My fail2ban setup was missing a filter for a certain type of attack which has a different “_daemon” string.
```
[postfix-sasl2]
enabled = true
banaction = iptables-allports
protocol = all
port = anyport
filter = postfix-sasl2
logpath = /var/log/mail.log
maxretry = 3
```
```
# Fail2Ban filter for postfix authentication failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = postfix/smtps/smtpd

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+ /]*={0,2})?\s*$

# Author: Yaroslav Halchenko

ignoreregex =
```