Hi Jacky,
if postfix did not log a specific error to your maillog you could change smtpd to smtpd -v in master.cf to get more debug output or use debug_peer_list to see what smtp commands are sent:
http://www.postfix.org/DEBUG_README.html
Typically smtp auth looks like this:
S: 220 smtp.example.com ESMTP server ready C: EHLO jgm.example.com S: 250-smtp.example.com S: 250 AUTH CRAM-MD5 DIGEST-MD5 C: AUTH FOOBAR S: 504 Unrecognized authentication type.
or
C: AUTH CRAM-MD5 S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4= C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ== S: 235 Authentication successful.
C = client, S = server
Depending on your setup the password (maybe base64 encoded) or hash must also be sent for verification.
Or you could try to authenticate with a master user for all connections by setting
submission_relay_master_user = submission_relay_password =
in dovecot, see https://wiki.dovecot.org/Submission
Best regards Gerald
Am 09.01.2019 um 11:08 schrieb Jacky jacky@jesstech.com:
Hi Gerald,
in my postfix/main.cf
smtpd_sasl_authenticated_header = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client broken_sasl_auth_clients = yes
I am already using dovecot for SASL
The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM
MAIL FROM:jacky@xxx.com AUTH=jacky@xxx.com SIZE=1430
But, it seems that postfix does not accept the AUTH= parameter and reject the sender as no logged in.
Best regards,
Jacky
On 9/1/2019 5:49 PM, Gerald Galster wrote:
Hi Jacky,
in postfix/main.cf you typically set something like
smtpd_sasl_auth_enable=yes smtpd_sasl_type=cyrus smtpd_sasl_exceptions_networks=$mynetworks smtpd_sasl_security_options=noanonymous smtpd_sasl_authenticated_header=yes broken_sasl_auth_clients=yes smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended
postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.
http://www.postfix.org/SASL_README.html https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
Best regards Gerald
Am 09.01.2019 um 10:15 schrieb Jacky jacky@jesstech.com:
Hi,
Anyone know how to enable this SMTP AUTH feature with Postfix?
Regards,
Jacky
On 7/4/2018 3:40 AM, Paul Hecker wrote:
Hi,
On 6. Apr 2018, at 18:58, Odhiambo Washington odhiambo@gmail.com wrote:
Hi Paul,
Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim?? here the steps I have done to integrate Dovecot submission in Exim:
- Create and set the acl_smtp_mailauth ACL:
acl_smtp_mailauth = acl_check_mailauth
acl_check_mailauth: accept hosts = <; 127.0.0.1 ; ::1 condition = ${if eq{$interface_port}{10025}} log_message = Will accept MAIL AUTH parameter for $authenticated_sender deny
add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
deny condition = ${if eq{$interface_port}{10025}} condition = ${if eq{$authenticated_sender}{}} message = All connections on port $interface_port need MAIL AUTH sender
in Dovecot, add the following submission parameters
submission_relay_port = 10025 submission_relay_ssl = starttls submission_relay_ssl_verify = no
All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:
https://wiki.dovecot.org/Submission
Feel free is you have any further questions.
Regards, Paul
I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
Thanks in advance.
On 6 April 2018 at 19:15, Paul Hecker paul@iwascoding.com wrote: Hi,
Thanks you very much. This did the trick!
On 6. Apr 2018, at 15:56, Stephan Bosch stephan@rename-it.nl wrote:
Op 6-4-2018 om 13:52 schreef Paul Hecker: > Hi, > > Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me). > > In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost). > > Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password? > > You can find my config here: > > https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8 That would be possible using the following SMTP AUTH feature:
https://tools.ietf.org/html/rfc4954#section-5
Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box. Here is what I did:
I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently. I can confirm that it works (only with TLS with my current configuration, see above).
I can try this in a few days. Feel free to experiment with this yourself.
Regards,
Stephan. Thanks again, Paul
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."