Hi,

Thanks you very much. This did the trick!

On 6. Apr 2018, at 15:56, Stephan Bosch stephan@rename-it.nl wrote:

Op 6-4-2018 om 13:52 schreef Paul Hecker:

...

Hi,

Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).

In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).

Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?

You can find my config here:

https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8

That would be possible using the following SMTP AUTH feature:

https://tools.ietf.org/html/rfc4954#section-5

Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box.

Here is what I did:

I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.

Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.

The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently.

I can confirm that it works (only with TLS with my current configuration, see above).

I can try this in a few days. Feel free to experiment with this yourself.

Regards,

Stephan.

Thanks again, Paul

Hi,

On 6. Apr 2018, at 18:58, Odhiambo Washington odhiambo@gmail.com wrote:

Hi Paul,

Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??

here the steps I have done to integrate Dovecot submission in Exim:

• Create and set the acl_smtp_mailauth ACL:

acl_smtp_mailauth = acl_check_mailauth

acl_check_mailauth: accept hosts = <; 127.0.0.1 ; ::1 condition = ${if eq{$interface_port}{10025}} log_message = Will accept MAIL AUTH parameter for $authenticated_sender

deny

• add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:

  deny condition = ${if eq{$interface_port}{10025}} condition = ${if eq{$authenticated_sender}{}} message = All connections on port $interface_port need MAIL AUTH sender

• in Dovecot, add the following submission parameters

submission_relay_port = 10025 submission_relay_ssl = starttls submission_relay_ssl_verify = no

All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:

https://wiki.dovecot.org/Submission

Feel free is you have any further questions.

Regards, Paul

I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.

Thanks in advance.

On 6 April 2018 at 19:15, Paul Hecker paul@iwascoding.com wrote: Hi,

Thanks you very much. This did the trick!

...

On 6. Apr 2018, at 15:56, Stephan Bosch stephan@rename-it.nl wrote:

Op 6-4-2018 om 13:52 schreef Paul Hecker:

...

Hi,

Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).

In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).

Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?

You can find my config here:

https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8

That would be possible using the following SMTP AUTH feature:

https://tools.ietf.org/html/rfc4954#section-5

Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box.

Here is what I did:

I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.

Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.

...

The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently.

I can confirm that it works (only with TLS with my current configuration, see above).

...

I can try this in a few days. Feel free to experiment with this yourself.

Regards,

Stephan.

Thanks again, Paul

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."

Hi Jacky,

in postfix/main.cf you typically set something like

smtpd_sasl_auth_enable=yes smtpd_sasl_type=cyrus smtpd_sasl_exceptions_networks=$mynetworks smtpd_sasl_security_options=noanonymous smtpd_sasl_authenticated_header=yes broken_sasl_auth_clients=yes smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended

postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.

http://www.postfix.org/SASL_README.html https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

Best regards Gerald

Am 09.01.2019 um 10:15 schrieb Jacky jacky@jesstech.com:

Hi,

Anyone know how to enable this SMTP AUTH feature with Postfix?

Regards,

Jacky

On 7/4/2018 3:40 AM, Paul Hecker wrote:

...

Hi,

...

On 6. Apr 2018, at 18:58, Odhiambo Washington odhiambo@gmail.com wrote:

Hi Paul,

Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim?? here the steps I have done to integrate Dovecot submission in Exim:

• Create and set the acl_smtp_mailauth ACL:

acl_smtp_mailauth = acl_check_mailauth

acl_check_mailauth: accept hosts = <; 127.0.0.1 ; ::1 condition = ${if eq{$interface_port}{10025}} log_message = Will accept MAIL AUTH parameter for $authenticated_sender deny

• add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:

  deny condition = ${if eq{$interface_port}{10025}} condition = ${if eq{$authenticated_sender}{}} message = All connections on port $interface_port need MAIL AUTH sender

• in Dovecot, add the following submission parameters

submission_relay_port = 10025 submission_relay_ssl = starttls submission_relay_ssl_verify = no

All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:

https://wiki.dovecot.org/Submission

Feel free is you have any further questions.

