Fabian,

This connection drop is normal behavior of a unixoid system when
there are more requests to a service than it can handle.

I have seen such connection floods also, mainly SMTP and in
recent years also on POP3. Limiting the max connections does help
prevent the system from overloading.

Right, but all those connections are from spammers. I am the only client of my domain with 3 email ids at present.

As far as the log files you showed, the connections were all from
the same IP address in a very short time frame, e.g. in the same
minute.

> ( In the meantime, I have created a new jail called "fail2ban-dovecot" ,
> which will find the connections from dovecot.log and ban the IPs. )

Should probably not be needed, if the limit option in Dovecot is
doing what I think it should do.

I thought of enabling the client_limit. But the problem is that I have 3 email IDs at present in this domain. I am accessing them simultaneously using Thunderbird. So if I put client_limit = 3, then it will be a problem if I create a new email ID in the future and access all the emails simultaneously (4 connections). Also I think client_limit doesn't solve the problem if the spammer tries with a delay of say 5 minutes.

That is the reason I thought of using fail2ban, so that I can ban the spammer for 1 week :-)

Thanks.
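
The difference discussed in this message between a burst from one IP and retries spaced five minutes apart, as an added example that is not part of the original thread: a simplified model of the `maxretry`/`findtime` counting a fail2ban jail applies, not fail2ban's own code. The log lines, their ISO timestamp format, and the function name `find_offenders` are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not from the thread), modelled on Dovecot login
# failures; the ISO timestamp is a simplification to keep parsing short.
SAMPLE_LOG = """\
2024-01-10 12:00:01 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<info>, rip=203.0.113.5, lip=192.0.2.1
2024-01-10 12:00:09 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<admin>, rip=203.0.113.5, lip=192.0.2.1
2024-01-10 12:00:20 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<test>, rip=203.0.113.5, lip=192.0.2.1
2024-01-10 12:00:31 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<sales>, rip=203.0.113.5, lip=192.0.2.1
2024-01-10 12:05:00 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<info>, rip=198.51.100.7, lip=192.0.2.1
2024-01-10 12:07:30 imap-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<me>, rip=192.0.2.50, lip=192.0.2.1
2024-01-10 12:07:40 imap-login: Info: Login: user=<me>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.1
2024-01-10 12:10:00 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<admin>, rip=198.51.100.7, lip=192.0.2.1
2024-01-10 12:15:00 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<test>, rip=198.51.100.7, lip=192.0.2.1
2024-01-10 12:20:00 pop3-login: Info: Aborted login (auth failed, 1 attempts in 2 secs): user=<sales>, rip=198.51.100.7, lip=192.0.2.1
"""

# Match only failed logins and capture the timestamp and remote IP (rip=).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+-login: "
    r".*auth failed.*\brip=(?P<ip>[0-9a-fA-F.:]+)"
)

def find_offenders(log_text, maxretry, findtime_s):
    """Return IPs with >= maxretry failed logins inside any findtime_s window."""
    window = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    offenders = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            offenders.add(m["ip"])
    return offenders

if __name__ == "__main__":
    print("findtime=60s:  ", sorted(find_offenders(SAMPLE_LOG, 3, 60)))
    print("findtime=3600s:", sorted(find_offenders(SAMPLE_LOG, 3, 3600)))
```

With a one-minute window only the burst source is flagged; the source retrying every five minutes is caught once the window is long enough to span several of its attempts, and the single mistyped password from the legitimate client never reaches the threshold.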