With the help of squirrel logger I now have Fail2Ban banning IPs from attempted logins of my webmail interface.  Configuring squirrel logger was a breeze.  I simple send it to syslog, where it is picked up by my mail.info log.  I created my own squirrelmail.conf for fail2ban which is below.

# Fail2Ban configuration file
#
[Definition]

# Option: failregex
failregex =  0: Failed webmail login: by.*\(.*\) at <HOST> on.*$

ignoreregex =