I run a personal email server. I can't emphasize enough how geofencing has reduced the useless hacking on my email server. I only leave port 25 open to the world. I use port 587.
Unfortunately that's not an option for commercial mailservers. You have to be open to communicate with the world. Geofencing might be inaccurate. Often this data is extracted from ip-net registrations - the country where the company resides that registered that net might not be where the servers are located. There are services like maxmind that are more accurate but are not free.
Firewalls use memory but tend to be very light on the CPU other than when you first start up the firewall. I assume they take the deny list and create a table in RAM to efficiently block IPs. I have found that
This depends on how your firewall works. A standard linux firewall processes iptables rules one after another. With a lot of rules and high traffic this can cause very high cpu usage. In case you're using ipsets (like a hashmap) that is not the case. There's also a difference if you block single ips or whole subnets.
dynamic IP blocking programs such as sshguard or fail2ban are a CPU burden since that table needs to be refreshed as new IPs are added or removed so I have stopped using them. Not that the programs themselves are CPU intensive, but they cause the firewall to be CPU intensive. I am considering using sshguard again but with a very high threshold to add an IP to the deny list.
It's not that cpu intensive when using ipsets. On the other hand fail2ban itself uses quite some cpu and memory (sqlite databases can get large). I haven't been using fail2ban because of that, so I don't know if the situation has improved.
Regarding attempts to add 2FA by using RoundCube or similar web based email, I think those programs just increase the attack surface. When I used a hosting service I was hacked by an unpatched exploit in RoundCube.
Programs like fail2ban do not increase the attack surface under normal circumstances. They just scan logs and add firewall rules, which does not cost very much when using ipsets.
I'm very interested which roundcube bug that was, using roundcube myself. Can you have a look at the cve list, please:
https://www.cvedetails.com/vulnerability-list/vendor_id-8905/Roundcube.html
Best regards Gerald