diff --git a/core/nginx/dovecot/proxy.conf b/core/nginx/dovecot/proxy.conf
index a6e64719..aec5aa5e 100644
--- a/core/nginx/dovecot/proxy.conf
+++ b/core/nginx/dovecot/proxy.conf
@@ -96,14 +96,12 @@ protocol imap {
 }
 
 service imap-login {
-{%- if PORT_143 %}
   inet_listener imap {
-    port = 143
+    port = {% if PORT_143 %}143{% else %}0{% endif %}
 {%- if PROXY_PROTOCOL_143 %}
     haproxy = yes
 {% endif %}
   }
-{% endif %}
 {%- if TLS_993 and PORT_993 %}
   inet_listener imaps {
     port = 993
@@ -119,14 +117,12 @@ service imap-login {
 }
 
 service pop3-login {
-{%- if PORT_110 %}
   inet_listener pop3 {
-    port = 110
+    port = {% if PORT_110 %}110{% else %}0{% endif %}
 {%- if PROXY_PROTOCOL_110 %}
     haproxy = yes
 {% endif %}
   }
-{% endif %}
 {%- if TLS_995 and PORT_995 %}
   inet_listener pop3s {
     port = 995
@@ -148,14 +144,9 @@ service lmtp {
 
 service submission-login {
    inet_listener submission {
-{%- if PORT_587 %}
-    port = 587
+    port = {% if PORT_587 %}587{% else %}0{% endif %}
 {%- if PROXY_PROTOCOL_587 %}
     haproxy = yes
-{% endif %}
-{%- else %}
-# if the section is unset the port is bound anyways
-   port = 0
 {% endif %}
    }
 {%- if TLS_465 and PORT_465 %}
diff --git a/towncrier/newsfragments/3307.bugfix b/towncrier/newsfragments/3307.bugfix
new file mode 100644
index 00000000..3639e430
--- /dev/null
+++ b/towncrier/newsfragments/3307.bugfix
@@ -0,0 +1 @@
+Ensure that ports that do not feature in PORTS are not bound