
> 2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 
> 185.234.217.162
> 2019-04-19 13:08:16,803 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 141.98.80.32
> 2019-04-19 13:08:22,092 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 185.234.217.221
> 2019-04-19 13:09:18,178 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 185.211.245.198
> 2019-04-19 13:09:30,522 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 185.211.245.198
> 2019-04-19 13:09:30,752 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 
> 185.211.245.198
> 2019-04-19 13:10:48,248 fail2ban.filter         [21954]: INFO    [dovecot] 
> Found 185.211.245.198
> 
It would be much, much easier to read if you didn't wrap the log lines
- I've unwrapped them for you:

2019-04-19 13:06:32,461 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 45.227.253.99
2019-04-19 13:06:32,954 fail2ban.filter         [21954]: INFO    [dovecot] Found 45.227.253.99
2019-04-19 13:06:36,664 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.222.209.71
2019-04-19 13:07:16,973 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.211.245.198
2019-04-19 13:07:42,108 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.234.217.221
2019-04-19 13:08:06,475 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
2019-04-19 13:08:11,299 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.162
2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.234.217.162
2019-04-19 13:08:16,803 fail2ban.filter         [21954]: INFO    [dovecot] Found 141.98.80.32
2019-04-19 13:08:22,092 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.234.217.221
2019-04-19 13:09:18,178 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,522 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198
2019-04-19 13:09:30,752 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.211.245.198
2019-04-19 13:10:48,248 fail2ban.filter         [21954]: INFO    [dovecot] Found 185.211.245.198

> 
> 
> However, once an IP address is banned, it continues to appear 
> in /var/log/exim/main.log which would imply that the ban action is not 
> working.

Only for one more attempt - I presume your ban action is to modify the
firewall, but the firewall doesn't stop established connections, so as
long as the remote host has an open TCP connection it can continue to
attempt to login. If your authenticator drops the connection after 3
attempts and Fail2Ban blocks after 2 failed attempts you will see what
you've got.

> 
> (Also, I don't understand why it's matching against dovecot when the regex 
> is in exim.conf)

Because the log line says dovecot - the actual name of the .conf file
is irrelevant and nowhere in the filter config files does it mention
[exim] explicitly (or any other section). The section is determined
from the log line using the filters.

P.
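One way to tell the "open connection gets one more go" case apart from a ban action that is really not working is to correlate the two logs. The script below is an added example, not code from the thread or from fail2ban: it replays the Ban/Unban lines from the post against exim main.log lines in the post's format (the exim lines here are constructed), and reports how many 535 failures each IP logged while it was banned and how long after the ban they came. The <HOST> placeholder is replaced by a plain IPv4 group so the stock re module can run the filter, and the `allowed` threshold (authenticator attempts per connection minus fail2ban maxretry) is an assumption you set for your own setup.

```python
import re
from collections import defaultdict
from datetime import datetime

# The thread's exim filter line with fail2ban's <HOST> placeholder swapped for
# a plain IPv4 group, and the fail2ban.actions Ban/Unban line, for plain `re`.
EXIM_535 = re.compile(r"^(?P<ts>\S+ \S+) .*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: "
                      r"535 Incorrect authentication data")
F2B_ACTION = re.compile(r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+"
                        r"\[[^\]]+\] (?P<act>Ban|Unban) (?P<ip>\S+)")

F2B_LOG = """\
2019-04-19 13:06:32,607 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 45.227.253.99
2019-04-19 13:07:16,973 fail2ban.actions        [21954]: NOTICE  [dovecot] Unban 185.211.245.198
2019-04-19 13:08:12,249 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.234.217.162
2019-04-19 13:09:30,752 fail2ban.actions        [21954]: NOTICE  [dovecot] Ban 185.211.245.198
""".splitlines()
# Constructed /var/log/exim/main.log lines in the thread's format (not from the post).
EXIM_LOG = """\
2019-04-19 13:06:30 dovecot_plain authenticator failed for ([45.227.253.99]) [45.227.253.99]: 535 Incorrect authentication data
2019-04-19 13:06:33 dovecot_plain authenticator failed for ([45.227.253.99]) [45.227.253.99]: 535 Incorrect authentication data
2019-04-19 13:08:13 dovecot_plain authenticator failed for ([185.234.217.162]) [185.234.217.162]: 535 Incorrect authentication data
2019-04-19 13:08:40 dovecot_plain authenticator failed for ([185.234.217.162]) [185.234.217.162]: 535 Incorrect authentication data
2019-04-19 13:09:00 dovecot_plain authenticator failed for ([185.211.245.198]) [185.211.245.198]: 535 Incorrect authentication data
2019-04-19 13:09:31 dovecot_plain authenticator failed for ([185.211.245.198]) [185.211.245.198]: 535 Incorrect authentication data
""".splitlines()

def ban_events(f2b_lines):
    """IP -> time-sorted [(datetime, 'Ban'|'Unban'), ...] from fail2ban.log."""
    events = defaultdict(list)
    for m in filter(None, map(F2B_ACTION.match, f2b_lines)):
        events[m["ip"]].append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), m["act"]))
    return {ip: sorted(ev) for ip, ev in events.items()}

def post_ban_attempts(f2b_lines, exim_lines):
    """IP -> seconds after its ban for each 535 logged while the IP was banned."""
    events, hits = ban_events(f2b_lines), defaultdict(list)
    for m in filter(None, map(EXIM_535.match, exim_lines)):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        # Banned state at ts is whatever the latest Ban/Unban at or before ts says.
        prior = [e for e in events.get(m["ip"], []) if e[0] <= ts]
        if prior and prior[-1][1] == "Ban":
            hits[m["ip"]].append((ts - prior[-1][0]).total_seconds())
    return dict(hits)

def ban_not_effective(hits, allowed=1):
    """IPs with more post-ban failures than an already-open connection explains
    (allowed = authenticator attempts per connection minus maxretry; 3 - 2 = 1 above)."""
    return sorted(ip for ip, deltas in hits.items() if len(deltas) > allowed)
```

An IP that shows up only once, a fraction of a second after its Ban line, is the open-connection case from the reply; an IP that keeps producing 535 lines long after the Ban is the one to chase into the firewall rules.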