Hi,
Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).
In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
You can find my config here:
https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
Thanks, Paul
Op 6-4-2018 om 13:52 schreef Paul Hecker:
Hi,
Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).
In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
You can find my config here:
https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
That would be possible using the following SMTP AUTH feature:
https://tools.ietf.org/html/rfc4954#section-5
Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box.
The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently.
I can try this in a few days. Feel free to experiment with this yourself.
Regards,
Stephan.
Hi,
Thanks you very much. This did the trick!
On 6. Apr 2018, at 15:56, Stephan Bosch <stephan@rename-it.nl> wrote:
Op 6-4-2018 om 13:52 schreef Paul Hecker:
Hi,
Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).
In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
You can find my config here:
https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
That would be possible using the following SMTP AUTH feature:
https://tools.ietf.org/html/rfc4954#section-5
Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box.
Here is what I did:
I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently.
I can confirm that it works (only with TLS with my current configuration, see above).
I can try this in a few days. Feel free to experiment with this yourself.
Regards,
Stephan.
Thanks again, Paul
Hi Paul,
Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??
I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
Thanks in advance.
On 6 April 2018 at 19:15, Paul Hecker <paul@iwascoding.com> wrote:
Hi,
Thanks you very much. This did the trick!
On 6. Apr 2018, at 15:56, Stephan Bosch <stephan@rename-it.nl> wrote:
Op 6-4-2018 om 13:52 schreef Paul Hecker:
Hi,
Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).
In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
You can find my config here:
https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
That would be possible using the following SMTP AUTH feature:
https://tools.ietf.org/html/rfc4954#section-5
Which is apparently supported by Exim: https://www.exim.org/exim- html-current/doc/html/spec_html/ch-smtp_authentication. html#SECTauthparamail This requires explicit configuration, so it will not work out of the box.
Here is what I did:
I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
The Dovecot Submission service should support this too. It sends an AUTH
parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently.
I can confirm that it works (only with TLS with my current configuration, see above).
I can try this in a few days. Feel free to experiment with this yourself.
Regards,
Stephan.
Thanks again, Paul
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
Hi,
On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo@gmail.com> wrote:
Hi Paul,
Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??
here the steps I have done to integrate Dovecot submission in Exim:
- Create and set the acl_smtp_mailauth ACL:
acl_smtp_mailauth = acl_check_mailauth
acl_check_mailauth: accept hosts = <; 127.0.0.1 ; ::1 condition = ${if eq{$interface_port}{10025}} log_message = Will accept MAIL AUTH parameter for $authenticated_sender
deny
add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
deny condition = ${if eq{$interface_port}{10025}} condition = ${if eq{$authenticated_sender}{}} message = All connections on port $interface_port need MAIL AUTH sender
in Dovecot, add the following submission parameters
submission_relay_port = 10025 submission_relay_ssl = starttls submission_relay_ssl_verify = no
All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:
https://wiki.dovecot.org/Submission
Feel free is you have any further questions.
Regards, Paul
I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
Thanks in advance.
On 6 April 2018 at 19:15, Paul Hecker <paul@iwascoding.com> wrote: Hi,
Thanks you very much. This did the trick!
On 6. Apr 2018, at 15:56, Stephan Bosch <stephan@rename-it.nl> wrote:
Op 6-4-2018 om 13:52 schreef Paul Hecker:
Hi,
Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).
In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
You can find my config here:
https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
That would be possible using the following SMTP AUTH feature:
https://tools.ietf.org/html/rfc4954#section-5
Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box.
Here is what I did:
I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently.
I can confirm that it works (only with TLS with my current configuration, see above).
I can try this in a few days. Feel free to experiment with this yourself.
Regards,
Stephan.
Thanks again, Paul
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
Hi,
Anyone know how to enable this SMTP AUTH feature with Postfix?
