Auto invalidation of expired passwords after a certain period of time.
Normally, account passwords expire & remain so even after a long time, with the same password expiry error log, for example:
2021-12-09 11:33:55 mail SECURITY:POP3;001071E4;192.168.20.174;49421;OP_FAIL;someID@domain.tld;;Authentication error; password has expired
We have configured fail2ban in which we have ignored these errors so that users' IPs do not get locked unnecessarily & they get time to reset their passwords & start reusing their accounts.
In such cases, if there are some random brute force login attempts, those get a free hand since those IPs do not get blocked. To stop these attempts automatically, the expired passwords need to become invalid after a certain period. For example, 5 days after expiry. Then the error log will change to:
2021-12-09 11:33:55 +0530 02 mail SECURITY:POP3;001071E4;192.168.20.174;49421;OP_FAIL;someID@domain.tld;;Authentication error; Invalid password
This will then let fail2ban automatically block the login attempts. This will also help secure those accounts which for some reason become dormant & go unnoticed.
Please look into it as it'll help increase security of the accounts.
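
The requested behaviour can be modelled on the log side, as an added example that is not part of the original request and not the mail server's or fail2ban's own code: it parses the two log line shapes quoted above and counts, per source IP, only the failures that should feed a ban decision. The `EXPIRY` map (account to expiry date), the function names, and the sample lines are assumptions constructed for illustration, since the log itself does not carry the expiry date.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches both line shapes quoted in the post (with or without "+0530 02").
# The timezone field is skipped; timestamps are compared as local naive times.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: [+-]\d{4} \d+)? \S+ "
    r"SECURITY:\w+;[^;]*;(?P<ip>[^;]+);\d+;OP_FAIL;"
    r"(?P<account>[^;]*);[^;]*;Authentication error; (?P<reason>.+)$"
)

def parse(line):
    """Return ts/ip/account/reason for an OP_FAIL line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def countable_failures(lines, expiry, grace_days=5):
    """Per-IP count of failures that should feed the ban decision."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["reason"].strip().lower() == "password has expired":
            expired_on = expiry.get(rec["account"])
            # Unknown expiry date: keep today's behaviour and ignore the line.
            if expired_on is None or rec["ts"] - expired_on <= timedelta(days=grace_days):
                continue
        counts[rec["ip"]] += 1
    return counts

# Constructed sample data (documentation IP ranges, made-up accounts).
EXPIRY = {"recent@domain.tld": datetime(2021, 12, 7),
          "dormant@domain.tld": datetime(2021, 11, 1)}
PFX = "mail SECURITY:POP3;001071E4;"
END = ";;Authentication error; "
SAMPLE = [
    f"2021-12-09 11:33:55 {PFX}192.0.2.10;49421;OP_FAIL;recent@domain.tld{END}password has expired",
    f"2021-12-09 11:34:10 {PFX}198.51.100.7;49422;OP_FAIL;dormant@domain.tld{END}password has expired",
    f"2021-12-09 11:34:12 {PFX}198.51.100.7;49423;OP_FAIL;dormant@domain.tld{END}password has expired",
    f"2021-12-09 11:35:00 +0530 02 {PFX}198.51.100.7;49425;OP_FAIL;dormant@domain.tld{END}Invalid password",
    f"2021-12-09 11:36:00 {PFX}203.0.113.5;49426;OP_FAIL;nobody@domain.tld{END}password has expired",
]

if __name__ == "__main__":
    print(dict(countable_failures(SAMPLE, EXPIRY)))
```

With the 5-day grace period, the recently expired account's owner is left alone while the attempts against the long-dormant account are counted against their source IP.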