Thanks for the reply, postfix + dovecot sasl configured and working properly. My question is about "adding dovecot authentication when sending emails via submission_host".

Let's say we have dovecot + sieve plugin container.

Dovecot configured to use remote SMTP submission host to send messages:

submission_host = postfix.example.com:587

User foo@example.com has the following sieve script:

require ["fileinto", "copy", "vacation", "date", "relational"] ;

redirect :copy "bar@example.com";

keep;

baz@example.com sending email to foo@example.com

dovecot lmtp log:

lmtp(foo@example.com)<7670><QTsrNZjdxmP2HQAAaVGrHw>: Info: sieve: msgid=<63fce409f26b1a67785a475a00034a05@mail.example.com>: redirect action: failed to redirect message to <bar@example.com>: smtp(postfix.example.com:587): RCPT TO failed: 554 5.7.1 <bar@example.com>: Recipient address rejected: Access denied (permanent failure)

lmtp(foo@example.com)<7670><QTsrNZjdxmP2HQAAaVGrHw>: Info: sieve: msgid=<63fce409f26b1a67785a475a00034a05@mail.example.com>: stored mail into mailbox 'INBOX'

lmtp(foo@example.com)<7670><QTsrNZjdxmP2HQAAaVGrHw>: Info: sieve: Execution of script /var/dovecot/example.com/foo/foo.sieve failed, but implicit keep was successful (user logfile /var/dovecot/example.com/foo/foo.sieve.log may reveal additional details)

sieve.log

error: msgid=<63fce409f26b1a67785a475a00034a05@mail.example.com>: redirect action: failed to redirect message to <bar@example.com>: smtp(postfix.example.com:587): RCPT TO failed: 554 5.7.1 <bar@example.com>: Recipient address rejected: Access denied (permanent failure).

postfix log:

NOQUEUE: reject: RCPT from unknown[10.0.1.4]: 554 5.7.1 <bar@example.com>: Recipient address rejected: Access denied; from=<baz@example.com> to=<bar@example.com>

redirect :copy action failed, its expected behavior, dovecot do not auth when sending email via submisson_host.

If there is setting like

submission_host_master_user = master@example.com

submission_host_master_password = masterpass

to do authentication as master user in postfix who can send email as any user...

От: dovecot <dovecot-bounces@dovecot.org> от имени dovecot@ptld.com <dovecot@ptld.com>
Отправлено: 17 января 2023 г. 18:25
Кому: dovecot@dovecot.org <dovecot@dovecot.org>
Тема: Re: submission_host auth

> When using dovecot container with sieve plugin there is no sendmail to use for sending email for sieve redirect action for example. We can use submission_host instead https://doc.dovecot.org/settings/core/#core_setting-submission_host but there is no way to specify credentials for auth in remote MTA. Submission_relay_* settings e.g. submission_relay_master_user relate to dovecot submission service. Using something like permit_mynetworks in remote MTA is not acceptable for security reasons.
>
> Is it possible to add authorization in the remote MTA using submission_host?

You start the auth service in dovecot, then tell the MTA to use it.
For example, if you use postfix this explains how:

https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/