Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follows:
submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes
My main issue is that until I log in, dovecot-submission won't connect to the backend and query the capabilities, and so won't report the right capabilities.
That means that the first EHLO response doesn't get the right capabilities list:
EHLO example.com
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
This list doesn't contain VRFY or DSN, and SIZE is not specified (all of these are present in the backend EHLO response). After login, if I send a new EHLO command, everything is properly reported. The raw log shows that, unlike what the documentation says, dovecot doesn't try to connect to the backend until the user is properly logged in.
In my raw log I see that after I log in to dovecot-submission, the latter opens a connection to the backend and sends an XCLIENT command.
Now, if I try to force the capabilities by using:
submission_backend_capabilities = VRFY 8BITMIME DSN
dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting the XCLIENT command to the backend and tries to simply forward the commands without authentication, which results in postfix rejecting the command with an unauthorized user error.
What is wrong with my configuration? Thanks.
Jean-Daniel
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
What is wrong with my configuration? Thanks.
Can you send us your complete configuration (output from dovecot -n)?
Regards,
Stephan.
On 27 Jul 2019 at 14:30, Stephan Bosch stephan@rename-it.nl wrote:
Can you send us your complete configuration (output from dovecot -n)?
Yes (see below).
Some additional information:
===============
When I connect directly to dovecot-submission using nc and send an EHLO command, I get the following result (the SIZE is configured in the dovecot config, that's why it is properly announced), but no raw log is generated at all.
$ nc smtp.example.com 587
220 smtp.example.com Dovecot ready.
EHLO mydomain.com
250-smtp.example.com
250-8BITMIME
250-AUTH
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE 41943040
250-STARTTLS
250 PIPELINING
QUIT
221 2.0.0 Bye
===============
Ditto if I use openssl s_client -starttls smtp -crlf -connect smtp.example.com:587 and send the EHLO after STARTTLS.
===============
For the record, here is the result of a direct connection to postfix:
$ nc 127.0.0.1 8587
220 smtp.example.com ESMTP Postfix
EHLO example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
===============
And here is the content of the raw logs when a mail is sent.
======== rawlog.in
1564258521.813430 220 smtp.example.com ESMTP Postfix
1564258521.814206 250-smtp.example.com
1564258521.814206 250-PIPELINING
1564258521.814206 250-SIZE 41943040
1564258521.814206 250-VRFY
1564258521.814206 250-ETRN
1564258521.814206 250-STARTTLS
1564258521.814206 250-AUTH PLAIN LOGIN
1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.814206 250-ENHANCEDSTATUSCODES
1564258521.814206 250-8BITMIME
1564258521.814206 250-DSN
1564258521.814206 250 SMTPUTF8
1564258521.848159 220 smtp.example.com ESMTP Postfix
1564258521.849506 250-smtp.example.com
1564258521.849506 250-PIPELINING
1564258521.849506 250-SIZE 41943040
1564258521.849506 250-VRFY
1564258521.849506 250-ETRN
1564258521.849506 250-STARTTLS
1564258521.849506 250-AUTH PLAIN LOGIN
1564258521.849506 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.849506 250-ENHANCEDSTATUSCODES
1564258521.849506 250-8BITMIME
1564258521.849506 250-DSN
1564258521.849506 250 SMTPUTF8
1564258521.854093 250 2.1.0 Ok
1564258521.909487 250 2.1.5 Ok
1564258521.983093 354 End data with <CR><LF>.<CR><LF>
1564258522.115312 250 2.0.0 Ok: queued as DDBCCD53B
======== rawlog.out
1564258521.813739 EHLO smtp.example.com
1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66
1564258521.848701 EHLO smtp.example.com
1564258521.850122 MAIL FROM:<service@example.com> AUTH=info
1564258521.889896 RCPT TO:<jddupas@xooloo.com>
1564258521.981094 DATA
1564258521.983757 Received: from [10.188.153.106] ([46.193.33.66])
1564258521.983757 	by smtp.example.com with ESMTPSA
1564258521.983757 	id cSDvMtmwPF14TAAABU9jsA
1564258521.983757 	(envelope-from <service@example.com>)
1564258521.983757 	for <jddupas@xooloo.com>; Sat, 27 Jul 2019 22:15:21 +0200
1564258521.984065 From: Jean-Daniel Dupas <service@example.com>
1564258521.984065 Content-Type: text/plain
1564258521.984065 Content-Transfer-Encoding: 7bit
1564258521.984065 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
1564258521.984065 Subject: Send test
1564258521.984065 Message-Id: <827EAD17-6C27-4BDF-AD94-F106E37745C1@example.com>
1564258521.984065 Date: Sat, 27 Jul 2019 22:15:19 +0200
1564258521.984065 To: Jean-Daniel Dupas <jddupas@xooloo.com>
1564258521.984065 X-Mailer: Apple Mail (2.3445.104.11)
1564258521.984065 
1564258521.984280 .
1564258543.105429 QUIT
================== doveconf -n
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.15.0-55-generic x86_64 Ubuntu 18.04.2 LTS
# Hostname: example.com
auth_mechanisms = plain login
auth_verbose = yes
hostname = smtp.example.com
imap_hibernate_timeout = 1 mins
mail_attribute_dict = file:%h/metadata
mail_gid = vmail
mail_location = mdbox:~/mail
mail_plugins = fts fts_xapian
mail_server_admin = mailto:sysadmin@example.com
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location = 
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  fts = xapian
  fts_autoindex = yes
  fts_autoindex_exclude = \Junk
  fts_autoindex_exclude2 = \Trash
  fts_enforced = yes
  fts_languages = fr en
  fts_xapian = partial=2 full=20
  imapsieve_mailbox1_before = file:/var/lib/vmail/imapsieve/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/var/lib/vmail/imapsieve/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/var/lib/vmail/imapsieve/unflag.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Trash
  plugin = fts fts_xapian
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /var/lib/vmail/sieve-after
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /var/lib/vmail/sieve-pipe
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
postmaster_address = 
protocols = " imap lmtp sieve submission"
recipient_delimiter = -
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service doveadm {
  vsz_limit = 1 G
}
service imap-hibernate {
  unix_listener imap-hibernate {
    group = vmail
    mode = 0660
  }
  user = vmail
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 2
}
service imap {
  unix_listener imap-master {
    user = vmail
  }
}
service indexer-worker {
  vsz_limit = 1 G
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = localhost
  }
}
service submission-login {
  inet_listener submissions {
    haproxy = no
    port = 465
    reuse_port = no
    ssl = yes
  }
}
ssl_alt_cert = http://imap.example.com/rsa/cert.pem
ssl_alt_key = # hidden, use -P to show it
ssl_cert = http://imap.example.com/ecdsa/cert.pem
ssl_cipher_list = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.1
ssl_prefer_server_ciphers = yes
submission_host = smtp.example.com
submission_max_mail_size = 40 M
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_trusted = yes
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = fts fts_xapian sieve
}
protocol imap {
  imap_metadata = yes
  mail_max_userip_connections = 25
  mail_plugins = fts fts_xapian imap_zlib imap_sieve
  namespace inbox {
    location = 
    mailbox Junk {
      autoexpunge = 30 days
    }
    mailbox Trash {
      autoexpunge = 30 days
    }
    prefix = 
  }
}
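As an added illustration (not code from this thread, from Dovecot or from Postfix), here is a small Python helper that does what the nc sessions above do by hand: it parses the proxy's and the backend's EHLO replies and reports which extensions the proxy is not relaying and which parameters differ (SIZE with no value, VRFY and DSN absent). The two sample replies are copied from the sessions above; the `PROXY_LOCAL` set of extensions assumed to be terminated at the proxy, the helper names and the `probe.example.net` EHLO name are my assumptions, and `fetch_capabilities` (which queries a live listener with smtplib over STARTTLS or implicit TLS) is not exercised offline.

```python
"""Compare the ESMTP extensions a submission proxy advertises with those of
its relay backend.  Added example: the EHLO replies are copied from the nc
sessions in this thread; helper names and PROXY_LOCAL are assumptions."""
import re
import smtplib
import ssl
from typing import Dict, List, Tuple

# Assumption: extensions legitimately terminated at the proxy rather than
# relayed (the proxy does its own TLS and AUTH, XCLIENT is proxy-to-backend
# only, ETRN is queue management on the backend).
PROXY_LOCAL = {"STARTTLS", "AUTH", "XCLIENT", "ETRN"}

# Constructed sample input: dovecot-submission's EHLO reply before login.
PROXY_EHLO = """250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING"""

# Constructed sample input: the Postfix backend's EHLO reply on port 8587.
BACKEND_EHLO = """250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8"""

_LINE = re.compile(r"^250([ -])(\S*)(?:\s+(.*))?$")


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Parse a raw multi-line 250 reply into {EXTENSION: parameters}.

    The first 250 line carries the server domain, not an extension, so it is
    skipped.  A malformed line, or a reply whose last line is not '250 '
    (space), raises ValueError: that is how a truncated capture shows up."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    caps: Dict[str, str] = {}
    for idx, line in enumerate(lines):
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"not a 250 line: {line!r}")
        sep, keyword, params = m.groups()
        last = idx == len(lines) - 1
        if (sep == " ") != last:
            raise ValueError(f"bad continuation marker on line {idx + 1}: {line!r}")
        if idx == 0:
            continue  # greeting line (domain), not a capability
        caps[keyword.upper()] = (params or "").strip()
    return caps


def compare_capabilities(proxy: Dict[str, str], backend: Dict[str, str],
                         ignore=PROXY_LOCAL) -> Tuple[List[str], Dict[str, Tuple[str, str]]]:
    """Return (missing, differing): backend extensions the proxy does not
    advertise at all, and extensions on both sides whose parameters differ
    (e.g. SIZE with no limit versus the backend's 41943040)."""
    missing = sorted(k for k in backend if k not in proxy and k not in ignore)
    differing = {k: (proxy[k], backend[k]) for k in sorted(backend)
                 if k in proxy and k not in ignore and proxy[k] != backend[k]}
    return missing, differing


def fetch_capabilities(host: str, port: int, ehlo_name: str = "probe.example.net",
                       tls: str = "none") -> Dict[str, str]:
    """Query a live listener (not run offline).  tls='starttls' upgrades a
    port-587 style session, tls='implicit' wraps the socket from the start
    (a port-465 'submissions' listener), 'none' stays in cleartext."""
    ctx = ssl.create_default_context()
    if tls == "implicit":
        smtp = smtplib.SMTP_SSL(host, port, timeout=10, context=ctx)
    else:
        smtp = smtplib.SMTP(host, port, timeout=10)
    with smtp:
        smtp.ehlo(ehlo_name)
        if tls == "starttls":
            smtp.starttls(context=ctx)
            smtp.ehlo(ehlo_name)  # capabilities must be re-read after STARTTLS
        # smtplib lower-cases the keywords and keeps parameters as a string
        return {k.upper(): v.strip() for k, v in smtp.esmtp_features.items()}


def report(proxy_reply: str = PROXY_EHLO, backend_reply: str = BACKEND_EHLO) -> List[str]:
    """Human-readable summary of what the proxy is failing to relay."""
    missing, differing = compare_capabilities(parse_ehlo(proxy_reply),
                                              parse_ehlo(backend_reply))
    out = [f"not relayed by proxy: {' '.join(missing) or '(none)'}"]
    for k, (p, b) in differing.items():
        out.append(f"{k}: proxy advertises {p or '(no parameter)'}, backend advertises {b}")
    return out


if __name__ == "__main__":
    print("\n".join(report()))
```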
service submission-login {
  inet_listener submissions {
    haproxy = no
    port = 465
    reuse_port = no
    ssl = yes
  }
}
Shouldn't the port be 587 here?
My config file looks like:
service submission-login {
  inet_listener submission {
    #port = 587
  }
}
The # comment must also mean something...
My configuration has 2 listeners. The default one (submission) on port 587 (which does not appear in the "dovecot -n" output as it is the default),
and a second one on port 465 that is configured to use submission over TLS (note the ssl = yes in the configuration and the "s" at the end of the name: submissions).
According to RFC8314 (https://tools.ietf.org/html/rfc8314), this is now the recommended setting:
« In brief, this memo now recommends that:
…
o Connections to Mail Submission Servers and Mail Access Servers be made using "Implicit TLS" (as defined below), in preference to connecting to the "cleartext" port and negotiating TLS using the STARTTLS command or a similar command.
»
On 27 Jul 2019 at 22:39, Bob Gustafson via dovecot dovecot@dovecot.org wrote:
service submission-login {
  inet_listener submissions {
    haproxy = no
    port = 465
    reuse_port = no
    ssl = yes
  }
}
Shouldn't the port be 587 here?
My config file looks like:
service submission-login { inet_listener submission { #port = 587 } }
The # comment must also mean something..
On 7/27/19 3:21 PM, Jean-Daniel via dovecot wrote:
Le 27 juil. 2019 à 14:30, Stephan Bosch stephan@rename-it.nl a écrit :
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follow:
submission_host = smtp.example.com submission_relay_host = localhost submission_relay_port = 8587
Le 27 juil. 2019 à 14:30, Stephan Bosch stephan@rename-it.nl a écrit :
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follow:
submission_host = smtp.example.com submission_relay_host = localhost submission_relay_port = 8587 submission_relay_rawlog_dir = /var/log/dovecot/ submission_relay_trusted = yes
My main issue is that until I login, dovecot-submission won't connect to the backend and query the capabilities and so won't report the right capabilities.
That mean that the first EHLO message don't get the right capabilities list.
" EHLO example.com
250-smtp.example.com 250-8BITMIME 250-AUTH PLAIN LOGIN 250-BURL imap 250-CHUNKING 250-ENHANCEDSTATUSCODES 250-SIZE 250 PIPELINING "
This list don't contains VRFY, DNS, and SIZE is not specified (all of these is present in backend EHLO response). After login, if I send an new EHLO command, everything is properly reported. The raw log shows that unlike what the documentation says, dovecot don't try to connect to the backend until the user is properly logged.
In my raw log I show that after I logged in dovecot-submission, the later open a connection to the backend and send a X-CLIENT command.
Now, if I try to force the capabilities by using:
submission_backend_capabilities = VRFY 8BITMIME DSN
dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting X-CLIENT command to the backend and try to simply forward the command without authentication, which result in postfix rejecting the command with an unauthorized user error.
What is wrong with my configuration ? Thanks.
Can you send us your complete configuration (output from
dovecot -n
)?Yes (see below).
Some additional information:
===============
When I connect directly to dovecot-submission using nc and send an EHLO command, I got the following result (the SIZE is configured in dovecot config, that’s why it is properly announced), but no raw_log are generated at all.
$ nc smtp.example.com 587
220 smtp.example.com Dovecot ready. EHLO mydomain.com 250-smtp.example.com 250-8BITMIME 250-AUTH 250-BURL imap 250-CHUNKING 250-ENHANCEDSTATUSCODES 250-SIZE 41943040 250-STARTTLS 250 PIPELINING QUIT 221 2.0.0 Bye
===============
Ditto if I use openssl s_client -starttls smtp -crlf -connect smtp.example.com:587 and send the EHLO after STARTTLS.
===============
For the record, here is the result of a direct connect to postfix:
$ nc 127.0.0.1 8587 220 smtp.example.com ESMTP Postfix EHLO example.com 250-smtp.example.com 250-PIPELINING 250-SIZE 41943040 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 SMTPUTF8
===============
And here is the content of the row logs when a mail is sent.
======== rawlog.in
1564258521.813430 220 smtp.example.com ESMTP Postfix 1564258521.814206 250-smtp.example.com 1564258521.814206 250-PIPELINING 1564258521.814206 250-SIZE 41943040 1564258521.814206 250-VRFY 1564258521.814206 250-ETRN 1564258521.814206 250-STARTTLS 1564258521.814206 250-AUTH PLAIN LOGIN 1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT 1564258521.814206 250-ENHANCEDSTATUSCODES 1564258521.814206 250-8BITMIME 1564258521.814206 250-DSN 1564258521.814206 250 SMTPUTF8 1564258521.848159 220 smtp.example.com ESMTP Postfix 1564258521.849506 250-smtp.example.com 1564258521.849506 250-PIPELINING 1564258521.849506 250-SIZE 41943040 1564258521.849506 250-VRFY 1564258521.849506 250-ETRN 1564258521.849506 250-STARTTLS 1564258521.849506 250-AUTH PLAIN LOGIN 1564258521.849506 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT 1564258521.849506 250-ENHANCEDSTATUSCODES 1564258521.849506 250-8BITMIME 1564258521.849506 250-DSN 1564258521.849506 250 SMTPUTF8 1564258521.854093 250 2.1.0 Ok 1564258521.909487 250 2.1.5 Ok 1564258521.983093 354 End data with <CR><LF>.<CR><LF> 1564258522.115312 250 2.0.0 Ok: queued as DDBCCD53B
======== rawlog.out
1564258521.813739 EHLO smtp.example.com 1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66 1564258521.848701 EHLO smtp.example.com 1564258521.850122 MAIL FROM:service@example.com AUTH=info 1564258521.889896 RCPT TO:jddupas@xooloo.com 1564258521.981094 DATA 1564258521.983757 Received: from [10.188.153.106] ([46.193.33.66]) 1564258521.983757 by smtp.example.com with ESMTPSA 1564258521.983757 id cSDvMtmwPF14TAAABU9jsA 1564258521.983757 (envelope-from service@example.com) 1564258521.983757 for jddupas@xooloo.com; Sat, 27 Jul 2019 22:15:21 +0200 1564258521.984065 From: Jean-Daniel Dupas service@example.com 1564258521.984065 Content-Type: text/plain 1564258521.984065 Content-Transfer-Encoding: 7bit 1564258521.984065 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\)) 1564258521.984065 Subject: Send test 1564258521.984065 Message-Id: 827EAD17-6C27-4BDF-AD94-F106E37745C1@example.com 1564258521.984065 Date: Sat, 27 Jul 2019 22:15:19 +0200 1564258521.984065 To: Jean-Daniel Dupas jddupas@xooloo.com 1564258521.984065 X-Mailer: Apple Mail (2.3445.104.11) 1564258521.984065 1564258521.984280 . 1564258543.105429 QUIT
================== doveconf -n
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.15.0-55-generic x86_64 Ubuntu 18.04.2 LTS
# Hostname: example.com
auth_mechanisms = plain login
auth_verbose = yes
hostname = smtp.example.com
imap_hibernate_timeout = 1 mins
mail_attribute_dict = file:%h/metadata
mail_gid = vmail
mail_location = mdbox:~/mail
mail_plugins = fts fts_xapian
mail_server_admin = mailto:sysadmin@example.com
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location = 
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  fts = xapian
  fts_autoindex = yes
  fts_autoindex_exclude = \Junk
  fts_autoindex_exclude2 = \Trash
  fts_enforced = yes
  fts_languages = fr en
  fts_xapian = partial=2 full=20
  imapsieve_mailbox1_before = file:/var/lib/vmail/imapsieve/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/var/lib/vmail/imapsieve/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/var/lib/vmail/imapsieve/unflag.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Trash
  plugin = fts fts_xapian
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /var/lib/vmail/sieve-after
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /var/lib/vmail/sieve-pipe
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
postmaster_address = 
protocols = " imap lmtp sieve submission"
recipient_delimiter = -
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service doveadm {
  vsz_limit = 1 G
}
service imap-hibernate {
  unix_listener imap-hibernate {
    group = vmail
    mode = 0660
  }
  user = vmail
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 2
}
service imap {
  unix_listener imap-master {
    user = vmail
  }
}
service indexer-worker {
  vsz_limit = 1 G
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = localhost
  }
}
service submission-login {
  inet_listener submissions {
    haproxy = no
    port = 465
    reuse_port = no
    ssl = yes
  }
}
ssl_alt_cert = 
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes
My main issue is that until I log in, dovecot-submission won't connect to the backend and query the capabilities, and so won't report the right capabilities.
That means that the first EHLO message doesn't get the right capabilities list.
EHLO example.com
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
This list doesn't contain VRFY, DSN, and SIZE is not specified (all of these are present in the backend EHLO response). After login, if I send a new EHLO command, everything is properly reported. The raw log shows that, unlike what the documentation says, dovecot doesn't try to connect to the backend until the user is properly logged in.
In my raw log I see that after I logged in to dovecot-submission, the latter opens a connection to the backend and sends an XCLIENT command.
Now, if I try to force the capabilities by using:
submission_backend_capabilities = VRFY 8BITMIME DSN
dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting the XCLIENT command to the backend and tries to simply forward the command without authentication, which results in postfix rejecting the command with an unauthorized user error.
What is wrong with my configuration? Thanks.
Can you send us your complete configuration (output from dovecot -n)?
Regards,
Stephan.
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follows:
submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes
My main issue is that until I log in, dovecot-submission won't connect to the backend and query the capabilities, and so won't report the right capabilities.
That is true and expected. No connection to the relay server is made until the user is logged in.
That means that the first EHLO message doesn't get the right capabilities list.
EHLO example.com
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
This list doesn't contain VRFY, DSN, and SIZE is not specified (all of these are present in the backend EHLO response). After login, if I send a new EHLO command, everything is properly reported. The raw log shows that, unlike what the documentation says, dovecot doesn't try to connect to the backend until the user is properly logged in.
Oh, then we need to adjust the documentation. This is normal behavior.
In my raw log I see that after I logged in to dovecot-submission, the latter opens a connection to the backend and sends an XCLIENT command.
Now, if I try to force the capabilities by using:
submission_backend_capabilities = VRFY 8BITMIME DSN
dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting the XCLIENT command to the backend and tries to simply forward the command without authentication, which results in postfix rejecting the command with an unauthorized user error.
Yes, that is a bug. I have reproduced it here. We will look into it.
Regards,
Stephan.
On 27 Jul 2019 at 23:13, Stephan Bosch <stephan@rename-it.nl> wrote:
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follows:
submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes
My main issue is that until I log in, dovecot-submission won't connect to the backend and query the capabilities, and so won't report the right capabilities.
That is true and expected. No connection to the relay server is made until the user is logged in.
That means that the first EHLO message doesn't get the right capabilities list.
EHLO example.com
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
This list doesn't contain VRFY, DSN, and SIZE is not specified (all of these are present in the backend EHLO response). After login, if I send a new EHLO command, everything is properly reported. The raw log shows that, unlike what the documentation says, dovecot doesn't try to connect to the backend until the user is properly logged in.
Oh, then we need to adjust the documentation. This is normal behavior.
This is in the default 20-submission.conf file:
# By default, the submission service first connects to the relay server to
# determine the support for such capabilities before sending the initial EHLO
# reply to the client. If the list of capabilities returned by the relay server
# is somehow unreliable or it is undesirable to start the connection to the
# relay server before the first mail transaction is started, the backend
# capabilities can be configured explicitly using the
# submission_backend_capabilities setting.
…
#submission_backend_capabilities =
On 27/07/2019 23:13, Stephan Bosch via dovecot wrote:
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follows:
submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes
My main issue is that until I log in, dovecot-submission won't connect to the backend and query the capabilities, and so won't report the right capabilities.
That is true and expected. No connection to the relay server is made until the user is logged in.
That means that the first EHLO message doesn't get the right capabilities list.
EHLO example.com
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
This list doesn't contain VRFY, DSN, and SIZE is not specified (all of these are present in the backend EHLO response). After login, if I send a new EHLO command, everything is properly reported. The raw log shows that, unlike what the documentation says, dovecot doesn't try to connect to the backend until the user is properly logged in.
Oh, then we need to adjust the documentation. This is normal behavior.
In my raw log I see that after I logged in to dovecot-submission, the latter opens a connection to the backend and sends an XCLIENT command.
Now, if I try to force the capabilities by using:
submission_backend_capabilities = VRFY 8BITMIME DSN
dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting the XCLIENT command to the backend and tries to simply forward the command without authentication, which results in postfix rejecting the command with an unauthorized user error.
Yes, that is a bug. I have reproduced it here. We will look into it.
Tracking this bug as DOP-1323.
Regards,
Stephan.
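The two symptoms in this thread (a pre-login EHLO that under-reports the backend's capabilities, and a relay session in which the proxy forwards MAIL FROM without first sending XCLIENT LOGIN=) are both visible in the rawlog pair that submission_relay_rawlog_dir produces. The script below is an added example written for this page, not Dovecot or Postfix code. It assumes the layout seen above: a rawlog ".in" file holding the backend's replies and a ".out" file holding what the proxy sent, one "<unix-timestamp> <text>" entry per line. The sample sessions are constructed from the thread's log (with the angle brackets the archive stripped restored); the "no XCLIENT" session is a constructed reproduction of the failure Jean-Daniel describes, not a log from the thread.

```python
"""Audit a Dovecot submission -> Postfix relay session from its rawlog pair."""
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(\d+\.\d+) (.*)$")
# ESMTP keywords the proxy terminates itself (AUTH, STARTTLS) or uses only towards
# the backend (XCLIENT); their absence from the client-facing EHLO is not a gap.
PROXY_OWNED = {"AUTH", "STARTTLS", "XCLIENT"}

# Constructed sample: backend replies, modelled on the thread's rawlog.in.
RAWLOG_IN = """\
1564258521.813430 220 smtp.example.com ESMTP Postfix
1564258521.814206 250-smtp.example.com
1564258521.814206 250-PIPELINING
1564258521.814206 250-SIZE 41943040
1564258521.814206 250-VRFY
1564258521.814206 250-ETRN
1564258521.814206 250-STARTTLS
1564258521.814206 250-AUTH PLAIN LOGIN
1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.814206 250-ENHANCEDSTATUSCODES
1564258521.814206 250-8BITMIME
1564258521.814206 250-DSN
1564258521.814206 250 SMTPUTF8
1564258521.854093 250 2.1.0 Ok
1564258522.115312 250 2.0.0 Ok: queued as DDBCCD53B
"""
# Constructed sample: the healthy session from the thread (XCLIENT before MAIL FROM).
RAWLOG_OUT_OK = """\
1564258521.813739 EHLO smtp.example.com
1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66
1564258521.848701 EHLO smtp.example.com
1564258521.850122 MAIL FROM:<service@example.com> AUTH=info
1564258521.889896 RCPT TO:<jddupas@xooloo.com>
1564258521.981094 DATA
1564258521.984280 .
1564258543.105429 QUIT
"""
# Constructed sample: the failure mode described with submission_backend_capabilities set.
RAWLOG_OUT_NO_XCLIENT = """\
1564258521.813739 EHLO smtp.example.com
1564258521.850122 MAIL FROM:<service@example.com> AUTH=info
1564258521.889896 RCPT TO:<jddupas@xooloo.com>
1564258543.105429 QUIT
"""
# The client-facing EHLO reply the proxy produced before login, as quoted in the thread.
PROXY_EHLO_BEFORE_LOGIN = """\
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING"""


def parse_rawlog(text: str) -> List[Tuple[float, str]]:
    """Split rawlog text into (timestamp, payload) pairs, skipping malformed lines."""
    return [(float(m.group(1)), m.group(2))
            for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def ehlo_capabilities(lines: List[str]) -> Dict[str, str]:
    """Map EHLO keyword -> parameters from '250-KEYWORD [params]' lines. Tokens with a
    dot (the server domain on the first 250 line, status codes like '2.1.0') are skipped."""
    caps: Dict[str, str] = {}
    for text in lines:
        m = re.match(r"^250[- ](\S+)(?: (.*))?$", text)
        if m and "." not in m.group(1):
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps


def backend_capabilities(rawlog_in: str) -> Dict[str, str]:
    return ehlo_capabilities([p for _, p in parse_rawlog(rawlog_in)])


def proxy_capabilities(proxy_reply: str) -> Dict[str, str]:
    return ehlo_capabilities(proxy_reply.splitlines())


def capability_gaps(backend: Dict[str, str], proxy: Dict[str, str]):
    """(missing, mismatched): keywords the backend offers that the proxy did not announce,
    and keywords announced with different parameters (e.g. a bare SIZE)."""
    missing = sorted(k for k in backend if k not in proxy and k not in PROXY_OWNED)
    mismatched = {k: (proxy[k], backend[k]) for k in backend
                  if k in proxy and k not in PROXY_OWNED and proxy[k] != backend[k]}
    return missing, mismatched


def check_xclient(rawlog_out: str) -> Tuple[bool, str]:
    """The proxy must tell the backend who authenticated (XCLIENT LOGIN=) before the first
    MAIL FROM, and MAIL FROM's AUTH= must name the same user; otherwise the backend is
    looking at an unauthenticated relay attempt."""
    login = None
    for _, payload in parse_rawlog(rawlog_out):
        verb = payload.split(None, 1)[0].upper() if payload.strip() else ""
        if verb == "XCLIENT":
            m = re.search(r"\bLOGIN=(\S+)", payload)
            login = m.group(1) if m else None
        elif verb == "MAIL":
            if login is None:
                return False, "MAIL FROM sent before any XCLIENT LOGIN=; relay is unauthenticated"
            m = re.search(r"\bAUTH=(\S+)", payload)
            if m and m.group(1) != login:
                return False, f"MAIL FROM AUTH={m.group(1)} != XCLIENT LOGIN={login}"
            return True, f"XCLIENT LOGIN={login} preceded MAIL FROM"
    return False, "session contains no MAIL FROM"


if __name__ == "__main__":
    missing, mismatched = capability_gaps(backend_capabilities(RAWLOG_IN),
                                          proxy_capabilities(PROXY_EHLO_BEFORE_LOGIN))
    print("not announced before login:", missing, "parameter mismatch:", mismatched)
    for name, log in (("ok", RAWLOG_OUT_OK), ("no-xclient", RAWLOG_OUT_NO_XCLIENT)):
        print(name, check_xclient(log))
```

Run against the thread's own session, the capability check lists DSN, ETRN, SMTPUTF8 and VRFY as advertised by Postfix but not by the proxy's first EHLO, and flags SIZE as announced without the backend's 41943040 limit, which is exactly the gap submission_backend_capabilities exists to paper over. The XCLIENT check is the one worth keeping as a regression monitor: with submission_relay_trusted = yes the backend is expected to believe the LOGIN= the proxy hands it, so a session that reaches MAIL FROM without that command is a relay without an asserted identity. Postfix rejected it here because the relay port demanded authentication; on a backend that also accepted localhost via permit_mynetworks the same bug would pass silently, and only the rawlog check would show it.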
participants (4)
- Bob Gustafson
- Jean-Daniel
- Jean-Daniel Dupas
- Stephan Bosch