The relaying only started and stopped when Dovecot was turned on or off.
Isn't it true that Dovecot performs an authentication function for inbound connect requests, the successful of which then may use the submission mechanism from what Postfix takes to be an internal connection to send emails? Is this mistaken?
Postfix offers many ways to Authenticate submissions, one of which is to co-opt the Dovecot authentication agent, but generally, only "submissions" are authenticated. Deliveries from the big bad internet are not authenticated. An architectural decision that was made many years ago.
If the relaying stops when the Dovecot authentication agent is shut down, perhaps you have a compromised machine "inside" your network that is sending spam through your Mail Submission Agent (probably also Postfix). Dovecot can be configured as a "Front-End" proxy to the MSA to handle the authentication part of the transaction.
-- This email has been checked for viruses by AVG antivirus software. www.avg.com