I'm trying to set up dovecot-submission server which will listen on external ports 465 (SSL) and 587 (StartTLS) and relay mail to sendmail waiting on localhost port 587.
I have dovecot submission listening on the external ports and sendmail listening on the localhost port.
I want dovecot-submission doing the authentication on the external ports because sendmail doesn't use the /etc/dovecot/users file.
I can authenticate to dovecot:
auth: Debug: client in: CONT<hidden>
auth: Debug: passwd-file(mgrant@top.networkguild.org,217.35.29.56,<blablabla>): Performing passdb lookup
auth: Debug: passwd-file(mgrant@top.networkguild.org,217.35.29.56,<blablabla>): lookup: user=mgrant@top.networkguild.org file=/etc/dovecot/users
auth: Debug: passwd-file(mgrant@top.networkguild.org,217.35.29.56,<blablabla>): Finished passdb lookup
auth: Debug: auth(mgrant@top.networkguild.org,217.35.29.56,<blablabla>): Auth request finished
auth: Debug: client passdb out: OK 1 user=mgrant@top.networkguild.org
But in the sendmail logs, dovecot *is* trying to authenticate and it's trying to use a username that sendmail can't look up in the password file:
top sm-mta[1012721]: 39KCg8h31012721: --- 220 top.networkguild.org ESMTP Sendmail 8.17.2/8.17.2/Debian-1~bpo12+1; Fri, 20 Oct 2023 12:42:08 GMT; (No UCE/UBE) logging access from: localhost(OK)-localhost [IPv6:0:0:0:0:0:0:0:1]
top sm-mta[1012721]: 39KCg8h31012721: <-- EHLO top.networkguild.org
top sm-mta[1012721]: 39KCg8h31012721: --- 250-top.networkguild.org Hello localhost [IPv6:0:0:0:0:0:0:0:1], pleased to meet you
top sm-mta[1012721]: 39KCg8h31012721: --- 250-ENHANCEDSTATUSCODES
top sm-mta[1012721]: 39KCg8h31012721: --- 250-PIPELINING
top sm-mta[1012721]: 39KCg8h31012721: --- 250-EXPN
top sm-mta[1012721]: 39KCg8h31012721: --- 250-VERB
top sm-mta[1012721]: 39KCg8h31012721: --- 250-8BITMIME
top sm-mta[1012721]: 39KCg8h31012721: --- 250-SIZE
top sm-mta[1012721]: 39KCg8h31012721: --- 250-AUTH DIGEST-MD5 CRAM-MD5
top sm-mta[1012721]: 39KCg8h31012721: --- 250-STARTTLS
top sm-mta[1012721]: 39KCg8h31012721: --- 250-DELIVERBY
top sm-mta[1012721]: 39KCg8h31012721: --- 250 HELP
top sm-mta[1012721]: 39KCg8h31012721: <-- MAIL FROM:mgrant@top.networkguild.org AUTH=mgrant@top.networkguild.org
top sm-mta[1012721]: 39KCg8h31012721: --- 530 5.7.0 Authentication required
top dovecot: submission(mgrant@top.networkguild.org)<1012719><blablabla>: Error: Relay server requires authentication: 530 5.7.0 Authentication required
top dovecot: submission(mgrant@top.networkguild.org)<1012719><blablabla>: Disconnected: Internal error occurred. Refer to server log for more information. (unfinished MAIL command) (state=MAIL FROM) in=41 out=121
top sm-mta[1012721]: 39KCg8h31012721: <-- QUIT
How do I stop dovecot from proposing AUTH to the relay server?
Once I am authenticated via dovecot, the relay, which is only available on localhost, doesn't need to authenticate. It should be as if bin-mail is submitting to localhost.
I tried setting up a user with a password but no shell and configuring this in submission_relay_master_user and submission_relay_password, but this leads to other problems. Dovecot wants to do PLAIN auth, so I then enable starttls, but then the ssl certificate doesn't match because I'm connecting to localhost, not top.networkguild.org. So it seems clear, the relay should a) not auth, and b) not do ssl.
Note that this is not an open relay, it's only open on the loopback interface.
Michael Grant
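The sendmail transcript above shows exactly the exchange Dovecot's submission service has with its relay: EHLO, then MAIL FROM carrying an AUTH= parameter, then a 530 from the relay. The following is an added example, not code from the original post, Dovecot or sendmail: a small probe that repeats that exchange against a relay endpoint and reports whether the relay advertises AUTH and STARTTLS and whether it accepts an unauthenticated MAIL FROM. It sends no message (nothing after MAIL FROM). Because the test must run offline, the block also includes a constructed stand-in relay that answers like the sendmail MSA in the log; the hostnames, ports and the "probe.example" EHLO name are assumptions. Run against a loopback-only relay from the mail host itself to confirm it behaves as intended, and from another host to confirm it is not reachable at all.

```python
"""Probe an SMTP relay the way Dovecot submission talks to it (EHLO, then
MAIL FROM with the AUTH= parameter) and report whether the relay demands
authentication.  Added example; not Dovecot's or sendmail's own code."""
import smtplib
import socketserver
import threading


def probe_relay(host, port, mail_from, timeout=10):
    """Return a dict describing the relay's EHLO capabilities and its reply to
    an unauthenticated MAIL FROM.  Dovecot submission adds AUTH=<login> to
    MAIL FROM when the relay advertises AUTH, so the probe does the same."""
    result = {}
    # local_hostname is fixed so smtplib does not do a DNS lookup for EHLO.
    with smtplib.SMTP(host, port, local_hostname="probe.example",
                      timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        result["ehlo_code"] = code
        result["advertises_auth"] = smtp.has_extn("auth")
        result["advertises_starttls"] = smtp.has_extn("starttls")
        options = [f"AUTH={mail_from}"] if result["advertises_auth"] else []
        code, msg = smtp.mail(mail_from, options=options)
        result["mail_from_code"] = code
        result["mail_from_reply"] = msg.decode(errors="replace")
        # 530 5.7.0 is the "Authentication required" reply seen in the log.
        result["requires_auth"] = code == 530
        # No RCPT/DATA: the probe never submits a message.  QUIT is sent by
        # the context manager on exit.
    return result


class FakeRelay(socketserver.StreamRequestHandler):
    """Constructed stand-in for the sendmail MSA in the transcript: greets,
    advertises AUTH and STARTTLS, and answers MAIL FROM with 530 when
    require_auth is set, otherwise with 250."""
    require_auth = True

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 relay.test ESMTP constructed-relay")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            words = line.split()
            verb = words[0].upper() if words else b""
            if verb == b"EHLO":
                self.reply("250-relay.test Hello probe, pleased to meet you")
                self.reply("250-AUTH DIGEST-MD5 CRAM-MD5")
                self.reply("250-STARTTLS")
                self.reply("250 HELP")
            elif verb == b"MAIL":
                if self.require_auth:
                    self.reply("530 5.7.0 Authentication required")
                else:
                    self.reply("250 2.1.0 Sender ok")
            elif verb == b"RSET":
                self.reply("250 2.0.0 Reset state")
            elif verb == b"QUIT":
                self.reply("221 2.0.0 relay.test closing connection")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


def start_fake_relay(require_auth=True):
    """Start the constructed relay on an ephemeral loopback port.
    Returns (server, port); call server.shutdown() when done."""
    handler = type("Handler", (FakeRelay,), {"require_auth": require_auth})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Demonstrate both relay behaviours against the constructed relay.
    for require_auth in (True, False):
        server, port = start_fake_relay(require_auth)
        print(require_auth, probe_relay("127.0.0.1", port,
                                        "mgrant@top.networkguild.org"))
        server.shutdown()
        server.server_close()
    # For a real relay: probe_relay("localhost", 587, "user@example.test")
```

The probe reports only what the relay states about itself; a 250 to MAIL FROM without AUTH means that listener relays for any process that can reach it, which is acceptable on loopback only as long as nothing but loopback can connect. Dovecot's own relay connection can be captured in the same detail with the submission_relay_rawlog_dir setting, which is the quickest way to compare what Dovecot actually sends with what this probe sends.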