Closing smtp ports question

I'm fed up of checking my logs daily to find brute force login attempts on emails, some times as many as 50 over night.
So in CSF I closed ports 110,143,220,465,587,993,995 to all but my home country code.

Either this is working to a point, or the hackers got bored and moved on.
However, if it is working, then I'm still seeing a very small number, but I've no ideas why.

Code:

2017-02-28 02:41:29 SMTP connection from [xxx.xx.xxx.xxx]:50841 (TCP/IP connection count = 1)
2017-02-28 02:41:30 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:41:50 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:41:52 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:41:58 dovecot_plain authenticator failed for ([127.0.0.1]) [xxx.xx.xxx.xxx]:50841: 535 Incorrect authentication data (set_id=user)
2017-02-28 02:42:00 SMTP connection from ([127.0.0.1]) [xxx.xx.xxx.xxx]:50841 lost
2017-02-28 02:42:01 SMTP connection from [xxx.xx.xxx.xxx]:54329 (TCP/IP connection count = 1)
2017-02-28 02:42:01 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:45:06 SMTP command timeout on connection from [xxx.xx.xxx.xxx]:54329

How would I find which port they might be using, so I can close this one too ??

 

I don't see anything in cpanel or apache logs.

Here's another, the IP being in Indonesia, so should be blocked.

Code:

2017-03-06 01:26:38 SMTP connection from [xxx.xxx.xxx.xxx]:37292 (TCP/IP connection count = 1)
2017-03-06 01:27:01 dovecot_plain authenticator failed for host112.subnet.xxxx.net.id (svrwebprodi112.zzzzzz.ac.id) [xxx.xxx.xxx.xxx]:37292: 535 Incorrect authentication data (set_id=user@mydomain.co.uk)
2017-03-06 01:27:01 SMTP connection from host112.subnet.xxxx.net.id (abcdef.ghijk.ac.id) [xxx.xxx.xxx.xxx]:37292 lost
2017-03-06 01:27:03 SMTP connection from [xxx.xxx.xxx.xxx]:40553 (TCP/IP connection count = 1)
2017-03-06 01:30:08 SMTP command timeout on connection from host112.subnet.xxxx.net.id [xxx.xxx.xxx.xxx]:40553

 

is it possible that these login requests are coming via port 25

 

But if i close incoming port 25, then no mailserver will be able to establish a connection with me ??

 

CSF is already taking care of this, however, it's annoying as I don't know how I'm still receiving failed smtp authentications when I already closed ports 110,143,220,465,587,993,995.

 

This is still onging.


2017-10-09 16:12:16 SMTP connection from [xxx.xxx.xxx.xx]:51334 (TCP/IP connection count = 1)
2017-10-09 16:12:21 dovecot_plain authenticator failed for (127.0.0.1) [xxx.xxx.xxx.xx]:51334: 535 Incorrect authentication data (set_id=admin@domain.com)
2017-10-09 16:12:27 SSL_write: (from (127.0.0.1) [xxx.xxx.xxx.xx]:51334) syscall: Broken pipe
2017-10-09 16:12:27 dovecot_login authenticator failed for (127.0.0.1) [xxx.xxx.xxx.xx]:51334: 535 Incorrect authentication data (set_id=AB\023)
2017-10-09 16:12:27 SMTP connection from (127.0.0.1) [xxx.xxx.xxx.xx]:51334 lost

I found this in the message log for a similar login attempt.

[6883341.422495] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:19:99:78:1e:4f:00:18:74:67:50:00:08:00 SRC=xxx.xxx.xxx.xx DST=xxx.xxx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=14778 DF PROTO=TCP SPT=42475 DPT=587 WINDOW=5808 RES=0x00 SYN URGP=0

which would indicate port 587, but port 587 is closed in CSF

 

I don't see anything in access.log around this time other than a few localhost (127) entries.