Useful, thanks. ... May I then presume that port 587 should be going to Dovecot only and not Postfix? Otherwise, how was I supporting users with this configuration:
No, you should not assume port 587 (or port 465) goes to Dovecot. Postfix has enough smarts to handle the authentication itself and many systems will be configured this way. Some systems may use the Dovecot submission proxy as a convenience. If Dovecot and Postfix are running on the same machine, the MUA would not be able to tell the difference.
If that were true it'd still be happening because in "shutting down Dovecot", I merely closed off the ports at the firewall. So, there goes that theory.
I couldn't draw any conclusion without knowing your network architecture (where the firewall sits) and what ports you closed.
I figured that's what was happening, thanks - presuming you mean Dovecot IS the MSA for Postfix in this instance.
Dovecot does not maintain a message queue for submissions and does not take responsibility for delivery, so I don't think it would be correct to call it the "MSA", it is just acting as a proxy.
As an aside, you should consider the post from Jeremy Ardley and in particular, the Postfix setting "permit_sasl_authenticated". In many setups, Postfix will relay traffic from "trusted networks" or "authenticated users". It may well be that you do NOT have an open relay but simply that the spammers know one of your user's password.
-- This email has been checked for viruses by AVG antivirus software. www.avg.com