Thanks to the Free Thinker and his recent post on postfix
configuration [0]. While I was aware of port 587 and its use, I have
been using the same postfix config for years and have always used
port 25 for SASL authentication from remote email clients without
much thought. I also use fail2ban on the server because of the
non-stop SASL login attempts.

After reading the post in question and realizing I was a dummy, I
switched the authentication to port 587 exclusively and no longer
see any fail2ban blocks for SASL auth. The attacks still come in of
course, but postfix drops the connections to port 25 when it sees
the AUTH command. I'm sure there will be login attempts on port 587
as well, but hopefully not as many.
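
One way to check from the mail log that the change took effect, as an
added example (not the author's code or configuration): the Python
below counts failed SASL attempts per Postfix service. It assumes the
submission entry in master.cf sets syslog_name=postfix/submission, so
port 587 logs as postfix/submission/smtpd and port 25 as postfix/smtpd;
the log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines (not from the author's server); addresses are from
# documentation ranges. The "postfix/submission/smtpd" tag is an assumption:
# it requires "-o syslog_name=postfix/submission" on the submission service.
# The first failure stands for a pre-change attempt on port 25.
SAMPLE_LOG = """\
Apr 20 03:11:02 mail postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Apr 20 03:11:04 mail postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 20 03:11:05 mail postfix/smtpd[2101]: disconnect from unknown[203.0.113.7]
Apr 20 04:40:17 mail postfix/submission/smtpd[2188]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed:
Apr 20 04:40:19 mail postfix/submission/smtpd[2188]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 20 05:02:44 mail postfix/submission/smtpd[2190]: warning: host.example[192.0.2.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 20 05:03:00 mail postfix/cleanup[2200]: 4A1B2C3D: message-id=<x@example.org>
"""

# Service is whatever follows "postfix/" up to the PID, e.g. "smtpd" (port 25)
# or "submission/smtpd" (port 587 under the assumption above).
FAIL_RE = re.compile(
    r"postfix/(?P<service>[\w/-]*smtpd)\[\d+\]: warning: "
    r"\S*\[(?P<ip>[0-9A-Fa-f:.]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed"
)

def sasl_failures(lines):
    """Yield (service, client_ip, mechanism) for each failed SASL attempt."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            yield m["service"], m["ip"], m["mech"]

def summarize(lines):
    """Count failures per service and per (service, client IP)."""
    by_service, by_client = Counter(), Counter()
    for service, ip, _mech in sasl_failures(lines):
        by_service[service] += 1
        by_client[service, ip] += 1
    return by_service, by_client

def auth_seen_on_port25(lines):
    """True if the plain smtpd service still processed an AUTH attempt."""
    return any(service == "smtpd" for service, _ip, _mech in sasl_failures(lines))

if __name__ == "__main__":
    by_service, by_client = summarize(SAMPLE_LOG.splitlines())
    for service, count in by_service.most_common():
        print(f"{service}: {count} failed SASL attempts")
    print("AUTH still reaching port 25:", auth_seen_on_port25(SAMPLE_LOG.splitlines()))
```

Run against the real mail log after the change, any count under plain
"smtpd" means AUTH is still being accepted on port 25.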

I did something similar with SSH years ago on my VPS, moving the SSH
daemon to a non-standard listening port, and I never see outside
login attempts. It's "security by obscurity", sure, but it still
helps. I guess in this case port 587 is just a less-used standard
port.

[0]:
gopher://aussies.space:70/0/~freet/phlog/2023-04-14Making_My_Postfix_Config_Racist.txt