This morning I noticed a SASL attack in my mail logs, and fail2ban wasn’t stopping. I tested the regex and it was working fine, but… no ban. So here’s what worked for me: changing the backend for fail2ban to polling from auto. Problem solved.
in /etc/fail2ban/jail.local replace
backend = auto
backend = polling