Please note, this is not like the other question asked about the same topic (wrong SSL setup, whatever)! My mail setup works fine, IMAP / POP3 login and smtp is just working.
But I have some log entries I do not understand.
The machine has two interfaces.
eth0 -> 172.16.5.12 (an internal IP)
eth1 -> public IP address
dovecot: auth: Debug: auth client connected (pid=x)
dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=172.16.5.12, lip=172.16.5.12, TLS, session=<xxxasd>
Postfix uses Dovecot as auth backend (if this is important). I do not perform any other IMAP login from the machine itself.
What I wonder is, why it uses the IP 172.16.5.12 and not even 127.0.0.1 if there would be any attemp.
What I tried:
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j DROP
Log entries are still there. If any config snippet is needed to debug what this is, please let me know!
--
I have another mailserver with nearly similar setup, on this server the rip and lip in the maillog is the public IP address from eth1.
The connection was from the monitoring, there was one checking the port if open and one which validated the SSL certificate. Thanks @Dom