submission_host auth
When using a dovecot container with the sieve plugin, there is no sendmail to use for sending email, e.g. for the sieve redirect action. We can use submission_host instead (https://doc.dovecot.org/settings/core/#core_setting-submission_host), but there is no way to specify credentials for auth in the remote MTA. The submission_relay_* settings, e.g. submission_relay_master_user, relate to the dovecot submission service. Using something like permit_mynetworks in the remote MTA is not acceptable for security reasons.
Is it possible to add authorization in the remote MTA using submission_host?
You start the auth service in dovecot, then tell the MTA to use it. For example, if you use postfix, this explains how:
https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/
Thanks for the reply, postfix + dovecot SASL is configured and working properly. My question is about "adding dovecot authentication when sending emails via submission_host".
Let's say we have a dovecot + sieve plugin container. Dovecot is configured to use a remote SMTP submission host to send messages: submission_host = postfix.example.com:587
User foo@example.com has the following sieve script:
require ["fileinto", "copy", "vacation", "date", "relational"];
redirect :copy "bar@example.com";
keep;
baz@example.com sends an email to foo@example.com.
dovecot lmtp log:
lmtp(foo@example.com)<7670><QTsrNZjdxmP2HQAAaVGrHw>: Info: sieve: msgid=<63fce409f26b1a67785a475a00034a05@mail.example.com>: redirect action: failed to redirect message to <bar@example.com>: smtp(postfix.example.com:587): RCPT TO failed: 554 5.7.1 <bar@example.com>: Recipient address rejected: Access denied (permanent failure)
lmtp(foo@example.com)<7670><QTsrNZjdxmP2HQAAaVGrHw>: Info: sieve: msgid=<63fce409f26b1a67785a475a00034a05@mail.example.com>: stored mail into mailbox 'INBOX'
lmtp(foo@example.com)<7670><QTsrNZjdxmP2HQAAaVGrHw>: Info: sieve: Execution of script /var/dovecot/example.com/foo/foo.sieve failed, but implicit keep was successful (user logfile /var/dovecot/example.com/foo/foo.sieve.log may reveal additional details)
sieve.log error: msgid=<63fce409f26b1a67785a475a00034a05@mail.example.com>: redirect action: failed to redirect message to <bar@example.com>: smtp(postfix.example.com:587): RCPT TO failed: 554 5.7.1 <bar@example.com>: Recipient address rejected: Access denied (permanent failure).
postfix log: NOQUEUE: reject: RCPT from unknown[10.0.1.4]: 554 5.7.1 <bar@example.com>: Recipient address rejected: Access denied; from=<baz@example.com> to=<bar@example.com>
The redirect :copy action failed; it's expected behavior, dovecot does not auth when sending email via submission_host. If there were a setting like submission_host_master_user = master@example.com, submission_host_master_password = masterpass to do authentication as a master user in postfix who can send email as any user...
From: dovecot <dovecot-bounces@dovecot.org> on behalf of dovecot@ptld.com <dovecot@ptld.com> Sent: 17 January 2023 18:25 To: dovecot@dovecot.org <dovecot@dovecot.org> Subject: Re: submission_host auth
I reviewed my config to see how I did it. I think you are right and SASL isn't used here. I have dovecot and postfix on the same machine, and in dovecot I set submission_host = localhost:25
Then in my sieve filters I set sieve_redirect_envelope_from = sender
I use SPF, DKIM, and DMARC.
To test this I have (fictitious) staff@work.com with a forward filter to personal@home.com. I sent an email from customer@random.com to staff@work.com; the @work.com server then sends a forwarded email to personal@home.com with To: staff@work.com and From: customer@random.com.
Checking the @home.com logs I can see that SPF failed because the @work.com server sent an email from @random.com; however, it had valid DKIM signatures from both @work.com and @random.com, so DMARC passed and the email was accepted.
I guess if the @random.com mail server only implemented SPF and did not include a DKIM signature and DMARC policy, then the @home.com server would have rejected the forwarded email.
I know this might not be the best solution you are looking for, but it is the best i could figure out to allow sieve forwarding. There is no way for a forwarded email to SASL authenticate because no one is logged in or involved in the process of LMTP receiving mail for delivery from "the world". How is the MTA supposed to know the SASL password for staff@work.com?
Dovecot auths with a "master user" when sending emails via submission_host; postfix:
- using smtpd_sender_login_maps, allow the master user to send messages with any MAIL FROM, like this:
smtpd_sender_login_maps = regexp:/etc/postfix/login_map.regexp
login_map.regexp: /^master@example.com$/ .*
OR
- in postfix master.cf, declare a dedicated submission port allowed only for dovecot, without reject_sender_login_mismatch, like this:
2525 inet n - n - - smtpd
  -o smtpd_helo_restrictions=permit_sasl_authenticated
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit_sasl_authenticated
I think it's better than
mynetworks = 10.0.1.0/24 # whole subnet, container IP assigned dynamically :(
with
smtpd_sender_restrictions = permit_mynetworks
smtpd_relay_restrictions = permit_mynetworks
What about SPF in the described scenario? You are right, SPF will be broken. Well... it's an implementation feature.
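To make the ownership rule behind the first option concrete, here is an added Python model (my example, not Postfix's code and not the thread's login_map.regexp) of how Postfix's reject_sender_login_mismatch consults smtpd_sender_login_maps: the lookup key is the MAIL FROM address and the result is the list of SASL logins that own it. The regexp table below, which lets every example.com login own its own address and lets master@example.com own every example.com address, is an assumption constructed for the example.

```python
import re

# Constructed smtpd_sender_login_maps entries in Postfix regexp-table style:
# (pattern, result).  ${1} in the result expands to the matched sender, so
# each login owns its own address and master@example.com owns them all.
# This table is an assumption for the example, not the thread's config.
LOGIN_MAP = [
    (r"^(.*@example\.com)$", "${1}, master@example.com"),
]


def lookup_owners(table, sender):
    """Return the owner logins for a MAIL FROM address, or None if unmapped.

    Simplified model of a Postfix regexp: table: the first matching pattern
    wins (case-insensitive, as Postfix defaults to), and $N / ${N} in the
    result are replaced by the captured groups.  Postfix's extra lookups
    (e.g. @domain fallback) are not modelled here.
    """
    for pattern, result in table:
        m = re.search(pattern, sender, re.IGNORECASE)
        if m:
            template = re.sub(r"\$\{?(\d+)\}?", r"\\\1", result)
            expanded = m.expand(template)
            return [o.lower() for o in re.split(r"[,\s]+", expanded) if o]
    return None


def sender_login_mismatch(table, sasl_login, mail_from):
    """Simplified model of reject_sender_login_mismatch.

    Returns the 553 reject text, or None when the check passes.  An
    authenticated client may only use a sender it owns; an unauthenticated
    client may not use a sender that somebody owns.  Owners are compared
    literally, so a pattern in the result column would not act as a wildcard.
    """
    owners = lookup_owners(table, mail_from)
    if sasl_login:
        if owners is None or sasl_login.lower() not in owners:
            return (f"553 5.7.1 <{mail_from}>: Sender address rejected: "
                    f"not owned by user {sasl_login}")
        return None
    if owners is not None:
        return f"553 5.7.1 <{mail_from}>: Sender address rejected: not logged in"
    return None


if __name__ == "__main__":
    # The sieve redirect case from the thread: dovecot logged in as the
    # master user, relaying a message whose envelope sender is baz@example.com.
    print(sender_login_mismatch(LOGIN_MAP, "master@example.com", "baz@example.com"))
    print(sender_login_mismatch(LOGIN_MAP, "foo@example.com", "bar@example.com"))
```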
From: dovecot <dovecot-bounces@dovecot.org> on behalf of dovecot@ptld.com <dovecot@ptld.com> Sent: 17 January 2023 23:18 To: dovecot@dovecot.org <dovecot@dovecot.org> Subject: Re: submission_host auth