Observing the fail2ban log file shows that IPs are already banned but still appearing in the list. Closer inspection of the log file shows that service firewalld start must be used to solve the problem. Here is the needle in the haystack:
2021-08-09 08:46:43,593 fail2ban.utils [859656]: ERROR 7fa08c73da50 -- exec: ipset create f2b-postfix-sasl2 hash:ip timeout 600
firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports smtp -m set --match-set f2b-postfix-sasl2 src -j REJECT --reject-with icmp-port-unreachable
2021-08-09 08:46:43,594 fail2ban.utils [859656]: ERROR 7fa08c73da50 -- stderr: 'ipset v7.5: Set cannot be created: set with the same name already exists'
2021-08-09 08:46:43,594 fail2ban.utils [859656]: ERROR 7fa08c73da50 -- stderr: 'FirewallD is not running'
2021-08-09 08:46:43,594 fail2ban.utils [859656]: ERROR 7fa08c73da50 -- killed with signal 124 (return code: 252)
2021-08-09 08:46:43,594 fail2ban.actions [859656]: ERROR Failed to execute ban jail 'postfix-sasl2' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '45.141.157.185', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fa08dc33ca0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fa08dc323a0>})': Error starting action Jail('postfix-sasl2')/firewallcmd-ipset: 'Script error'