auth between postfix and dovecot?
Shawn Heisey
elyograg at elyograg.org
Sat Apr 23 14:08:32 UTC 2022
On 4/22/2022 10:35 PM, ミユナ (alice) wrote:
> my question is:
>
> when postfix talks to dovecot, does it require user's
> username/password for authentication? or this communication just goes
> without authentication?
>
> I asked this, b/c my webmail send mail from localhost has been going
> without authentication to postfix. so I am not sure if postfix talks
> to dovecot without requiring auth too.

My setup is virtual users in a postfixadmin database. Dovecot does all
authentication, even with postfix. I believe the config snippets I have
included below are the relevant things that make it possible for postfix
to talk to dovecot for mail delivery and authentication.

Mail sent from localhost on port 25 does not require authentication on
my system, because 127.0.0.0/8 is in postfix's mynetworks config and
port 25's access restrictions include permit_mynetworks. Anything sent
via submission (port 587) does require auth, even from trusted
networks. If you can configure your webmail to use submission instead
of smtp, maybe that can be authenticated. You'll need to consult
support resources for your webmail to see if that is possible. I can
say for sure that roundcube can do it ... I have roundcube configured to
talk to port 587, which as mentioned, ALWAYS requires authentication.

When postfix sends mail to dovecot for delivery, I'm pretty sure that
happens without authentication. It's LMTP via unix socket, not
something an outside client can access directly.

# In 10-master.conf
service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }
}

service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

# In 10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain
!include auth-sql.conf.ext

# In postfix master.cf
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)

# In postfix main.cf
# Use Dovecot to authenticate.
smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

# Tell postfix to hand off mail to the definition for dovecot in master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
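
Added example, not part of the original post or of Postfix itself: a simplified Python model of first-match restriction evaluation, showing why a localhost client is accepted on port 25 without auth while port 587 rejects the same client until it authenticates. The restriction lists, the hosted domain and the function names are assumptions; the post only states that port 25 includes permit_mynetworks and that submission always requires auth.

```python
import ipaddress

# Constructed values modelled on the post: loopback is in mynetworks.
MYNETWORKS = ["127.0.0.0/8"]
LOCAL_DOMAINS = {"example.org"}  # hypothetical domain this server hosts

# Assumed restriction lists (not shown in the post), using real Postfix
# restriction names. Port 587 has no permit_mynetworks on purpose.
RESTRICTIONS = {
    25: ["permit_mynetworks", "reject_unauth_destination"],
    587: ["permit_sasl_authenticated", "reject"],
}


def in_mynetworks(client_ip, networks=MYNETWORKS):
    """True if the client address falls inside any trusted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def evaluate(port, client_ip, authenticated, rcpt_domain):
    """Walk the list in order; the first rule that decides wins."""
    for rule in RESTRICTIONS[port]:
        if rule == "permit_mynetworks" and in_mynetworks(client_ip):
            return ("permit", rule)
        if rule == "permit_sasl_authenticated" and authenticated:
            return ("permit", rule)
        if rule == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return ("reject", rule)
        if rule == "reject":
            return ("reject", rule)
    # No rule rejected, so the mail is accepted.
    return ("permit", "end of list")


if __name__ == "__main__":
    cases = [
        (25, "127.0.0.1", False, "elsewhere.example"),    # webmail on localhost
        (25, "203.0.113.7", False, "elsewhere.example"),  # outside relay attempt
        (25, "203.0.113.7", False, "example.org"),        # inbound mail for us
        (587, "127.0.0.1", False, "elsewhere.example"),   # localhost, no auth
        (587, "127.0.0.1", True, "elsewhere.example"),    # localhost, after AUTH
    ]
    for case in cases:
        print(case, "->", evaluate(*case))
```
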