Regards,
Jacky
On 7/4/2018 3:40 AM, Paul Hecker wrote:
Hi,
On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo@gmail.com> wrote:
Hi Paul,
Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim?? here the steps I have done to integrate Dovecot submission in Exim:
- Create and set the acl_smtp_mailauth ACL:
acl_smtp_mailauth = acl_check_mailauth
acl_check_mailauth: accept hosts = <; 127.0.0.1 ; ::1 condition = ${if eq{$interface_port}{10025}} log_message = Will accept MAIL AUTH parameter for $authenticated_sender deny
add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
deny condition = ${if eq{$interface_port}{10025}} condition = ${if eq{$authenticated_sender}{}} message = All connections on port $interface_port need MAIL AUTH sender
in Dovecot, add the following submission parameters
submission_relay_port = 10025 submission_relay_ssl = starttls submission_relay_ssl_verify = no
All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:
https://wiki.dovecot.org/Submission
Feel free is you have any further questions.
Regards, Paul
I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
Thanks in advance.
On 6 April 2018 at 19:15, Paul Hecker <paul@iwascoding.com> wrote: Hi,
Thanks you very much. This did the trick!
On 6. Apr 2018, at 15:56, Stephan Bosch <stephan@rename-it.nl> wrote:
Op 6-4-2018 om 13:52 schreef Paul Hecker:
Hi,
Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).
In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
You can find my config here:
https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8 That would be possible using the following SMTP AUTH feature:
https://tools.ietf.org/html/rfc4954#section-5
Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box. Here is what I did:
I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently. I can confirm that it works (only with TLS with my current configuration, see above).
I can try this in a few days. Feel free to experiment with this yourself.
Regards,
Stephan. Thanks again, Paul
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
Hi Jacky,
in postfix/main.cf you typically set something like
smtpd_sasl_auth_enable=yes smtpd_sasl_type=cyrus smtpd_sasl_exceptions_networks=$mynetworks smtpd_sasl_security_options=noanonymous smtpd_sasl_authenticated_header=yes broken_sasl_auth_clients=yes smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended
postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.
http://www.postfix.org/SASL_README.html https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
Best regards Gerald
Am 09.01.2019 um 10:15 schrieb Jacky <jacky@jesstech.com>:
Hi,
Anyone know how to enable this SMTP AUTH feature with Postfix?
Regards,
Jacky
On 7/4/2018 3:40 AM, Paul Hecker wrote:
Hi,
On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo@gmail.com> wrote:
Hi Paul,
Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim?? here the steps I have done to integrate Dovecot submission in Exim:
- Create and set the acl_smtp_mailauth ACL:
acl_smtp_mailauth = acl_check_mailauth
acl_check_mailauth: accept hosts = <; 127.0.0.1 ; ::1 condition = ${if eq{$interface_port}{10025}} log_message = Will accept MAIL AUTH parameter for $authenticated_sender deny
add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
deny condition = ${if eq{$interface_port}{10025}} condition = ${if eq{$authenticated_sender}{}} message = All connections on port $interface_port need MAIL AUTH sender
in Dovecot, add the following submission parameters
submission_relay_port = 10025 submission_relay_ssl = starttls submission_relay_ssl_verify = no
All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:
https://wiki.dovecot.org/Submission
Feel free is you have any further questions.
Regards, Paul
I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
Thanks in advance.
On 6 April 2018 at 19:15, Paul Hecker <paul@iwascoding.com> wrote: Hi,
Thanks you very much. This did the trick!
On 6. Apr 2018, at 15:56, Stephan Bosch <stephan@rename-it.nl> wrote:
Op 6-4-2018 om 13:52 schreef Paul Hecker:
Hi,
Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).
In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
You can find my config here:
https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8 That would be possible using the following SMTP AUTH feature:
https://tools.ietf.org/html/rfc4954#section-5
Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box. Here is what I did:
I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently. I can confirm that it works (only with TLS with my current configuration, see above).
I can try this in a few days. Feel free to experiment with this yourself.
Regards,
Stephan. Thanks again, Paul
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
Hi Gerald,
in my postfix/main.cf
smtpd_sasl_authenticated_header = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client broken_sasl_auth_clients = yes
I am already using dovecot for SASL
The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM
MAIL FROM:<jacky@xxx.com> AUTH=jacky@xxx.com SIZE=1430
But, it seems that postfix does not accept the AUTH= parameter and reject the sender as no logged in.
