You may want to review your /var/log/mail.log file to see if someone is perhaps repeatedly trying to log into Postfix but failing. If that’s the case, you would see the ip address in that file.
If it’s a legitimate user, you could help them correct it. And if it’s not, you could ban that IP address.
you are in the right way !
I have many :
warning: SASL authentication failure: Password verification failed
May 12 08:18:46 Servername postfix/smtpd[18718]: warning: unknown[154.121.251.42] SASL PLAIN authentication failed: authentication failure
May 12 08:18:49 Servername postfix/smtpd[18718]: warning: unknown[154.121.251.42] SASL LOGIN authentication failed: authentication failure
I have already a jail in fail2ban which was a good job !
$iptables -L fail2ban-postfix-sasl | wc -l
302