Using DNS Blackhole Lists (DNSBL) to block Incoming IP Addresses

Analysis of my mail server logs over the last few months shows that over 90% of SMTP Auth and dictionary attacks are coming from IP addresses listed on Spamhaus and Spamcop DNS blackhole lists.

I initially wrote a Fail2ban jail which did a DNS lookup of the incoming SMTP IP addresses at zen.spamhaus.org and bl.spamcop.net, and added firewall rules to the mail server to drop any further packets reaching the mail server from listed addresses.
This proved to be very effective and stopped SMTP Auth attacks and dictionary attacks from reaching the server.

With this success I looked at using DNSBL lookups on the IPFire firewall and have written this add-on:
https://people.ipfire.org/~helix/auto-dnsbl/

For more information check out the README at

https://people.ipfire.org/~helix/auto-dnsbl/README

Comments appreciated.

Rob

3 Likes
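The DNSBL lookup the post relies on, as an added example (not code from the post, the Fail2ban jail or the auto-dnsbl add-on). It goes slightly beyond the post by also building IPv6 query names and by separating real listings from error answers, so a refused query does not turn into a firewall block. The function names, the injectable `resolve` parameter and the sample answers are assumptions constructed for illustration.

```python
import ipaddress
import socket

ZONES = ("zen.spamhaus.org", "bl.spamcop.net")  # the two lists named in the post
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")        # RFC 5782 answer range
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")    # Spamhaus error codes

def dnsbl_name(ip, zone):
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def classify(answer):
    """Turn an A-record answer (or None for NXDOMAIN) into a verdict."""
    if answer is None:
        return "clean"
    a = ipaddress.ip_address(answer)
    if a in ERROR_NET:
        return "error"      # e.g. query refused; says nothing about the IP
    if a in LISTED_NET:
        return "listed"
    return "error"          # outside 127/8: wildcard or hijacked resolver

def system_resolver(name):
    """Real lookup. Note: resolver failures also land here and fail open."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check(ip, zones=ZONES, resolve=system_resolver):
    """Query every zone and return {zone: verdict}."""
    return {zone: classify(resolve(dnsbl_name(ip, zone))) for zone in zones}

def should_block(verdicts):
    """Block only on a positive listing, never on an error answer."""
    return "listed" in verdicts.values()

if __name__ == "__main__":
    # Constructed answers for documentation addresses; no network needed.
    fake = {"99.2.0.192.zen.spamhaus.org": "127.0.0.4",
            "1.2.0.192.zen.spamhaus.org": "127.255.255.254"}
    for ip in ("192.0.2.99", "192.0.2.1"):
        verdicts = check(ip, resolve=fake.get)
        print(ip, verdicts, "block" if should_block(verdicts) else "allow")
```

Leaving out `resolve` makes `check` use the system resolver; Spamhaus returns the 127.255.255.x error answers for queries it refuses, for example those sent through a public resolver.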