How would it know the mail server has bumped an incorrect login?
By parsing your mail server's log for strings indicating so? And comparing that info to its own internal queue's records?
With the caveat that I literally have just recently started looking at them, it appears they use dedicated filters to break packets into categories and then operate on the individual packets in queues before letting them go to their final destinations. Suricata uses a language, "Rust", which seems particularly well suited for doing this.
Similar to a firewall but with finer granularity and more verbosity in logging. The IDS systems (Suricata, Snort, and it seems many others, most of which support rules written in one of the two formats) download large text files that contain literally thousands of rules every hour or day or week or so and update their behaviors. They can go much further than the log-centric checking that IP addresses and domain names resolve to something that makes sense for what they are doing, or checking them against a "bad people" list and then adding failed attempts to a list the firewall then blocks for a period of time (that's what fail2ban does). Smaller switch/routers, even the fancy ones like the aforementioned ones, seem to not be up for being used with or as an IDS. They just don't have the horsepower.
They may also (like fail2ban) keep records of failed logins in a fast database and make it extremely difficult to sit at a server trying different logins or passwords, all the time compiling statistics if anybody keeps trying and failing again and again. The more they try, the more the ban that's used for them is lengthened or expanded to a larger scope, say banning entire hosting companies or IP address blocks if banning similar hosts makes sense, etc.
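The log-centric approach described in this thread, as an added example that is not part of the original posts and is not fail2ban's own code: it parses mail-server log lines for failed logins, counts them per IP inside a time window, and doubles the ban length on each repeat offence. The log lines are constructed in the style of Postfix SASL failures, and the thresholds and the doubling rule are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs), not taken from a real server.
SAMPLE_LOG = """\
2024-01-10T03:14:01 mail postfix/smtpd[911]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
2024-01-10T03:14:05 mail postfix/smtpd[911]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
2024-01-10T03:14:06 mail postfix/smtpd[912]: warning: unknown[198.51.100.20]: SASL PLAIN authentication failed
2024-01-10T03:14:09 mail postfix/smtpd[911]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
2024-01-10T03:20:00 mail postfix/smtpd[913]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
2024-01-10T03:30:00 mail postfix/smtpd[914]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
2024-01-10T03:30:02 mail postfix/smtpd[914]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
2024-01-10T03:30:04 mail postfix/smtpd[914]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
2024-01-10T03:31:00 mail postfix/smtpd[915]: warning: unknown[198.51.100.20]: SASL PLAIN authentication failed
2024-01-10T03:32:00 mail postfix/smtpd[915]: connect from unknown[198.51.100.20]
"""

# Assumed filter: timestamp, host, then a Postfix SASL failure naming the client IP.
FAIL_RE = re.compile(
    r"^(\S+) \S+ postfix/smtpd\[\d+\]: warning: \S+\[([0-9a-fA-F.:]+)\]: "
    r"SASL \S+ authentication failed")

MAX_RETRY = 3                       # failures tolerated inside FIND_TIME (assumed)
FIND_TIME = timedelta(minutes=10)   # sliding window for counting failures (assumed)
BASE_BAN = timedelta(minutes=10)    # first ban; doubled on every repeat (assumed)

def scan(lines):
    """Return ban decisions as (timestamp, ip, ban_duration) tuples."""
    recent = defaultdict(deque)     # ip -> timestamps of failures in the window
    prior_bans = defaultdict(int)   # ip -> how many times it was banned before
    banned_until, bans = {}, []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                # not a failed login, ignore
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue                # host is already banned at this time
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()        # drop failures older than the window
        if len(window) >= MAX_RETRY:
            duration = BASE_BAN * (2 ** prior_bans[ip])
            prior_bans[ip] += 1
            banned_until[ip] = ts + duration
            bans.append((ts, ip, duration))
            window.clear()
    return bans

if __name__ == "__main__":
    for ts, ip, duration in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} ban {ip} for {duration}")
```

In a real deployment each ban decision would be handed to the firewall as a timed block rule; here it is only returned so the escalation is visible.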