I take it the "3 emails a day" are being sent by your mail server software to alert you? If it is from random senders I would consider those phishing emails.
Any mail server with ports open to the Internet is going to see a lot of attack attempts. If you have a lockout after 5 incorrect passwords they will likely give up and move on.
Suricata or Snort can try to block those attempts, yes. They can be set up so if an alert is triggered the IP is blocked for the desired amount of time.
Generally for in-office mail servers, we set our clients up with our spam filtering service, and in pfSense only allow connections on port 25 from the filtering service IPs. So the world cannot just connect to the mail server.