Credentials MUST EXCLUSIVELY be exchanged between mail client and server and NEVER be leaked to anyone. Noone - especially no software vendor - has a right to for whatever reason harvest account credentials and send them back to his server without explicit user consent and then on top of that connect back to the mail server with them.
Feb 10 19:03:20 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=34.197.140.199, lip=****, mpid=9975, TLS, session=Both IP addresses 34.197.140.199 (Amazon NET34) and 54.174.226.182 (Amazon NET54) belong to the Amazon EC2/AWS IP ranges.Feb 10 19:03:21 gerda dovecot[8541]: imap(****)<9975> : Logged out in=38 out=566 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 Feb 10 19:03:22 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=54.174.226.182, lip=****, mpid=9977, TLS, session= Feb 10 19:03:30 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=54.174.226.182, lip=****, mpid=9981, TLS, session=<2IJrdt9k9qA2ruK2>
2018-02-11 first mail sent to abuse@amazonaws.com and privacy@bluemail.me
2018-02-15 answer from Amazon, citing BlueMail's response to Amazon's inquiry (BlueMail has not answered my direct question yet):
""Our server is opening legitimate IMAP connections for users' accounts which use our Android e-mail client, this is done to be able to send push notification on new e-mails on their accounts. If further information is required you can direct them back to report@bluemail.me ""
2021-10-23 After some tests on Andoid and iPhone the behaviour was no longer observed.
Feb 11 01:09:27 gerda dovecot[8541]: imap(****)<28626>: Connection closed (STATUS finished 8.359 secs ago) in=646 out=3974 deleted=0 expunged=0 trashed=0 hdr_count=2 hdr_bytes=146 body_count=0 body_bytes=0 [last logout during app deinstallation] Feb 11 13:17:10 gerda dovecot[8541]: imap(****)<9981><2IJrdt9k9qA2ruK2>: Connection closed (IDLE finished 54.887 secs ago) in=4447 out=37491 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 Feb 11 13:45:14 gerda dovecot[8541]: imap-login: Login: user=****, method=PLAIN, rip=54.174.226.182, lip=****, mpid=6632, TLS, session= [password change 15:11] Feb 11 15:11:45 gerda dovecot[27158]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session= Feb 12 03:43:55 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session= Feb 13 03:43:29 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session= Feb 14 03:42:54 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=<8iBUESNlfq02ruK2> Feb 14 03:48:04 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session= Feb 15 03:43:09 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session= Feb 15 03:48:17 gerda dovecot[21467]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session= Feb 16 03:42:56 gerda dovecot[14042]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session= Feb 16 03:48:03 gerda dovecot[14042]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session= Feb 17 03:43:13 gerda dovecot[14042]: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=****, method=PLAIN, rip=54.174.226.182, lip=****, TLS, session=