Are you using courierpop3?
The rule that you need does probably look something like this (NOT TESTED!)
enabled = true
port = pop3
filter = pop3d
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
Basicaly the rule scans your mail.log file for the text "pop3d: LOGIN FAILED", and logs the IP who is causig the LOGIN FAILED.
After a maxretry of 5 times fail2ban will kick in, and block that IP.
Make sure that you restart fail2ban after adding this.
Last edited by edge; 29th September 2009 at 16:25.