Well, as I said, it's up to squirrelmail to actually provide the real client IP. Otherwise dovecot cannot know it. You can try turning on imap rawlogs (see https://wiki.dovecot.org/Debugging/Rawlog) and check if squirrelmail is forwarding client ip or not.

I added:to  /etc/dovecot/conf.d/10-master.conf

service postlogin {
  executable = script-login -d rawlog
  unix_listener postlogin {
  }
}

restarted Dovecot and wforce only seeing this, which shows the loopback address:

Mar 29 10:10:51 imap-login: Info: Login: user=<ouruser>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10385, secured, session=<8KTTPDyFVIh/AAAB>
Mar 29 10:10:51 imap(ouruser)<10385><8KTTPDyFVIh/AAAB>: Info: Connection closed (UID FETCH finished 0.030 secs ago) in=308 out=27743 deleted=0 expunged=0 trashed=0 hdr_count=50 hdr_bytes=10263 body_count=0 body_bytes=0
Mar 29 10:10:51 auth: Debug: auth client connected (pid=10389)
Mar 29 10:10:51 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured session=2MwBPTyFWoh/AAAB        lip=127.0.0.1   rip=127.0.0.1   lport=143       rport=34906     resp=<hidden>
Mar 29 10:10:51 auth: Debug: policy(ouruser,127.0.0.1,<2MwBPTyFWoh/AAAB>): Policy request https://ourdomain:8084/?command=allow
Mar 29 10:10:51 auth: Debug: policy(ouruser,127.0.0.1,<2MwBPTyFWoh/AAAB>): Policy server request JSON: {"device_id":"","login":"ouruser","protocol":"imap","pwhash":"68","remote":"127.0.0.1","tls":false}
Mar 29 10:10:51 auth: Debug: http-client: peer ip.of.se.vr:8084 (shared): Peer reused
Mar 29 10:10:51 auth: Debug: http-client[1]: queue https://ourdomain:8084: Setting up connection to ip.of.se.vr:8084 (SSL=ourdomain) (2 requests pending)
Mar 29 10:10:51 auth: Debug: http-client[1]: request [Req7: POST https://ourdomain:8084/?command=allow]: Submitted (requests left=2)
Mar 29 10:10:51 auth: Debug: http-client[1]: peer ip.of.se.vr:8084: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Mar 29 10:10:52 auth: Debug: http-client: peer ip.of.se.vr:8084 (shared): Backoff timer expired
Mar 29 10:10:52 auth: Debug: http-client[1]: peer ip.of.se.vr:8084: Making new connection 1 of 1 (0 connections exist, 0 pending)
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]: HTTPS connection created (1 parallel connections exist)
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]: Connected
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]: Starting SSL handshake
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]: SSL handshake to ip.of.se.vr:8084 failed: Connection closed
Mar 29 10:10:52 auth: Debug: http-client[1]: peer ip.of.se.vr:8084: Connection failed (1 connections exist, 0 pending)
Mar 29 10:10:52 auth: Debug: http-client: peer ip.of.se.vr:8084: Failed to make connection (1 connections exist, 0 pending)
Mar 29 10:10:52 auth: Debug: http-client[1]: peer ip.of.se.vr:8084: Failed to establish any connection within our peer pool: SSL handshake to ip.of.se.vr:8084 failed: Connection closed (1 connections exist, 0 pending)
Mar 29 10:10:52 auth: Debug: http-client[1]: queue https://ourdomain:8084: Failed to set up connection to ip.of.se.vr:8084 (SSL=ourdomain): SSL handshake to ip.of.se.vr:8084 failed: Connection closed (1 peers pending, 2 requests pending)
Mar 29 10:10:52 auth: Debug: http-client: peer ip.of.se.vr:8084 (shared): Peer reused
Mar 29 10:10:52 auth: Debug: http-client[1]: queue https://ourdomain:8084: Setting up connection to ip.of.se.vr:8084 (SSL=ourdomain) (2 requests pending)
Mar 29 10:10:52 auth: Debug: http-client[1]: queue https://ourdomain:8084: Started new connection to ip.of.se.vr:8084 (SSL=ourdomain)
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]: Connection close
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]: Connection disconnect
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]: Detached peer
Mar 29 10:10:52 auth: Debug: http-client[1]: conn ip.of.se.vr:8084 [6]: Connection destroy
Mar 29 10:10:52 auth: Debug: http-client[1]: peer ip.of.se.vr:8084: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Mar 29 10:10:52 auth: Debug: http-client: peer ip.of.se.vr:8084 (shared): Starting backoff timer for 6400 msecs
Mar 29 10:10:53 auth: Debug: http-client[1]: queue https://ourdomain:8084: Timeout (now: 2019-03-29 10:10:53.503)
Mar 29 10:10:53 auth: Debug: http-client[1]: queue https://ourdomain:8084: Absolute timeout expired for request [Req6: POST https://ourdomain:8084/?command=report] (Request queued 2.001 secs ago, not yet sent, 0.000 in other ioloops)
Mar 29 10:10:53 auth: Debug: http-client[1]: request [Req6: POST https://ourdomain:8084/?command=report]: Error: 9008 Absolute request timeout expired (Request queued 2.001 secs ago, not yet sent, 0.000 in other ioloops)
Mar 29 10:10:53 auth: Debug: http-client[1]: queue https://ourdomain:8084: Dropping request [Req6: POST https://ourdomain:8084/?command=report]
Mar 29 10:10:53 auth: Error: policy(ouruser,127.0.0.1,<8KTTPDyFVIh/AAAB>): Policy server HTTP error: Absolute request timeout expired (Request queued 2.001 secs ago, not yet sent, 0.000 in other ioloops)
Mar 29 10:10:53 auth: Debug: http-client[1]: request [Req6: POST https://ourdomain:8084/?command=report]: Destroy (requests left=2)
Mar 29 10:10:53 auth: Debug: http-client[1]: request [Req6: POST https://ourdomain:8084/?command=report]: Free (requests left=1)
Mar 29 10:10:53 auth: Debug: http-client[1]: queue https://ourdomain:8084: New timeout
Mar 29 10:10:53 auth: Debug: http-client[1]: queue https://ourdomain:8084: Set request timeout to 2019-03-29 10:10:53.613 (now: 2019-03-29 10:10:53.503)
Mar 29 10:10:53 auth: Debug: http-client[1]: queue https://ourdomain:8084: Timeout (now: 2019-03-29 10:10:53.613)
Mar 29 10:10:53 auth: Debug: http-client[1]: queue https://ourdomain:8084: Absolute timeout expired for request [Req7: POST https://ourdomain:8084/?command=allow] (Request queued 2.000 secs ago, not yet sent, 0.000 in other ioloops)
 
What feature or setting would I be looking for in Squirrelmail to change to wforce?