On 27 Jul 2019 at 14:30, Stephan Bosch <stephan@rename-it.nl> wrote:

On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,

I'm having trouble configuring the submission proxy.

I have configured the submission service as follows:

submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes

My main issue is that until I log in, dovecot-submission won't connect to the backend and query the capabilities, and so won't report the right capabilities.

That means that the first EHLO message doesn't get the right capabilities list.

"
EHLO example.com

250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
"

This list doesn't contain VRFY or DSN, and SIZE is not specified (all of these are present in the backend EHLO response).
After login, if I send a new EHLO command, everything is properly reported. The raw log shows that, unlike what the documentation says,
dovecot doesn't try to connect to the backend until the user is properly logged in.

In my raw log I see that after I log in to dovecot-submission, the latter opens a connection to the backend and sends an XCLIENT command.


Now, if I try to force the capabilities by using:

submission_backend_capabilities = VRFY 8BITMIME DSN

dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting the XCLIENT command to the backend
and tries to simply forward the commands without authentication, which results in postfix rejecting the command with an unauthorized user error.

What is wrong with my configuration?
Thanks.

Can you send us your complete configuration (output from `dovecot -n`)?

Yes (see below).

Some additional information:

===============

When I connect directly to dovecot-submission using nc and send an EHLO command, I get the following result (the SIZE is configured in the dovecot config, that's why it is properly announced), but no raw log is generated at all.

$ nc smtp.example.com 587

220 smtp.example.com Dovecot ready.
EHLO mydomain.com
250-smtp.example.com
250-8BITMIME
250-AUTH 
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE 41943040
250-STARTTLS
250 PIPELINING
QUIT
221 2.0.0 Bye

===============

Ditto if I use openssl s_client -starttls smtp -crlf -connect smtp.example.com:587 and send the EHLO after STARTTLS.

===============

For the record, here is the result of a direct connect to postfix:

$ nc 127.0.0.1 8587
220 smtp.example.com ESMTP Postfix
EHLO example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8

===============

And here is the content of the raw logs when a mail is sent.

======== rawlog.in

1564258521.813430 220 smtp.example.com ESMTP Postfix
1564258521.814206 250-smtp.example.com
1564258521.814206 250-PIPELINING
1564258521.814206 250-SIZE 41943040
1564258521.814206 250-VRFY
1564258521.814206 250-ETRN
1564258521.814206 250-STARTTLS
1564258521.814206 250-AUTH PLAIN LOGIN
1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.814206 250-ENHANCEDSTATUSCODES
1564258521.814206 250-8BITMIME
1564258521.814206 250-DSN
1564258521.814206 250 SMTPUTF8
1564258521.848159 220 smtp.example.com ESMTP Postfix
1564258521.849506 250-smtp.example.com
1564258521.849506 250-PIPELINING
1564258521.849506 250-SIZE 41943040
1564258521.849506 250-VRFY
1564258521.849506 250-ETRN
1564258521.849506 250-STARTTLS
1564258521.849506 250-AUTH PLAIN LOGIN
1564258521.849506 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.849506 250-ENHANCEDSTATUSCODES
1564258521.849506 250-8BITMIME
1564258521.849506 250-DSN
1564258521.849506 250 SMTPUTF8
1564258521.854093 250 2.1.0 Ok
1564258521.909487 250 2.1.5 Ok
1564258521.983093 354 End data with <CR><LF>.<CR><LF>
1564258522.115312 250 2.0.0 Ok: queued as DDBCCD53B

======== rawlog.out

1564258521.813739 EHLO smtp.example.com
1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66
1564258521.848701 EHLO smtp.example.com
1564258521.850122 MAIL FROM:<service@example.com> AUTH=info
1564258521.889896 RCPT TO:<jddupas@xooloo.com>
1564258521.981094 DATA
1564258521.983757 Received: from [10.188.153.106] ([46.193.33.66])
1564258521.983757  by smtp.example.com with ESMTPSA
1564258521.983757  id cSDvMtmwPF14TAAABU9jsA
1564258521.983757  (envelope-from <service@example.com>)
1564258521.983757  for <jddupas@xooloo.com>; Sat, 27 Jul 2019 22:15:21 +0200
1564258521.984065 From: Jean-Daniel Dupas <service@example.com>
1564258521.984065 Content-Type: text/plain
1564258521.984065 Content-Transfer-Encoding: 7bit
1564258521.984065 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
1564258521.984065 Subject: Send test
1564258521.984065 Message-Id: <827EAD17-6C27-4BDF-AD94-F106E37745C1@example.com>
1564258521.984065 Date: Sat, 27 Jul 2019 22:15:19 +0200
1564258521.984065 To: Jean-Daniel Dupas <jddupas@xooloo.com>
1564258521.984065 X-Mailer: Apple Mail (2.3445.104.11)
1564258521.984065 
1564258521.984280 .
1564258543.105429 QUIT


================== doveconf -n

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.15.0-55-generic x86_64 Ubuntu 18.04.2 LTS 
# Hostname: example.com
auth_mechanisms = plain login
auth_verbose = yes
hostname = smtp.example.com
imap_hibernate_timeout = 1 mins
mail_attribute_dict = file:%h/metadata
mail_gid = vmail
mail_location = mdbox:~/mail
mail_plugins = fts fts_xapian
mail_server_admin = mailto:sysadmin@example.com
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location = 
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  fts = xapian
  fts_autoindex = yes
  fts_autoindex_exclude = \Junk
  fts_autoindex_exclude2 = \Trash
  fts_enforced = yes
  fts_languages = fr en
  fts_xapian = partial=2 full=20
  imapsieve_mailbox1_before = file:/var/lib/vmail/imapsieve/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/var/lib/vmail/imapsieve/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/var/lib/vmail/imapsieve/unflag.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Trash
  plugin = fts fts_xapian
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /var/lib/vmail/sieve-after
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /var/lib/vmail/sieve-pipe
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
postmaster_address = 
protocols = " imap lmtp sieve submission"
recipient_delimiter = -
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service doveadm {
  vsz_limit = 1 G
}
service imap-hibernate {
  unix_listener imap-hibernate {
    group = vmail
    mode = 0660
  }
  user = vmail
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 2
}
service imap {
  unix_listener imap-master {
    user = vmail
  }
}
service indexer-worker {
  vsz_limit = 1 G
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = localhost
  }
}
service submission-login {
  inet_listener submissions {
    haproxy = no
    port = 465
    reuse_port = no
    ssl = yes
  }
}
ssl_alt_cert = </var/lib/acme/imap.example.com/rsa/cert.pem
ssl_alt_key = # hidden, use -P to show it
ssl_cert = </var/lib/acme/imap.example.com/ecdsa/cert.pem
ssl_cipher_list = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.1
ssl_prefer_server_ciphers = yes
submission_host = smtp.example.com
submission_max_mail_size = 40 M
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_trusted = yes
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = fts fts_xapian sieve
}
protocol imap {
  imap_metadata = yes
  mail_max_userip_connections = 25
  mail_plugins = fts fts_xapian imap_zlib imap_sieve
  namespace inbox {
    location = 
    mailbox Junk {
      autoexpunge = 30 days
    }
    mailbox Trash {
      autoexpunge = 30 days
    }
    prefix = 
  }
}

Regards,

Stephan.
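To make the comparison done in this thread repeatable, here is an added Python example (not Dovecot or Postfix code) that parses two EHLO replies and lists every backend capability the proxy fails to announce, or announces with different parameters; it reports all differences, not only the three noted above. The sample replies are constructed from the ones quoted in the thread, and the hop-by-hop capability set is an assumption.

```python
from typing import Dict, List

# Constructed samples taken from the EHLO replies quoted in this thread.
PROXY_EHLO = (
    "250-smtp.example.com\r\n250-8BITMIME\r\n250-AUTH PLAIN LOGIN\r\n"
    "250-BURL imap\r\n250-CHUNKING\r\n250-ENHANCEDSTATUSCODES\r\n"
    "250-SIZE\r\n250 PIPELINING\r\n"
)
BACKEND_EHLO = (
    "250-smtp.example.com\r\n250-PIPELINING\r\n250-SIZE 41943040\r\n"
    "250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n"
    "250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250-DSN\r\n250 SMTPUTF8\r\n"
)
# Hop-by-hop capabilities between proxy and backend that a proxy should not
# relay to its clients (assumption: this set fits the deployment above).
HOP_BY_HOP = {"STARTTLS", "XCLIENT", "ETRN"}


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}.

    RFC 5321: intermediate lines use '250-', the final line '250 ' (space);
    the first line carries the server's domain rather than a capability.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    caps: Dict[str, List[str]] = {}
    for i, line in enumerate(lines):
        last = i == len(lines) - 1
        if not line.startswith("250") or line[3:4] != (" " if last else "-"):
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        if i == 0:
            continue  # greeting line, e.g. "250-smtp.example.com"
        keyword, *params = line[4:].split()
        caps[keyword.upper()] = params
    return caps


def capability_gaps(proxy_reply: str, backend_reply: str) -> Dict[str, str]:
    """Report backend capabilities the proxy does not announce, or announces
    with different parameters (e.g. SIZE without its byte limit)."""
    proxy, backend = parse_ehlo(proxy_reply), parse_ehlo(backend_reply)
    gaps: Dict[str, str] = {}
    for keyword, params in backend.items():
        if keyword in HOP_BY_HOP:
            continue
        if keyword not in proxy:
            gaps[keyword] = "missing"
        elif proxy[keyword] != params:
            gaps[keyword] = f"params {proxy[keyword]} != {params}"
    return gaps
```

Run `capability_gaps(PROXY_EHLO, BACKEND_EHLO)` against the two transcripts to see the pre-login gaps (VRFY, DSN and SMTPUTF8 missing, SIZE announced without its limit); to check a live server, feed it the reply text captured with nc or openssl s_client.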