Best regards,
Jacky
On 9/1/2019 5:49 PM, Gerald Galster wrote:
Hi Jacky,
in postfix/main.cf you typically set something like
smtpd_sasl_auth_enable=yes smtpd_sasl_type=cyrus smtpd_sasl_exceptions_networks=$mynetworks smtpd_sasl_security_options=noanonymous smtpd_sasl_authenticated_header=yes broken_sasl_auth_clients=yes smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended
postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.
http://www.postfix.org/SASL_README.html https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
Best regards Gerald
Am 09.01.2019 um 10:15 schrieb Jacky <jacky@jesstech.com>:
Hi,
Anyone know how to enable this SMTP AUTH feature with Postfix?
Regards,
Jacky
On 7/4/2018 3:40 AM, Paul Hecker wrote:
Hi,
On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo@gmail.com> wrote:
Hi Paul,
Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim?? here the steps I have done to integrate Dovecot submission in Exim:
- Create and set the acl_smtp_mailauth ACL:
acl_smtp_mailauth = acl_check_mailauth
acl_check_mailauth: accept hosts = <; 127.0.0.1 ; ::1 condition = ${if eq{$interface_port}{10025}} log_message = Will accept MAIL AUTH parameter for $authenticated_sender deny
add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
deny condition = ${if eq{$interface_port}{10025}} condition = ${if eq{$authenticated_sender}{}} message = All connections on port $interface_port need MAIL AUTH sender
in Dovecot, add the following submission parameters
submission_relay_port = 10025 submission_relay_ssl = starttls submission_relay_ssl_verify = no
All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:
https://wiki.dovecot.org/Submission
Feel free is you have any further questions.
Regards, Paul
I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
Thanks in advance.
On 6 April 2018 at 19:15, Paul Hecker <paul@iwascoding.com> wrote: Hi,
Thanks you very much. This did the trick!
On 6. Apr 2018, at 15:56, Stephan Bosch <stephan@rename-it.nl> wrote:
Op 6-4-2018 om 13:52 schreef Paul Hecker:
Hi,
Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).
In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
You can find my config here:
https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8 That would be possible using the following SMTP AUTH feature:
https://tools.ietf.org/html/rfc4954#section-5
Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box. Here is what I did:
I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently. I can confirm that it works (only with TLS with my current configuration, see above).
I can try this in a few days. Feel free to experiment with this yourself.
Regards,
Stephan. Thanks again, Paul
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
Hi Jacky,
if postfix did not log a specific error to your maillog you could change smtpd to smtpd -v in master.cf to get more debug output or use debug_peer_list to see what smtp commands are sent:
http://www.postfix.org/DEBUG_README.html
Typically smtp auth looks like this:
S: 220 smtp.example.com ESMTP server ready C: EHLO jgm.example.com S: 250-smtp.example.com S: 250 AUTH CRAM-MD5 DIGEST-MD5 C: AUTH FOOBAR S: 504 Unrecognized authentication type.
or
C: AUTH CRAM-MD5 S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4= C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ== S: 235 Authentication successful.
C = client, S = server
Depending on your setup the password (maybe base64 encoded) or hash must also be sent for verification.
Or you could try to authenticate with a master user for all connections by setting
submission_relay_master_user = submission_relay_password =
in dovecot, see https://wiki.dovecot.org/Submission
Best regards Gerald
Am 09.01.2019 um 11:08 schrieb Jacky <jacky@jesstech.com>:
Hi Gerald,
in my postfix/main.cf
smtpd_sasl_authenticated_header = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client broken_sasl_auth_clients = yes
I am already using dovecot for SASL
The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM
MAIL FROM:<jacky@xxx.com> AUTH=jacky@xxx.com SIZE=1430
But, it seems that postfix does not accept the AUTH= parameter and reject the sender as no logged in.
