my idea is to block the IP that makes the unsuccessful login attempts to the smtp service.
On the web I found the following rule, but not if it is what I need.
acl_smtp_auth:
drop message = authentication is allowed only once per message
set acl_m_auth = ${eval10:0$acl_m_auth+1}
condition = ${if >{$acl_m_auth}{2}}
delay = 30s
accept