For exim4: Fail2ban should ban all IPs that are successfully found in a DNSRBL:
    H=.* \[(?P<host>\S*)\] .* rejected RCPT .* is listed at .*
To ban the host after the first seen listing:
    [exim4]
    # ban ips listed in a dns realtime-blacklist
    enabled = true
    port = smtp,ssmtp
    filter = exim4
    logpath = /var/log/exim4/mainlog
    # ban immediately
    maxretry = 0
    # ban almost 6h
    bantime = 20000
Please review this. I think this works so far.
How can I just ban only the SMTP ports and not all ports?
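
An added example, not part of the original post: a small Python check of the failregex against constructed exim4 mainlog lines before it goes into a filter. It assumes Python's `re.search` as a stand-in for fail2ban's matcher; the sample lines, the `rbl.example.net` list name and the function names are made up for illustration.

```python
import ipaddress
import re

# Failregex from the post, with the literal brackets around the address escaped.
FAILREGEX = r"H=.* \[(?P<host>\S*)\] .* rejected RCPT .* is listed at .*"
# Same pattern with bare brackets: "[...]" is then a character class, not a group.
UNESCAPED = r"H=.* [(?P<host>\S*)] .* rejected RCPT .* is listed at .*"

# Constructed mainlog lines using documentation address ranges (not real traffic).
SAMPLE_LOG = """\
2024-01-15 10:23:45 H=(mail.example.test) [203.0.113.7] F=<a@example.test> rejected RCPT <user@example.org>: 203.0.113.7 is listed at rbl.example.net
2024-01-15 10:24:02 H=relay.example.test [198.51.100.23] F=<b@example.test> rejected RCPT <user@example.org>: relay not permitted
2024-01-15 10:25:11 1rABCD-0001xY-2Z <= c@example.test H=good.example.test [192.0.2.10] P=esmtp S=1234
2024-01-15 10:26:30 H=([203.0.113.99]) [203.0.113.99] F=<> rejected RCPT <user@example.org>: 203.0.113.99 is listed at rbl.example.net
""".splitlines()


def captures_host(regex):
    """True if the pattern defines the named group 'host' that the filter relies on."""
    return "host" in re.compile(regex).groupindex


def hosts_to_ban(lines, regex=FAILREGEX):
    """Return the addresses the failregex would extract, skipping non-IP captures."""
    pattern = re.compile(regex)
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        candidate = match.group("host")
        try:
            ipaddress.ip_address(candidate)  # \S* can match things that are not an IP
        except ValueError:
            continue
        hosts.append(candidate)
    return hosts


if __name__ == "__main__":
    print("escaped pattern captures host:  ", captures_host(FAILREGEX))
    print("unescaped pattern captures host:", captures_host(UNESCAPED))
    for host in hosts_to_ban(SAMPLE_LOG):
        print("would ban:", host)
```

Only the two DNSBL rejections yield an address; the relay rejection and the accepted message are ignored. On a real system, fail2ban's own `fail2ban-regex` tool runs the same kind of check against the actual log.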