Lastly I did a huge update on fail2ban to ban attacker on NS7, I don’t know, I’m not sure if fail2ban does its job well on ns6 for the email stack.
Could you please monitor some specific logs
in /var/log/imap for example
Apr 27 18:57:48 mail dovecot: pop3-login: Disconnected (tried to use disallowed plaintext auth): user=<>, rip=22.214.171.124, lip=207......, session=<+f+EZjBO4wB54i7w> Apr 27 21:59:30 mail dovecot: pop3-login: Aborted login (tried to use disallowed plaintext auth): user=<>, rip=126.96.36.199, lip=207......, session=<s9JN8DJONwBzf1Ii>
in /var/log/secure for example
Apr 24 19:35:50 mail auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=reg...@fara.... rhost=188.8.131.52 user=regg...@far....
in /var/log/maillog for example
May 1 21:05:17 mail postfix/smtpd: connect from unknown[184.108.40.206] May 1 21:05:18 mail postfix/smtpd: lost connection after AUTH from unknown[220.127.116.11]
Anyways you should look after all odd and repetitive lines
you can see if the fail2ban works by the command ‘fail2ban-listban’
of course a jail set to zero banned…it is not a good sign. After each service restart the statistics are set to zero.