As I understand it, fail2ban scans the qpsmtpd log for failures, and searches for lines like this
@40000000531680d015cb71e4 3903 Authentication failed for webmail^@^@^@^@^@^@^@^@^@^@^@^@^@ -
But, unfortunately, the line doesn't show any IP adress, so fail2ban doesn't know which IP address to ban.
To blocks attacks like this, qpsmtpd must be changed in order to log the IP address in question. This is the usual behavior for qpsmtpd, I don't know why the addresses aren't logged in these attacks.
Jesper, Denmark