Closing smtp ports question

I'm fed up of checking my logs daily to find brute force login attempts on emails, some times as many as 50 over night.
So in CSF I closed ports 110,143,220,465,587,993,995 to all but my home country code.

Either this is working to a point, or the hackers got bored and moved on.
However, if it is working, then I'm still seeing a very small number, but I've no ideas why.

Code:

2017-02-28 02:41:29 SMTP connection from [xxx.xx.xxx.xxx]:50841 (TCP/IP connection count = 1)
2017-02-28 02:41:30 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:41:50 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:41:52 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:41:58 dovecot_plain authenticator failed for ([127.0.0.1]) [xxx.xx.xxx.xxx]:50841: 535 Incorrect authentication data (set_id=user)
2017-02-28 02:42:00 SMTP connection from ([127.0.0.1]) [xxx.xx.xxx.xxx]:50841 lost
2017-02-28 02:42:01 SMTP connection from [xxx.xx.xxx.xxx]:54329 (TCP/IP connection count = 1)
2017-02-28 02:42:01 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:45:06 SMTP command timeout on connection from [xxx.xx.xxx.xxx]:54329

How would I find which port they might be using, so I can close this one too ??

 

I don't see anything in cpanel or apache logs.

Here's another, the IP being in Indonesia, so should be blocked.

Code:

2017-03-06 01:26:38 SMTP connection from [xxx.xxx.xxx.xxx]:37292 (TCP/IP connection count = 1)
2017-03-06 01:27:01 dovecot_plain authenticator failed for host112.subnet.xxxx.net.id (svrwebprodi112.zzzzzz.ac.id) [xxx.xxx.xxx.xxx]:37292: 535 Incorrect authentication data (set_id=user@mydomain.co.uk)
2017-03-06 01:27:01 SMTP connection from host112.subnet.xxxx.net.id (abcdef.ghijk.ac.id) [xxx.xxx.xxx.xxx]:37292 lost
2017-03-06 01:27:03 SMTP connection from [xxx.xxx.xxx.xxx]:40553 (TCP/IP connection count = 1)
2017-03-06 01:30:08 SMTP command timeout on connection from host112.subnet.xxxx.net.id [xxx.xxx.xxx.xxx]:40553

 

is it possible that these login requests are coming via port 25

 

But if i close incoming port 25, then no mailserver will be able to establish a connection with me ??

 

CSF is already taking care of this, however, it's annoying as I don't know how I'm still receiving failed smtp authentications when I already closed ports 110,143,220,465,587,993,995.