Postfix offers many ways to authenticate submissions, one of which is to co-opt the Dovecot authentication agent, but generally, only "submissions" are authenticated. Deliveries from the big bad internet are not authenticated. An architectural decision that was made many years ago.
Useful, thanks. ... May I then presume that port 587 should be going to Dovecot only and not Postfix? Otherwise, how was I supporting users with this configuration:
https://sciencetools.com/email.html
To save your looking, it's port 587 with "STARTTLS", and 993 with "SSL/TLS".
If the 587 is going to Dovecot and not Postfix, doesn't that make my case for me that this is a Dovecot issue because, as you state, "Deliveries from the big bad internet are not authenticated. An architectural decision that was made many years ago"?
If the relaying stops when the Dovecot authentication agent is shut down, perhaps you have a compromised machine "inside" your network that is sending spam through your Mail Submission Agent (probably also Postfix).
If that were true it'd still be happening because in "shutting down Dovecot", I merely closed off the ports at the firewall. So, there goes that theory.
Dovecot can be configured as a "Front-End" proxy to the MSA to handle the authentication part of the transaction.
I figured that's what was happening, thanks - presuming you mean Dovecot IS the MSA for Postfix in this instance.
Thanks, Richard