Originally Posted by compugraphix
if i was you i would install fail2ban and turn it on for courier-pop3(-ssl), courier-imap(-ssl) and smtp configuration and try to move your clients over to the ssl variant of your mail setup cause this is much more secure.
Could be somebody hacked the password of a mail user via bruteforce or some other way
You can check if fail2fan is working with:
fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf
(example in ubuntu for the sasl filter)
You can check pop3, imap and so on as well. The report will give you something like this(bottom):
Success, the total number of match is 43