Custom BFD rules for courier, exim and cpanel
From brokenpoet.org wiki
The following rules add BFD protection for courier, exim and cpanel. Create a file named courier, exim or cpanel in /usr/local/bfd/rules/ and paste the matching rule below into it. Each rule only becomes active when the file named in REQ exists, reads the log named in LP, and its ARG_VAL pipeline must emit one address:user pair per failed login; TRIG, where set, overrides the global trigger count from conf.bfd.
courier
```sh
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
#TRIG="10"

# file must exist for rule to be active
REQ="/usr/lib/courier-imap/libexec/couriertcpd"
if [ -f "$REQ" ]; then
  LP="/var/log/maillog"
  TLOG_TF="courier"

  ## courier imap|pop3
  # strip the IPv4-mapped prefix, keep lines with an address, then turn each
  # "LOGIN FAILED, user=<user>, ip=[<addr>]" line into "<addr>:<user>"
  ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tr '=' ' ' | sed -n -e '/LOGIN FAILED/s/.*user \([^ ]*\)\(.*\) \([^ ]*\).*/\3:\1/p' | tr -d '[],'`
fi
```
cpanel
```sh
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
#TRIG="10"

# file must exist for rule to be active
REQ="/usr/local/cpanel/logs/login_log"
if [ -f "$REQ" ]; then
  LP="/usr/local/cpanel/logs/login_log"
  TLOG_TF="cpanel"

  ## whm, cpanel, webmaild
  # strip the IPv4-mapped prefix, keep lines with an address, then turn each
  # "FAILED LOGIN" line into "<addr>:<user>"
  ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/FAILED LOGIN/s/\([^ ]*\) \(.*\)- \([^ ]*\).*/\1:\3/p'`
fi
```
exim
```sh
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="50"

# file must exist for rule to be active
REQ="/usr/sbin/exim"
if [ -f "$REQ" ]; then
  LP="/var/log/exim_mainlog"
  TLOG_TF="exim"

  ## EXIM dictionary attacks
  # keep only rejected RCPTs for unknown local parts, then turn each
  # "[<addr>] F=<sender> rejected RCPT <recipient>" line into "<addr>:<recipient>"
  ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -iwE "no such address here|No such person at this address" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | tr -d '<>:' | sed -n -e '/rejected RCPT/s/.*\[\(.*\)] F=\(.*\) rejected RCPT \([^ ]*\).*/\1:\3/p'`
fi
```
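To see what a rule actually hands back to BFD, the added example below (not from the wiki page or from BFD itself) runs the courier rule's parsing pipeline over a constructed maillog sample and then applies a simplified version of the trigger check, counting failures per address against a TRIG value. It assumes BFD's $TLOG_PATH log reader can be stood in for by cat, so the whole sample is scanned rather than only lines added since the last run; the sample lines, addresses and user names are constructed.

```sh
#!/bin/sh
# Write constructed courier-imap/pop3 log lines in the "LOGIN FAILED" format to $1.
make_sample_log() {
  cat > "$1" <<'EOF'
Mar 10 12:00:01 mail imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.5]
Mar 10 12:00:02 mail imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.5]
Mar 10 12:00:03 mail imapd: LOGIN, user=carol, ip=[::ffff:198.51.100.7]
Mar 10 12:00:04 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:203.0.113.5]
Mar 10 12:00:05 mail pop3d: LOGIN FAILED, user=dave, ip=[198.51.100.9]
EOF
}

# The courier rule's pipeline with cat in place of $TLOG_PATH (assumption):
# one "addr:user" line per failed login, successful logins dropped.
courier_pairs() {
  cat "$1" | sed -e 's/::ffff://' \
    | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
    | tr '=' ' ' \
    | sed -n -e '/LOGIN FAILED/s/.*user \([^ ]*\)\(.*\) \([^ ]*\).*/\3:\1/p' \
    | tr -d '[],'
}

# Simplified trigger check (a model of the threshold, not BFD's own code):
# print every address whose failure count in the pairs reaches $2.
over_trigger() {
  courier_pairs "$1" | cut -d: -f1 | sort | uniq -c \
    | awk -v trig="$2" '$1 >= trig { print $2 }'
}

# Demonstration: with TRIG=3 only 203.0.113.5 (three failures) is listed.
LOG=$(mktemp)
make_sample_log "$LOG"
echo "pairs:"; courier_pairs "$LOG"
echo "over trigger (3):"; over_trigger "$LOG" 3
rm -f "$LOG"
```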