Best regards,
Jacky
On 9/1/2019 5:49 PM, Gerald Galster wrote:
Hi Jacky,
in postfix/main.cf you typically set something like
smtpd_sasl_auth_enable=yes smtpd_sasl_type=cyrus smtpd_sasl_exceptions_networks=$mynetworks smtpd_sasl_security_options=noanonymous smtpd_sasl_authenticated_header=yes broken_sasl_auth_clients=yes smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended
postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.
http://www.postfix.org/SASL_README.html https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
Best regards Gerald
Am 09.01.2019 um 10:15 schrieb Jacky <jacky@jesstech.com>:
Hi,
Anyone know how to enable this SMTP AUTH feature with Postfix?
Regards,
Jacky
On 7/4/2018 3:40 AM, Paul Hecker wrote:
Hi,
On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo@gmail.com> wrote:
Hi Paul,
Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim?? here the steps I have done to integrate Dovecot submission in Exim:
- Create and set the acl_smtp_mailauth ACL:
acl_smtp_mailauth = acl_check_mailauth
acl_check_mailauth: accept hosts = <; 127.0.0.1 ; ::1 condition = ${if eq{$interface_port}{10025}} log_message = Will accept MAIL AUTH parameter for $authenticated_sender deny
add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
deny condition = ${if eq{$interface_port}{10025}} condition = ${if eq{$authenticated_sender}{}} message = All connections on port $interface_port need MAIL AUTH sender
in Dovecot, add the following submission parameters
submission_relay_port = 10025 submission_relay_ssl = starttls submission_relay_ssl_verify = no
All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:
https://wiki.dovecot.org/Submission
Feel free is you have any further questions.
Regards, Paul
I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
Thanks in advance.
On 6 April 2018 at 19:15, Paul Hecker <paul@iwascoding.com> wrote: Hi,
Thanks you very much. This did the trick!
On 6. Apr 2018, at 15:56, Stephan Bosch <stephan@rename-it.nl> wrote:
Op 6-4-2018 om 13:52 schreef Paul Hecker: > Hi, > > Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me). > > In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost). > > Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password? > > You can find my config here: > > https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8 That would be possible using the following SMTP AUTH feature:
https://tools.ietf.org/html/rfc4954#section-5
Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentica... This requires explicit configuration, so it will not work out of the box. Here is what I did:
I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently. I can confirm that it works (only with TLS with my current configuration, see above).
I can try this in a few days. Feel free to experiment with this yourself.
Regards,
Stephan. Thanks again, Paul
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft."
On Wed, 9 Jan 2019 at 13:09, Jacky <jacky@jesstech.com> wrote:
Hi Gerald,
in my postfix/main.cf
smtpd_sasl_authenticated_header = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client broken_sasl_auth_clients = yes
I am already using dovecot for SASL
The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM
MAIL FROM:<jacky@xxx.com> AUTH=jacky@xxx.com SIZE=1430
But, it seems that postfix does not accept the AUTH= parameter and reject the sender as no logged in.
Best regards,
Jacky
Hi Jacky,
Your question belongs to postfix mailinng list.
Anyway, the last time I was playing with postfix (I am an Exim user normally), I had to check that: smtpd_sasl_path = /var/run/dovecot/auth-client
..the socket is readable by the postfix user:
So, check 10-master.conf for the socket. Something like:
# Postfix smtp-auth unix_listener var/run/dovecot/auth-client { mode = 0666 }
Restart dovecot and see...
You can read the https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
Hi Gerald and Odhiambo Washington,
Thank you for your suggestions and will try them out.
Best regards,
Jacky
On 9/1/2019 6:38 PM, Odhiambo Washington wrote:
On Wed, 9 Jan 2019 at 13:09, Jacky <jacky@jesstech.com <mailto:jacky@jesstech.com>> wrote:
Hi Gerald, in my postfix/main.cf <http://main.cf> smtpd_sasl_authenticated_header = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client broken_sasl_auth_clients = yes I am already using dovecot for SASL The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM MAIL FROM:<jacky@xxx.com <mailto:jacky@xxx.com>> AUTH=jacky@xxx.com <mailto:jacky@xxx.com> SIZE=1430 But, it seems that postfix does not accept the AUTH= parameter and reject the sender as no logged in. Best regards, Jacky
Hi Jacky,
Your question belongs to postfix mailinng list.
