auth between postfix and dovecot?
Hello experts,
I have installed postfix and dovecot on the same machine.
Their configuration looks like this:
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

auth_mechanisms = plain login
!include auth-passwdfile.conf.ext
My question is:
When postfix talks to dovecot, does it require the user's username/password for authentication? Or does this communication just go without authentication?
I asked this b/c mail sent by my webmail from localhost has been going to postfix without authentication, so I am not sure if postfix talks to dovecot without requiring auth too.
Thanks, alice
On 4/22/2022 10:35 PM, ミユナ (alice) wrote:
> My question is:
> When postfix talks to dovecot, does it require the user's username/password for authentication? Or does this communication just go without authentication?
> I asked this b/c mail sent by my webmail from localhost has been going to postfix without authentication, so I am not sure if postfix talks to dovecot without requiring auth too.
My setup is virtual users in a postfixadmin database. Dovecot does all authentication, even with postfix. I believe the config snippets I have included below are the relevant things that make it possible for postfix to talk to dovecot for mail delivery and authentication.
Mail sent from localhost on port 25 does not require authentication on my system, because 127.0.0.0/8 is in postfix's mynetworks config and port 25's access restrictions include permit_mynetworks. Anything sent via submission (port 587) does require auth, even from trusted networks. If you can configure your webmail to use submission instead of smtp, maybe that can be authenticated. You'll need to consult support resources for your webmail to see if that is possible. I can say for sure that roundcube can do it ... I have roundcube configured to talk to port 587, which as mentioned, ALWAYS requires authentication.
When postfix sends mail to dovecot for delivery, I'm pretty sure that happens without authentication. It's LMTP via unix socket, not something an outside client can access directly.
# In 10-master.conf
service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }
}

service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

# In 10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain
!include auth-sql.conf.ext

# In postfix master.cf
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)

# In postfix main.cf
# Use Dovecot to authenticate.
smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

# Tell postfix to hand off mail to the definition for dovecot in master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
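Access to the Unix sockets configured in this thread is controlled by each listener's mode, user and group. The following is an added example, not part of any poster's message and not Dovecot's own tooling: it parses listener blocks from a constructed sample and lists those whose mode lets any local user connect. The function names and the 0600 fallback for a missing mode line are assumptions of this example.

```python
# Constructed sample, shaped like the listener blocks quoted in this thread.
SAMPLE_CONF = """
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
"""

def parse_listeners(text):
    """Return one dict per unix_listener block: service, path and its settings."""
    listeners, stack = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.endswith("{"):
            kind, _, name = line[:-1].strip().partition(" ")
            if kind == "unix_listener":
                service = stack[-1][1] if stack else ""
                listeners.append({"service": service, "path": name.strip()})
            stack.append((kind, name.strip()))
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line and stack and stack[-1][0] == "unix_listener":
            key, _, value = line.partition("=")
            listeners[-1][key.strip()] = value.strip()
    return listeners

def audit(text):
    """Paths of listeners whose own mode lets any local user connect()."""
    # connect() needs write permission on the socket; no mode line is assumed to mean 0600.
    return [l["path"] for l in parse_listeners(text)
            if int(l.get("mode", "0600"), 8) & 0o002]

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A listener flagged here may still be shielded by the permissions of its parent directory, so check those as well.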
On 23.04.2022 at 16:08, Shawn Heisey wrote:
> On 4/22/2022 10:35 PM, ミユナ (alice) wrote:
>> My question is:
>> When postfix talks to dovecot, does it require the user's username/password for authentication? Or does this communication just go without authentication?
[ ... ]
> When postfix sends mail to dovecot for delivery, I'm pretty sure that happens without authentication. It's LMTP via unix socket, not something an outside client can access directly.
> # In 10-master.conf
> service lmtp {
>   unix_listener lmtp {
>     #mode = 0666
>   }
> }
[ ... ]
> # Tell postfix to hand off mail to the definition for dovecot in master.cf
> virtual_transport = dovecot
> dovecot_destination_recipient_limit = 1
With this Postfix configuration you do not make use of LMTP delivery.
Alexander
On 4/23/2022 9:07 AM, Alexander Dalloz wrote:
> With this Postfix configuration you do not make use of LMTP delivery.
Interesting. I thought it was using LMTP but it looks like master.cf has it running /usr/lib/dovecot/dovecot-lda to deliver. Would LMTP be a better option? It has always worked, so I didn't look at it very closely.
I thought I had something in the postfix/dovecot combination using LMTP, but it looks like I was wrong about that. The communication between postfix and mailman3 running in docker containers (which is a very recent addition) uses LMTP.
Thanks, Shawn
Shawn Heisey wrote:
> Interesting. I thought it was using LMTP but it looks like master.cf has it running /usr/lib/dovecot/dovecot-lda to deliver. Would LMTP be a better option? It has always worked, so I didn't look at it very closely.
I see some docs saying dovecot uses LDA for delivery by default. LDA has worse performance than LMTP, though I am not sure about this.
Thanks.
Shawn Heisey wrote:
> My setup is virtual users in a postfixadmin database. Dovecot does all authentication, even with postfix. I believe the config snippets I have included below are the relevant things that make it possible for postfix to talk to dovecot for mail delivery and authentication.
> Mail sent from localhost on port 25 does not require authentication on my system, because 127.0.0.0/8 is in postfix's mynetworks config and port 25's access restrictions include permit_mynetworks. Anything sent via submission (port 587) does require auth, even from trusted networks. If you can configure your webmail to use submission instead of smtp, maybe that can be authenticated. You'll need to consult support resources for your webmail to see if that is possible. I can say for sure that roundcube can do it ... I have roundcube configured to talk to port 587, which as mentioned, ALWAYS requires authentication.
> When postfix sends mail to dovecot for delivery, I'm pretty sure that happens without authentication. It's LMTP via unix socket, not something an outside client can access directly.
Thank you. That's a good suggestion.
Regards.
On Sun, 24 Apr 2022 09:06:11 +0800, ミユナ (alice) stated:
> Shawn Heisey wrote:
>> My setup is virtual users in a postfixadmin database. Dovecot does all authentication, even with postfix. I believe the config snippets I have included below are the relevant things that make it possible for postfix to talk to dovecot for mail delivery and authentication.
>> Mail sent from localhost on port 25 does not require authentication on my system, because 127.0.0.0/8 is in postfix's mynetworks config and port 25's access restrictions include permit_mynetworks. Anything sent via submission (port 587) does require auth, even from trusted networks. If you can configure your webmail to use submission instead of smtp, maybe that can be authenticated. You'll need to consult support resources for your webmail to see if that is possible. I can say for sure that roundcube can do it ... I have roundcube configured to talk to port 587, which as mentioned, ALWAYS requires authentication.
>> When postfix sends mail to dovecot for delivery, I'm pretty sure that happens without authentication. It's LMTP via unix socket, not something an outside client can access directly.
> Thank you. That's a good suggestion.
> Regards.
These URLs might prove useful.
https://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/#lmtp-ser...
https://doc.dovecot.org/configuration_manual/howto/postfix_dovecot_lmtp/
I also use Postfix/Dovecot with LMTP.
-- Jerry