Regards, Paul

...

I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.

Thanks in advance.

On 6 April 2018 at 19:15, Paul Hecker paul@iwascoding.com wrote: Hi,

Thanks you very much. This did the trick!

...

On 6. Apr 2018, at 15:56, Stephan Bosch stephan@rename-it.nl wrote:

Op 6-4-2018 om 13:52 schreef Paul Hecker:

...

Hi,

Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).

In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).

Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?

You can find my config here:

https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8 That would be possible using the following SMTP AUTH feature:

https://tools.ietf.org/html/rfc4954#section-5

Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box. Here is what I did:

I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.

Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.

...

The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently. I can confirm that it works (only with TLS with my current configuration, see above).

...

I can try this in a few days. Feel free to experiment with this yourself.

Regards,

Stephan. Thanks again, Paul

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."

Hi Jacky,

if postfix did not log a specific error to your maillog you could change smtpd to smtpd -v in master.cf to get more debug output or use debug_peer_list to see what smtp commands are sent:

http://www.postfix.org/DEBUG_README.html

Typically smtp auth looks like this:

S: 220 smtp.example.com ESMTP server ready C: EHLO jgm.example.com S: 250-smtp.example.com S: 250 AUTH CRAM-MD5 DIGEST-MD5 C: AUTH FOOBAR S: 504 Unrecognized authentication type.

or

C: AUTH CRAM-MD5 S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4= C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ== S: 235 Authentication successful.

C = client, S = server

Depending on your setup the password (maybe base64 encoded) or hash must also be sent for verification.

Or you could try to authenticate with a master user for all connections by setting

submission_relay_master_user = submission_relay_password =

in dovecot, see https://wiki.dovecot.org/Submission

Best regards Gerald

Am 09.01.2019 um 11:08 schrieb Jacky jacky@jesstech.com:

Hi Gerald,

in my postfix/main.cf

smtpd_sasl_authenticated_header = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client broken_sasl_auth_clients = yes

I am already using dovecot for SASL

The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM

MAIL FROM:jacky@xxx.com AUTH=jacky@xxx.com SIZE=1430

But, it seems that postfix does not accept the AUTH= parameter and reject the sender as no logged in.

Best regards,

Jacky

On 9/1/2019 5:49 PM, Gerald Galster wrote:

...

Hi Jacky,

in postfix/main.cf you typically set something like

smtpd_sasl_auth_enable=yes smtpd_sasl_type=cyrus smtpd_sasl_exceptions_networks=$mynetworks smtpd_sasl_security_options=noanonymous smtpd_sasl_authenticated_header=yes broken_sasl_auth_clients=yes smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended

postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.

http://www.postfix.org/SASL_README.html https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

Best regards Gerald

...

Am 09.01.2019 um 10:15 schrieb Jacky jacky@jesstech.com:

Hi,

Anyone know how to enable this SMTP AUTH feature with Postfix?

Regards,

Jacky

On 7/4/2018 3:40 AM, Paul Hecker wrote:

...

Hi,

...

On 6. Apr 2018, at 18:58, Odhiambo Washington odhiambo@gmail.com wrote:

Hi Paul,

Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim?? here the steps I have done to integrate Dovecot submission in Exim:

• Create and set the acl_smtp_mailauth ACL:

acl_smtp_mailauth = acl_check_mailauth

acl_check_mailauth: accept hosts = <; 127.0.0.1 ; ::1 condition = ${if eq{$interface_port}{10025}} log_message = Will accept MAIL AUTH parameter for $authenticated_sender deny

• add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:

  deny condition = ${if eq{$interface_port}{10025}} condition = ${if eq{$authenticated_sender}{}} message = All connections on port $interface_port need MAIL AUTH sender

• in Dovecot, add the following submission parameters

submission_relay_port = 10025 submission_relay_ssl = starttls submission_relay_ssl_verify = no

All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:

https://wiki.dovecot.org/Submission

Feel free is you have any further questions.

Regards, Paul

...

I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.

Thanks in advance.

