Disable authentication for submission service
Hello,
Is it possible to disable the requirement for authentication on the submission service? I'm trying to require authentication for all, except for a handful of IP addresses.
Thank you.
ehlo test.com
250-aaa
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-DSN
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
MAIL FROM:<test@test.com>
530 5.7.0 Authentication required.
I am quite curious about the circumstances of this question. I was not aware that Dovecot actually offered mail submission service. If Dovecot does offer such a service, then it will have to relay the submitted mail to the real MTA, which is very likely not Dovecot. At the moment I have Postfix set up as MTA for that purpose —
Relaying on port 25 is usually quick and easy to whitelist for certain permitted hosts, but otherwise port 587, optionally with STARTTLS, and/or port 465 with SSL/TLS is generally set up for user authenticated mail submissions.
See also: https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/
On July 28, 2021 6:10:28 AM AKDT, Dan Conway darkc0de@archnix6.net wrote:
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Yes Dovecot will proxy the connection to the real MTA. My question is why authentication is /always/ required on Dovecot when submission is used, as MTAs usually have an option to allow non-authenticated relaying.
On 7/28/21 10:19 AM, justina colmena ~biz wrote:
On 28.07.2021 at 19:08, Dan Conway wrote:
Yes Dovecot will proxy the connection to the real MTA. My question is why authentication is /always/ required on Dovecot when submission is used, as MTAs usually have an option to allow non-authenticated relaying.
And relaying without authentication is a bad thing you should avoid.
Alexander
"Dan" == Dan Conway darkc0de@archnix6.net writes:
Are you sure? I know that postfix can use the same backend database for authentication as dovecot, and dovecot can be the master, but dovecot does NOT listen on port 25 or 587 at all, those are all just used by Postfix.
Are you sure? I know that postfix can use the same backend database for authentication as dovecot, and dovecot can be the master, but dovecot does NOT listen on port 25 or 587 at all, those are all just used by Postfix.
Not true anymore. Dovecot added a submission service in a recent version. Dovecot can listen on 587, take the email, and pass it on to postfix to then go out to the world.
Definitely possible - just not sure of the desired use case for this.
But given the devs did it, there must be some demand…
https://doc.dovecot.org/admin_manual/submission_server/
On 28 Jul 2021, at 11:18, John Stoffel wrote:
On Wednesday, 28 July 2021 19:08:17 CEST, Dan Conway wrote:
Yes Dovecot will proxy the connection to the real MTA. My question is why authentication is /always/ required on Dovecot when submission is used, as MTAs usually have an option to allow non-authenticated relaying.
I thought that mandatory authentication is the whole point of having mail submission on a port other than 25. But looking at the RFC: https://datatracker.ietf.org/doc/html/rfc6409#section-4.3 It says that authorization by other means (being within a protected subnetwork) is possible.
Anyway, as Dovecot ultimately passes the mail to the MTA, it is much easier to make the unauthenticated IP relay list in the MTA, and submit on port 25.
Or is there something special you want Dovecot to do with those mails?
-- Best Regards Vladislav Kurz
On 2021-07-29 10:12, Vladislav Kurz wrote:
I thought that mandatory authentication is the whole point of having mail submission on other port than 25. But looking at the RFC: https://datatracker.ietf.org/doc/html/rfc6409#section-4.3 It says that authorization by other means (being within a protected subnetwork) is possible.
From the time of pop-before-smtp, RFC 1918 has always worked for all: when a single IP could open up SMTP auth for multiple RFC 1918 IPs, in that time frame they could relay all the mails without any need to provide any password for it.
Hopefully no one would like to see this back.
Not even on IPv6, btw.
Anyway, as dovecot ultimately passes the mail to MTA, it is much easier to make the unauthenticated IP relay list in MTA, and submit on port 25.
It could still be another port than 25 there; it will be a mess to mix outbound and inbound on the same port.
Or is there something special you want doevecot to do with those mails?
Hopefully no. I think Dovecot has submission for director hosts to still use one single MTA server for outbound, not to change how end users use it.
On 2021-07-28 19:08, Dan Conway wrote:
Yes Dovecot will proxy the connection to the real MTA. My question is why authentication is _always_ required on Dovecot when submission is used, as MTAs usually have an option to allow non-authenticated relaying.
Where is this documented? What MTA supports that theory?
Dovecot still needs auth for sending mails, even if it's the real MTA sending to another MTA. The difference is that it's the MTA that had that job of submission, but it has never been a free ride in the park, as it would make it an open relay.
Don't do this, ever.
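Vladislav's suggestion (keep the unauthenticated IP relay list in the MTA and submit on port 25) and Benny's open-relay warning both come down to how the MTA orders its relay restrictions. The block below is an added example, not code from the thread, from Dovecot or from Postfix: a small Python model of a Postfix-style smtpd_relay_restrictions list, with constructed sample networks and domains, showing that a trusted-network allowlist is only safe while the list still ends in reject_unauth_destination.

```python
import ipaddress

# Constructed sample values (not from the thread): the domains this MTA accepts
# mail for, and the trusted client networks allowed to relay without SASL auth,
# the equivalent of Postfix 'mynetworks'. IPv6 ranges are matched the same way.
LOCAL_DOMAINS = {"example.org"}
MYNETWORKS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "192.0.2.0/24", "2001:db8::/32")]


def in_mynetworks(client_ip):
    """True if the client address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MYNETWORKS)   # mixed IP versions never match


def evaluate(restrictions, client_ip, authenticated, rcpt):
    """Simplified model of a Postfix-style smtpd_relay_restrictions list:
    restrictions are tried left to right, the first verdict wins, and an
    exhausted list ends in an implicit permit. Returns the SMTP reply."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(client_ip):
            return "250 2.1.5 Ok"
        if r == "permit_sasl_authenticated" and authenticated:
            return "250 2.1.5 Ok"
        if r == "reject_unauth_destination" and rcpt_domain not in LOCAL_DOMAINS:
            return "554 5.7.1 Relay access denied"
        if r == "permit":
            return "250 2.1.5 Ok"
    return "250 2.1.5 Ok"   # implicit permit at the end of the list


# Allowlist a handful of networks, everyone else must authenticate, and foreign
# recipients are refused for any client that passed neither test.
SAFE = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
# Same allowlist, but the final reject is missing: the implicit permit turns
# this into an open relay for every client on the internet.
OPEN_RELAY = ["permit_mynetworks", "permit_sasl_authenticated"]


def is_open_relay(restrictions):
    """Audit check: an unknown, unauthenticated client must not be able to
    relay to a domain this server is not responsible for."""
    reply = evaluate(restrictions, "203.0.113.9", False, "someone@elsewhere.example")
    return reply.startswith("250")


if __name__ == "__main__":
    for name, rules in (("SAFE", SAFE), ("OPEN_RELAY", OPEN_RELAY)):
        print(name, "open relay" if is_open_relay(rules) else "relay restricted")
```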
Making no assertions/judgements as to the goal or intended path to get there…just helping with the original question…
Based on the submission server link below, it appears you will need to use the same auth mechanisms for submission as you do for IMAP/POP. So essentially, the same type of config for allowing no-auth IMAP/POP connections should be how you cfg no-auth submission connections.
In addition to the following links, I would also take a look at Dovecot’s default auth config file for more details on how to allow access without auth…
https://doc.dovecot.org/admin_manual/submission_server/
https://doc.dovecot.org/configuration_manual/authentication/
On 28 Jul 2021, at 7:10, Dan Conway wrote:
Thank you for the pointers. People say RTFM, as if that's rude, but it's good to know, especially if there is documentation of ongoing development or a "road map" for future work.
On July 28, 2021 10:51:50 AM AKDT, Antonio Leding tech@leding.net wrote:
Making no assertions/judgements as to the goal or intended path to get there…just helping with the original question…
Based on the submission server link below, it appears you will need to use the same auth mechanisms for submission as you do for IMAP/POP. So
Good enough reason to integrate MSA (Mail Submission Agent) capabilities into the MUA (Mail User Agent).
Suggestion box: This should be able (in the future) to handle "tricks" like archiving sent messages alongside received messages or simply copying sent messages into an IMAP sent folder on the server.
https://doc.dovecot.org/admin_manual/submission_server/
https://doc.dovecot.org/configuration_manual/authentication/
This is all quite new then and under active development.
Sent from my Android device with K-9 Mail. Please excuse my brevity.
participants (8)
- Alexander Dalloz
- Antonio Leding
- Benny Pedersen
- Dan Conway
- dovecot@ptld.com
- John Stoffel
- justina colmena ~biz
- Vladislav Kurz