Hi,
I have used fail2ban for a while, to block brute force attacks on ssh, imap(s) or submission(s) ports.
More because I wanted to reduce the noise in the logs rather than a fear of a broken password.

Then, with nftables, I realised you can achieve the same thing, as long as a TCP connection isn't close. This works very
well for SSH, but I then realised it works for a modern IMAP server that supports IDLE, since the connection is kept
open, for instance the excellent Dovecot mail server.

Here an example, of nftable ruleset, for dovecot imap(s):
table inet filter {

    set banned_imap_ipv4 {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1d
    }

    set banned_imap_ipv6 {
        type ipv6_addr
        size 65535
        flags dynamic,timeout
        timeout 1d
    }

    chain input {

        # Limit new imap connections ala fail2ban
        meta nfproto ipv4 tcp dport imaps ct state new,untracked \
        limit rate over 10/minute add @banned_imap_ipv4 { ip saddr }

        meta nfproto ipv6 tcp dport imaps ct state new,untracked \
        limit rate over 10/minute add @banned_imap_ipv6 { ip6 saddr }

        # Reject the traffic explicitly
        ip saddr @banned_imap_ipv4 tcp dport imaps reject with icmp type admin-prohibited
        ip6 saddr @banned_imap_ipv6 tcp dport imaps reject with icmpv6 type admin-prohibited

        tcp dport { imap, imaps } ct state new counter accept \
        comment "Accept imap/imaps connections"

    }

}
Surprisingly, this is working very well with Dovecot, and various modern clients like Evolution or Thunderbird, as well
as K9 on Android.

There is also a way to save the rules before restarting the firewall, which works very well as well:
# nft list set inet filter banned_imap_ipv4
table inet filter {
        set banned_imap_ipv4 {
                type ipv4_addr
                size 65535
                flags dynamic,timeout
                timeout 1d
                elements = { 162.142.125.214 timeout 1d expires 23h44m16s600ms }
        }
}
Now, the question I have is this.

I can limit new TCP connections to a reasonable amount, like 10 per minute, because I know I will not try to send that
amount of emails from a single IP.

However, is there an option, in Postfix, to keep the TCP connection opened for submission(s) protocols (ports 465 or
587)

Thanks for your insights.