On 6 April 2018 at 19:15, Paul Hecker paul@iwascoding.com wrote: Hi,

Thanks you very much. This did the trick!

...

On 6. Apr 2018, at 15:56, Stephan Bosch stephan@rename-it.nl wrote:

Op 6-4-2018 om 13:52 schreef Paul Hecker: > Hi, > > Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me). > > In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost). > > Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password? > > You can find my config here: > > https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8 That would be possible using the following SMTP AUTH feature:

https://tools.ietf.org/html/rfc4954#section-5

Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box. Here is what I did:

I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.

Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.

...

The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently. I can confirm that it works (only with TLS with my current configuration, see above).

...

I can try this in a few days. Feel free to experiment with this yourself.

Regards,

Stephan. Thanks again, Paul

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."

Hi Gerald and Odhiambo Washington,

Thank you for your suggestions and will try them out.

Best regards,

Jacky

On 9/1/2019 6:38 PM, Odhiambo Washington wrote:

On Wed, 9 Jan 2019 at 13:09, Jacky mailto:jacky@jesstech.com> wrote:

Hi Gerald,

in my postfix/main.cf <http://main.cf>

smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
broken_sasl_auth_clients = yes

I am already using dovecot for SASL

The dovecot submission service authenticates users and already
added the
AUTH= parameter in the MAIL FROM

MAIL FROM:<jacky@xxx.com <mailto:jacky@xxx.com>>
AUTH=jacky@xxx.com <mailto:jacky@xxx.com> SIZE=1430

But, it seems that postfix does not accept the AUTH= parameter and
reject the sender as no logged in.


Best regards,

Jacky

Hi Jacky,

Your question belongs to postfix mailinng list.

Anyway, the last time I was playing with postfix (I am an Exim user normally), I had to check that: smtpd_sasl_path = /var/run/dovecot/auth-client

..the socket is readable by the postfix user:

So, check 10-master.conf for the socket. Something like:

# Postfix smtp-auth unix_listener var/run/dovecot/auth-client  { mode = 0666 }

Restart dovecot and see...

You can read the https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)

Op 11/01/2019 om 02:52 schreef Jacky:

Hi,

Just found out that Postfix does not implement/support the AUTH=sender parameter.

So, back to Dovecot, can we use variables in the

submission_relay_user = submission_relay_password =

No, that is not supported. :/

then Dovecot will forward the username and password information of the current user to the Postfix submission service for authentication?

Would Postfix do something with the XCLIENT LOGIN field in that regard?

(Note that 2.3.4 messes up XCLIENT in several ways, so --- if Postfix can do this --- you'll have to wait for the next release).

Regards,

Stephan.

Best regards,

Jacky

On 10/1/2019 10:46 AM, Jacky wrote:

...

Hi Gerald and Odhiambo Washington,

Thank you for your suggestions and will try them out.

Best regards,

Jacky

On 9/1/2019 6:38 PM, Odhiambo Washington wrote:

...

On Wed, 9 Jan 2019 at 13:09, Jacky mailto:jacky@jesstech.com> wrote:

Hi Gerald,

in my postfix/main.cf <http://main.cf>

smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
broken_sasl_auth_clients = yes

I am already using dovecot for SASL

The dovecot submission service authenticates users and already
added the
AUTH= parameter in the MAIL FROM

MAIL FROM:<jacky@xxx.com <mailto:jacky@xxx.com>>
AUTH=jacky@xxx.com <mailto:jacky@xxx.com> SIZE=1430

But, it seems that postfix does not accept the AUTH= parameter and
reject the sender as no logged in.


Best regards,

Jacky

Hi Jacky,

Your question belongs to postfix mailinng list.

Anyway, the last time I was playing with postfix (I am an Exim user normally), I had to check that: smtpd_sasl_path = /var/run/dovecot/auth-client

..the socket is readable by the postfix user:

So, check 10-master.conf for the socket. Something like:

# Postfix smtp-auth unix_listener  var/run/dovecot/auth-client  { mode = 0666 }

Restart dovecot and see...

You can read the https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)