On 18 Oct 2016, at 20:45, Sebastian Nielsen wrote:
Looks rather like a scanning attack (finding vulnerabilities). I think they are trying to do a SSL type of attack like HEARTBLEED but your server isn't vulnerable. Looks also like they are sending HTTP requests (encapsulated in SSL/TLS) to a mail server, which seems to be a extremely stupid bot scanner.
Dovecot supports standard imaps (port 993) and pop3s (port 995) so that isn't HTTP and isn't at all strange. If I understand those errors correctly (big "if") they are typical of a client making a connection to an SSL port and sending something other than a SSL/TLS client hello.
