fail2ban: Use more targeted regexp to catch errors

The current fail2ban regexp catches all SMTP connection errors.

This works fine, but includes connection errors, that can be caused by
transient external causes, and accidentally delay email delivery.

This patch changes the regexp to be more targeted towards specific SMTP
errors that are likely to be caused by deliberate actions.

The expression was cross-checked with a few month of errors to confirm
it should not have false positives, and that it correctly left
connection errors alone.

Thanks to pepperbob@github for reporting this in
https://github.com/albertito/chasquid/issues/77.

etc/fail2ban/filter.d/chasquid.conf

@@ -3,8 +3,23 @@
 before = common.conf
 
 [Definition]
-# Identify addresses that triggered an SMTP connection error.
+# Identify addresses that triggered an SMTP error.
-failregex = SMTP.Conn <ADDR>:\d+: error:
+# Specifically, filter for errors that are likely to be caused by deliberate
+# actions.
+#  - AUTH failed (e.g. auth over plaintext, or bad password)
+#  - MAIL failed (e.g. SPF check failed)
+#  - RCPT failed (e.g. relay not allowed)
+#  - DATA failed (e.g. malformed transaction)
+#  - Unknown command (e.g. cross-protocol shenanigans)
+#  - too many errors, breaking connection
+#  - http command, closing connection
+#
+# This list excludes connection issues (e.g. TCP or TLS), security level
+# checks, or other unusual errors that aren't typically problematic.
+failregex = SMTP.Conn <ADDR>:\d+: error:.*((AUTH|MAIL|RCPT|DATA) failed|Unknown command|too many errors|http command)
+
+# To catch _all_ connection errors, you can use this instead:
+#     failregex = SMTP.Conn <ADDR>:\d+: error:
 
 [Init]
 journalmatch = _SYSTEMD_UNIT=chasquid.service