Nick Howitt wrote:

So it uses the name imapd for port 993 but cyrus-master for the IMAP and POPS processes. Strange programming! IMAP is listening on localhost only. I've no idea why that would be but let's assume it is correct.

As you are not listening externally on POP/IMAP, I'd assume you logwatch report is grouping POP and POPS together and reporting them as POP. Ditto IMAP and IMAPS, but only you can crosscheck that. A quick grep of failures in the maillog for one day may prove that.

Hi again.
Sorry I've had no time to look at this for a week.
The number of failures is still in the hundreds.
But the grep of failures in maillog shows only 21 for the day on imaps. All failures are captured in fail2ban and the IP addresses are banned.
I'm scratching my head and can't figure out why logwatch is still showing 717 failures over 5 users on the same day.
If the failures aren't in maillog, then where could logwatch be picking up the failures?