and I notice that dovecot doesn't handle the brute-force attacks too nicely. I reduced the limit a bit to a reasonable-looking value, login_max_processes_count = 32, to stop them earlier, and the number of processes stops at that figure when an attack happens.
Somewhat off the original topic. I cannot help but wonder what the goal of the brute force attack is. I am guessing they want a working username and password to relay junk email?
I have heard of users having their email address and password stolen by a virus or spyware, then used to authenticate and relay thousands of pieces of junk email. We enabled rate-limit on Exim, which only allows a given IP to send to X number of message recipients in X amount of time. We also added a plugin to SquirrelMail to only allow so many recipients per message and only so many messages per day.
Matt
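
Added example, not part of the original posts: one way to express the per-IP recipient limit described above with Exim's ratelimit ACL condition, plus a per-account limit for the stolen-credentials case. The numbers (100 per hour, 500 per day) are constructed placeholders for the "X" values, and the statements are assumed to sit in the ACL named by acl_smtp_rcpt.

```exim
# Fragment for the ACL referenced by acl_smtp_rcpt (assumed placement).
# Limits below are constructed sample values, not the poster's settings.

# Per-IP limit: count every RCPT command (per_rcpt) against the
# connecting host's address and defer once the rate passes 100/hour.
defer message   = Too many recipients from $sender_host_address \
                  ($sender_rate per $sender_rate_period, \
                  limit $sender_rate_limit)
      ratelimit = 100 / 1h / per_rcpt / $sender_host_address

# Per-account limit: a stolen password is often used from many IPs,
# so also key the counter on the authenticated login name.
# "strict" keeps counting while the sender is over the limit, so the
# block stays in place until the sending actually slows down.
deny  authenticated = *
      message       = Account $authenticated_id exceeded \
                      $sender_rate_limit recipients per \
                      $sender_rate_period
      ratelimit     = 500 / 1d / per_rcpt / strict / $authenticated_id
```

The defer on the IP rule lets a legitimate server retry later, while the deny on the account rule gives an immediate failure that a user or helpdesk will notice.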