On 03/11/2020 12:31 Piotr Auksztulewicz <dcml@hasiok.net> wrote:

On Mon, Nov 02, 2020 at 09:33:08PM +0100, R. Diez wrote:

...

OK, so I gather that the Submission Server cannot do that (yet).

And probably would never do. It isn't its job description.

Actually, it is just a convenience/workaround feature, which comes handy only if your own MTA cannot handle dovecot's SASL authentication (must be something real strange) or there are some integration/security/policy issue perceived (but I cannot think of any, actually). In this case you can set up dovecot's submission server, which uses dovecot's authentication settings, so you have single source of authentication, and whitelist dovecot IP address in your MTA so it accepts anything that dovecot's submission server lets through. But I don't think it is a good idea personally, it is more open to exploitation this way, unless the address is 127.0.0.1, in which case you can simply set up SASL over Unix sockets, which is as secure as your host server is.

Submission service is not only a proxy, it

• provides authentication natively from Dovecot
• provides features like BURL, and maybe in future outbound Sieve

but it does require real MTA behind.

-- Aki