diff --git a/conf/fail2ban/postfix-sasl.conf b/conf/fail2ban/postfix-sasl.conf
new file mode 100644
index 000000000..a9f470782
--- /dev/null
+++ b/conf/fail2ban/postfix-sasl.conf
@@ -0,0 +1,6 @@
+# Fail2Ban filter for postfix authentication failures
+[INCLUDES]
+before = common.conf
+[Definition]
+_daemon = postfix/smtpd
+failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
diff --git a/conf/fail2ban/yunohost-jails.conf b/conf/fail2ban/yunohost-jails.conf
index 1cf1a1966..911f9cd85 100644
--- a/conf/fail2ban/yunohost-jails.conf
+++ b/conf/fail2ban/yunohost-jails.conf
@@ -8,6 +8,13 @@ enabled = true
 [postfix]
 enabled = true
 
+[sasl]
+enabled  = true
+port     = smtp
+filter   = postfix-sasl
+logpath  = /var/log/mail.log
+maxretry = 5
+
 [dovecot]
 enabled = true
 
diff --git a/hooks/conf_regen/52-fail2ban b/hooks/conf_regen/52-fail2ban
index 8ef20f979..d463892c7 100755
--- a/hooks/conf_regen/52-fail2ban
+++ b/hooks/conf_regen/52-fail2ban
@@ -14,6 +14,7 @@ do_pre_regen() {
     mkdir -p "${fail2ban_dir}/jail.d"
 
     cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf"
+    cp postfix-sasl.conf "${fail2ban_dir}/filter.d/postfix-sasl.conf"
     cp jail.conf "${fail2ban_dir}/jail.conf"
 
     export ssh_port="$(yunohost settings get 'security.ssh.ssh_port')"