Dovecot Submission Proxy Auth

Jacky jacky at jesstech.com
Wed Jan 9 12:08:57 EET 2019 

Hi Gerald,

in my postfix/main.cf

smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
broken_sasl_auth_clients = yes

I am already using dovecot for SASL

The dovecot submission service authenticates users and already added the 
AUTH= parameter in the MAIL FROM

MAIL FROM:<jacky at xxx.com> AUTH=jacky at xxx.com SIZE=1430

But, it seems that postfix does not accept the AUTH= parameter and 
reject the sender as no logged in.


Best regards,

Jacky



On 9/1/2019 5:49 PM, Gerald Galster wrote:
> Hi Jacky,
>
> in postfix/main.cf you typically set something like
>
> smtpd_sasl_auth_enable=yes
> smtpd_sasl_type=cyrus
> smtpd_sasl_exceptions_networks=$mynetworks
> smtpd_sasl_security_options=noanonymous
> smtpd_sasl_authenticated_header=yes
> broken_sasl_auth_clients=yes
> smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
>
> smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended
>
> postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.
>
> http://www.postfix.org/SASL_README.html
> https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
>
> Best regards
> Gerald
>
>> Am 09.01.2019 um 10:15 schrieb Jacky <jacky at jesstech.com>:
>>
>> Hi,
>>
>> Anyone know how to enable this SMTP AUTH feature with Postfix?
>>
>> Regards,
>>
>> Jacky
>>
>>
>> On 7/4/2018 3:40 AM, Paul Hecker wrote:
>>> Hi,
>>>
>>>> On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo at gmail.com> wrote:
>>>>
>>>> Hi Paul,
>>>>
>>>> Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??
>>> here the steps I have done to integrate Dovecot submission in Exim:
>>>
>>> - Create and set the acl_smtp_mailauth ACL:
>>>
>>> acl_smtp_mailauth = acl_check_mailauth
>>>
>>> acl_check_mailauth:
>>>    accept
>>>      hosts          = <; 127.0.0.1 ; ::1
>>>      condition      = ${if eq{$interface_port}{10025}}
>>>      log_message    = Will accept MAIL AUTH parameter for $authenticated_sender
>>>         deny
>>>
>>>
>>> - add a deny fo all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
>>>
>>>    deny
>>>      condition      = ${if eq{$interface_port}{10025}}
>>>      condition      = ${if eq{$authenticated_sender}{}}
>>>      message        = All connections on port $interface_port need MAIL AUTH sender
>>>
>>> - in Dovecot, add the following submission parameters
>>>
>>> submission_relay_port = 10025
>>> submission_relay_ssl = starttls
>>> submission_relay_ssl_verify = no
>>>
>>> All the remaining parts of the Dovecot config is the default for submission protocol/service, copied either from the sources (default config) or from here:
>>>
>>> https://wiki.dovecot.org/Submission
>>>
>>> Feel free is you have any further questions.
>>>
>>> Regards,
>>> Paul
>>>
>>>
>>>> I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>> On 6 April 2018 at 19:15, Paul Hecker <paul at iwascoding.com> wrote:
>>>> Hi,
>>>>
>>>> Thanks you very much. This did the trick!
>>>>
>>>>> On 6. Apr 2018, at 15:56, Stephan Bosch <stephan at rename-it.nl> wrote:
>>>>>
>>>>>
>>>>>
>>>>> Op 6-4-2018 om 13:52 schreef Paul Hecker:
>>>>>> Hi,
>>>>>>
>>>>>> Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages in behalf of me).
>>>>>>
>>>>>> In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
>>>>>>
>>>>>> Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
>>>>>>
>>>>>> You can find my config here:
>>>>>>
>>>>>> https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
>>>>> That would be possible using the following SMTP AUTH feature:
>>>>>
>>>>> https://tools.ietf.org/html/rfc4954#section-5
>>>>>
>>>>> Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail
>>>>> This requires explicit configuration, so it will not work out of the box.
>>>> Here is what I did:
>>>>
>>>> I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
>>>>
>>>> Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
>>>>
>>>>> The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only then the username is a valid SMTP address). However, I must say, I haven't tested this recently.
>>>> I can confirm that it works (only with TLS with my current configuration, see above).
>>>>
>>>>> I can try this in a few days. Feel free to experiment with this yourself.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Stephan.
>>>> Thanks again,
>>>> Paul
>>>>
>>>>
>>>>
>>>>
>>>> -- 
>>>> Best regards,
>>>> Odhiambo WASHINGTON,
>>>> Nairobi,KE
>>>> +254 7 3200 0004/+254 7 2274 3223
>>>> "Oh, the cruft."

More information about the dovecot mailing list