Ask yourself where are the login attempts coming from and what program are they trying to connect to?
dovecot is the imap and pop server process that manages mailboxes for external users. It also provides user authentication for smtp connections.
So have a look at your /var/log/messages and search for one of those IP addresses. What you will find is a series of attempts to use smtp authentication. For example, in my logs I can see the following:
Aug 16 00:17:53 efa4 auth: pam_unix(dovecot:auth): check pass; user unknown
Aug 16 00:17:53 efa4 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=ian rhost=22.214.171.124
Aug 16 00:17:50 efa4 postfix/smtpd: connect from unknown[126.96.36.199]
Aug 16 00:17:51 efa4 postfix/smtpd: Anonymous TLS connection established from unknown[188.8.131.52]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 16 00:17:57 efa4 postfix/smtpd: warning: unknown[184.108.40.206]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
which seems pretty clear to me that someone is either trying to guess accounts/passwords, or use my smtp server to send spam. Either way, that's unacceptable.
If I want to stop this, then I cannot block smtp connections as that would be rather counter productive, so the best thing to do is to look for these repeated entries (notice that I am getting the connection attempts from the same network you are getting connection attempts from?) and then firewall them individually.
How do we do that? Fail2Ban!
I've already configured Fail2Ban to watch for and block anyone making multiple failed authentication attempts from the same IP, so they get a few free guesses before I firewall those assholes.
2022-08-16 00:17:57,428 fail2ban.filter : INFO [postfix-sasl] Found 220.127.116.11 - 2022-08-16 00:17:57
2022-08-16 00:17:57,582 fail2ban.actions : NOTICE [postfix-sasl] Ban 18.104.22.168
Fail2ban then adds that asshole to the firewall
iptables --list -n
0114 Chain f2b-postfix-sasl (1 references)
0115 target prot opt source destination
1512 REJECT all -- 22.214.171.124 0.0.0.0/0 reject-with icmp-port-unreachable
And that is how you deal with this problem. The solution is not perfect, but it is a good hardening step.
(my local efa firewall has about 1500 blocked hosts at the moment)