Yes Dovecot will proxy the connection to the real MTA. My question is why authentication is always required on Dovecot when submission is used, as MTAs usually have an option to allow non-authenticated relaying.

I am quite curious about the circumstances of this question. I was not aware that Dovecot actually offered mail submission service. If Dovecot does offer such a service, then it will have to relay the submitted mail to the real MTA, which is very likely not Dovecot. At the moment I have Postfix set up as MTA for that purpose —

Relaying on port 25 is usually quick and easy to whitelist for certain permitted hosts, but otherwise port 587, optionally with STARTTLS, and/or port 465 with SSL/TLS is generally set up for user authenticated mail submissions.

See also:
https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/

On July 28, 2021 6:10:28 AM AKDT, Dan Conway <darkc0de@archnix6.net> wrote:

Hello,

Is it possible to disable the requirement for authentication on the 
submission service? I'm trying to require authentication for all, except 
for a handful of IP addresses.

Thank you.


ehlo test.com
250-aaa
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-DSN
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
MAIL FROM:<test@test.com>
530 5.7.0 Authentication required.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.