nano /etc/csf/csf.conf

Find CUSTOM1_LOG and edit the content to:

CUSTOM1_LOG = "/var/log/maillog"

 

Add the regex to catch the failed attempts against SASL

nano /usr/local/csf/bin/regex.custom.pm

Add the below regex between "Do not edit before this point" and "Do not edit beyond this point":

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","3","25","3600");
}

 

Restart CSF:

csf -r