Anyway, the last time I was playing with postfix (I am an Exim user normally), I had to check that: smtpd_sasl_path = /var/run/dovecot/auth-client
..the socket is readable by the postfix user:
So, check 10-master.conf for the socket. Something like:
# Postfix smtp-auth unix_listener var/run/dovecot/auth-client { mode = 0666 }
Restart dovecot and see...
You can read the https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
Hi,
Just found out that Postfix does not implement/support the AUTH=sender parameter.
So, back to Dovecot, can we use variables in the
submission_relay_user = submission_relay_password =
then Dovecot will forward the username and password information of the current user to the Postfix submission service for authentication?
Best regards,
Jacky
On 10/1/2019 10:46 AM, Jacky wrote:
Hi Gerald and Odhiambo Washington,
Thank you for your suggestions and will try them out.
Best regards,
Jacky
On 9/1/2019 6:38 PM, Odhiambo Washington wrote:
On Wed, 9 Jan 2019 at 13:09, Jacky <jacky@jesstech.com <mailto:jacky@jesstech.com>> wrote:
Hi Gerald, in my postfix/main.cf <http://main.cf> smtpd_sasl_authenticated_header = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client broken_sasl_auth_clients = yes I am already using dovecot for SASL The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM MAIL FROM:<jacky@xxx.com <mailto:jacky@xxx.com>> AUTH=jacky@xxx.com <mailto:jacky@xxx.com> SIZE=1430 But, it seems that postfix does not accept the AUTH= parameter and reject the sender as no logged in. Best regards, Jacky
Hi Jacky,
Your question belongs to postfix mailinng list.
Anyway, the last time I was playing with postfix (I am an Exim user normally), I had to check that: smtpd_sasl_path = /var/run/dovecot/auth-client
..the socket is readable by the postfix user:
So, check 10-master.conf for the socket. Something like:
# Postfix smtp-auth unix_listener var/run/dovecot/auth-client { mode = 0666 }
Restart dovecot and see...
You can read the https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
Op 11/01/2019 om 02:52 schreef Jacky:
Hi,
Just found out that Postfix does not implement/support the AUTH=sender parameter.
So, back to Dovecot, can we use variables in the
submission_relay_user = submission_relay_password =
No, that is not supported. :/
then Dovecot will forward the username and password information of the current user to the Postfix submission service for authentication?
Would Postfix do something with the XCLIENT LOGIN field in that regard?
(Note that 2.3.4 messes up XCLIENT in several ways, so --- if Postfix can do this --- you'll have to wait for the next release).
Regards,
Stephan.
Best regards,
Jacky
On 10/1/2019 10:46 AM, Jacky wrote:
Hi Gerald and Odhiambo Washington,
Thank you for your suggestions and will try them out.
Best regards,
Jacky
On 9/1/2019 6:38 PM, Odhiambo Washington wrote:
On Wed, 9 Jan 2019 at 13:09, Jacky <jacky@jesstech.com <mailto:jacky@jesstech.com>> wrote:
Hi Gerald, in my postfix/main.cf <http://main.cf> smtpd_sasl_authenticated_header = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = $myhostname smtpd_sasl_type = dovecot smtpd_sasl_path = /var/run/dovecot/auth-client broken_sasl_auth_clients = yes I am already using dovecot for SASL The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM MAIL FROM:<jacky@xxx.com <mailto:jacky@xxx.com>> AUTH=jacky@xxx.com <mailto:jacky@xxx.com> SIZE=1430 But, it seems that postfix does not accept the AUTH= parameter and reject the sender as no logged in. Best regards, Jacky
Hi Jacky,
Your question belongs to postfix mailinng list.
Anyway, the last time I was playing with postfix (I am an Exim user normally), I had to check that: smtpd_sasl_path = /var/run/dovecot/auth-client
..the socket is readable by the postfix user:
So, check 10-master.conf for the socket. Something like:
# Postfix smtp-auth unix_listener var/run/dovecot/auth-client { mode = 0666 }
Restart dovecot and see...
You can read the https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", grep ^[^#] :-)
participants (5)
-
Gerald Galster
-
Jacky
-
Odhiambo Washington
-
Paul Hecker
-
Stephan Bosch