Glenn English wrote:

...

Maybe someone is brute forcing your server's Postfix authenticated SMTP service since Postfix can be configured to use Dovecot's SASL authentication framework.

and for the suggestion -- I do have Postfix using Dovecot-Auth checking for SASL.

I think I'm going to re-install and run Tripwire...

Tripwire? If the purpose of your query is to automate blocking of brute forcers, this software is not what you want (which detects tampering of critical system files).

I suggest trying to find where Postfix failed login reports go, then use your fail2ban or what-have-you to detect and block hosts that repeatedly fail authentication.

(First Google hit I did on this subject)
http://scottlinux.com/2011/05/26/prevent-postfix-brute-force/

The log entries might look like

{timestamp} {servername} postfix/smtpd[{pid}]: lost connection after AUTH
	from {remote-hostname}[{remote-ip}]

Joseph Tam jtam.home@gmail.com