in syslog.1 imapd-ssl is frequently logged from the ip address of the droplet, why?

I am searching for intrusion / security holes on my droplet. My amazon shopping account has had it’s pwd changed twice this month, so it appears someone has access to my email which is server from my droplet. I am looking at log files to find out how, and in syslog.1 (current log file), I frequently see the lines:

Feb 26 11:38:34 diggy-ocn-drop imapd-ssl: Connection, ip=[::ffff:104.xxx.xxx.xxx] Feb 26 11:38:34 diggy-ocn-drop imapd-ssl: LOGIN, user=me@mydomain.co, ip=[::ffff:104.xxx.xxx.xxx], port=[44764], protocol=IMAP Feb 26 11:38:34 diggy-ocn-drop imapd-ssl: LOGOUT, user=me@mydomain.co, ip=[::ffff:104.xxx.xxx.xxx], headers=230, body=0, rcvd=199, sent=996, time=0, starttls=1 Feb 26 11:38:34 diggy-ocn-drop imapd-ssl: Connection, ip=[::ffff:104.xxx.xxx.xxx] Feb 26 11:38:34 diggy-ocn-drop imapd-ssl: LOGIN, user=me@mydomain.co, ip=[::ffff:104.xxx.xxx.xxx], port=[44766], protocol=IMAP Feb 26 11:38:36 diggy-ocn-drop imapd-ssl: LOGOUT, user=me@mydomain.co, ip=[::ffff:104.xxx.xxx.xxx], headers=92017, body=0, rcvd=1160, sent=164630, time=2, starttls=1 Feb 26 11:38:36 diggy-ocn-drop imapd-ssl: Connection, ip=[::ffff:104.xxx.xxx.xxx] Feb 26 11:38:36 diggy-ocn-drop imapd-ssl: LOGIN, user=me@mydomain.co, ip=[::ffff:104.xxx.xxx.xxx], port=[44768], protocol=IMAP Feb 26 11:38:36 diggy-ocn-drop imapd-ssl: LOGOUT, user=me@mydomain.co, ip=[::ffff:104.xxx.xxx.xxx], headers=0, body=0, rcvd=198, sent=1210, time=0, starttls=1

These lines are repeated every minute.

I’m trying to understand if this is FROM a program running on my Droplet, or is this normal on an iMap server, to show the ip address of the droplet, and not the ip address of the remote computer.

Could imap commands like this come from my smartphone / or desktop, which is checking for new email every minute?

I have already changed my email account password, but the OneTimePasscode from Amazon arrived again today, and someone got thru to amazon to change my password.