Notices by Tim 🐧 (tim@social.techn1k.de)
Tim 🐧 (tim@social.techn1k.de)'s status on Tuesday, 16-Aug-2022 06:28:36 UTC
@codewiz Same here. After I found out that many of the IPs in the postfix log also show up in the nginx log, I decided to use the "sledgehammer method":
grep ': connect from unknown' /var/log/mail | cut -d '[' -f3 | sed 's/]$//' | sort -u
Everything found in the postfix log this way ends up on my perimeter firewall's blocklist for at least 30 days.
The script for this runs every 2 hours on my mail server. Since I've been doing this, the number of port scans, web server "pentests" etc. has decreased significantly.
@jwildeboer
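The same extraction done in Python, as an added example that is not from the post: it keeps the `: connect from unknown` anchor (so `disconnect from unknown` lines are ignored), strips the `IPv6:` prefix Postfix puts inside the brackets for IPv6 peers (which the cut/sed one-liner leaves in place), validates each token before it can reach a firewall rule, skips an assumed allowlist, and tracks the 30-day expiry per address. The log lines and addresses are constructed sample data.

```python
import ipaddress
import re

TTL_SECONDS = 30 * 86400  # the post's "at least 30 days"

# Constructed sample of Postfix smtpd log lines (documentation ranges only).
SAMPLE_LOG = """\
Aug 16 06:10:01 mx postfix/smtpd[4711]: connect from unknown[203.0.113.17]
Aug 16 06:10:02 mx postfix/smtpd[4711]: disconnect from unknown[203.0.113.17] ehlo=1 quit=1 commands=2
Aug 16 06:11:45 mx postfix/smtpd[4712]: connect from mail.example.net[198.51.100.5]
Aug 16 06:12:09 mx postfix/smtpd[4713]: connect from unknown[IPv6:2001:db8::1]
Aug 16 06:13:30 mx postfix/smtpd[4714]: connect from unknown[203.0.113.17]
Aug 16 06:14:00 mx postfix/smtpd[4715]: connect from unknown[192.0.2.250]
"""

# ": connect from" (with the leading colon) excludes "disconnect from" lines,
# exactly like the grep pattern in the post; the optional "IPv6:" prefix is
# how Postfix marks IPv6 peers inside the brackets.
CONNECT_RE = re.compile(r": connect from unknown\[(?:IPv6:)?([^\]]+)\]")


def extract_offenders(log_text, allow=()):
    """Return the sorted, unique peer addresses that connected without a
    resolvable reverse DNS name ('unknown'), minus allowlisted networks."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    found = set()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed token: never pass unvalidated text to the firewall
        if any(addr in net for net in allowed):
            continue
        found.add(str(addr))
    return sorted(found)


def refresh_blocklist(blocklist, offenders, now, ttl=TTL_SECONDS):
    """Merge offenders into {address: expiry_epoch} and drop expired entries.
    A re-seen address has its expiry pushed out, so the block lasts at least
    `ttl` seconds after the most recent sighting."""
    updated = {a: exp for a, exp in blocklist.items() if exp > now}
    for addr in offenders:
        updated[addr] = now + ttl
    return updated
```

Run on a real file by reading /var/log/mail into `extract_offenders` and persisting the dict `refresh_blocklist` returns between the 2-hourly runs; the expiry is what lets entries age out of the firewall.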