submission_host auth
k v
sintensa at outlook.com
Wed Jan 18 05:38:45 UTC 2023
> There is no way for a forwarded email to SASL authenticate because no one is logged in or involved in the process of LMTP receiving mail for delivery from "the world". How is the MTA supposed to know the SASL password for staff at work.com?
dovecot auth with "master user" when sending emails via submission_host;
postfix:
1. Using smtpd_sender_login_maps, allow the master user to send messages with any MAIL FROM, like this:
smtpd_sender_login_maps = regexp:/etc/postfix/login_map.regexp
---
login_map.regexp:
/^master at example.com$/ .*
OR
2. In postfix master.cf, declare a dedicated submission port allowed only for dovecot, without reject_sender_login_mismatch, like this:
2525 inet n - n - - smtpd
  -o smtpd_helo_restrictions=permit_sasl_authenticated
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit_sasl_authenticated
I think it's better than
# whole subnet, container ip assigned dynamically :(
mynetworks = 10.0.1.0/24
with
smtpd_sender_restrictions =
    permit_mynetworks
smtpd_relay_restrictions =
    permit_mynetworks
As for SPF in the described scenario, you are right, SPF will be broken. Well... it's an implementation feature.
________________________________
From: dovecot <dovecot-bounces at dovecot.org> on behalf of dovecot at ptld.com <dovecot at ptld.com>
Sent: January 17, 2023 23:18
To: dovecot at dovecot.org <dovecot at dovecot.org>
Subject: Re: submission_host auth
> Let's say we have dovecot + sieve plugin container.
> Dovecot configured to use remote SMTP submission host to send messages:
> submission_host = postfix.example.com:587
I reviewed my config to see how I did it. I think you are right and SASL isn't used here. I have dovecot and postfix on the same machine and in dovecot I set
submission_host = localhost:25
Then in my sieve filters I set
sieve_redirect_envelope_from = sender
I use SPF, DKIM, and DMARC
To test this I have (fictitious) staff at work.com with a forward filter to personal at home.com
I sent an email from customer at random.com to staff at work.com
The @work.com server then sends a forwarded email to personal at home.com with To:staff at work.com and From:customer at random.com
Checking the @home.com logs, I can see that SPF failed because the @work.com server sent an email from @random.com; however, it had valid DKIM signatures from both @work.com and @random.com, so DMARC passed and the email was accepted.
I guess if the @random.com mail server only implemented SPF and did not include a DKIM signature and DMARC policy then the @home.com server would have rejected the forwarded email.
I know this might not be the best solution you are looking for, but it is the best I could figure out to allow sieve forwarding. There is no way for a forwarded email to SASL authenticate because no one is logged in or involved in the process of LMTP receiving mail for delivery from "the world". How is the MTA supposed to know the SASL password for staff at work.com?
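The SPF/DKIM/DMARC outcome reported in the quoted message, as an added example that is not part of either post: a simplified DMARC identifier-alignment check (RFC 7489) run over the work.com / random.com / home.com forwarding case. Assumptions: random.com publishes a DMARC policy, the organizational domain is approximated as the last two labels (real evaluators use the Public Suffix List), and the second and third scenarios are constructed here and do not come from the thread.

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Relaxed alignment compares organizational domains; strict needs equality."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str      # domain in the From: header (what DMARC protects)
    envelope_from: str    # domain in MAIL FROM (what SPF evaluates)
    spf_pass: bool        # did the sending IP pass SPF for envelope_from?
    dkim: list = field(default_factory=list)  # (d= domain, signature verified)

def dmarc(msg):
    """DMARC passes if SPF or DKIM passes AND is aligned with From:."""
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from)
    dkim_ok = any(ok and aligned(d, msg.header_from) for d, ok in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed samples for the forward from work.com to home.com.
# 1. Case from the thread: envelope sender kept, both DKIM signatures verify.
KEEP_SENDER = Message("random.com", "random.com", False,
                      [("random.com", True), ("work.com", True)])
# 2. random.com does not sign: only the forwarder's (unaligned) signature.
NO_ORIGIN_DKIM = Message("random.com", "random.com", False,
                         [("work.com", True)])
# 3. Envelope rewritten to work.com: SPF passes but is not aligned with From:.
REWRITTEN_ENVELOPE = Message("random.com", "work.com", True,
                             [("work.com", True)])

if __name__ == "__main__":
    for name, m in [("keep sender", KEEP_SENDER),
                    ("no origin DKIM", NO_ORIGIN_DKIM),
                    ("rewritten envelope", REWRITTEN_ENVELOPE)]:
        print(f"{name:20s} {dmarc(m)}")
```

The forwarder's own DKIM signature and a passing SPF result for a rewritten envelope both fail alignment with From:, so only the original sender's surviving DKIM signature carries DMARC through the forward.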