> I've installed fail2ban, it seems to be working as it identified my failed
> test logins, BUT, my question is:
> what can I do when I see same invalid name trying to login to dovecot,
> different IP each time, how can I say block each IP as used by this name ?
If each IP is only used once in a long while, what would be the point?
In general, distributed attacks are very hard to stop if you have a
default accept stance. I've observed that most of the attacks to my site
are from the enormous Chinese stated owned public network superblocks.
I finally got sick of them so I now spiral these IMAP/POP connections
into the Scharwzschild radius of my firewall.
It's a prophylactic measure and not a reactive system like fail2ban, and
may not work for you if you got road warriors that frequent that part
of the world. However, it did get rid of a metric ton of BFD connections.