Dovecot Submission Proxy Auth

Gerald Galster list+dovecot at gcore.biz
Wed Jan 9 12:33:05 EET 2019


Hi Jacky,

If postfix did not log a specific error to your maillog, you could change smtpd to smtpd -v in master.cf to get more debug output, or use debug_peer_list to see what SMTP commands are sent:

http://www.postfix.org/DEBUG_README.html

Typically smtp auth looks like this:

S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com
S: 250-smtp.example.com
S: 250 AUTH CRAM-MD5 DIGEST-MD5
C: AUTH FOOBAR
S: 504 Unrecognized authentication type.

or

C: AUTH CRAM-MD5
S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
S: 235 Authentication successful.

C = client, S = server

Depending on your setup, the password (maybe base64 encoded) or hash must also be sent for verification.

Or you could try to authenticate with a master user for all connections by setting

submission_relay_master_user =
submission_relay_password =

in dovecot, see https://wiki.dovecot.org/Submission

Best regards
Gerald



> Am 09.01.2019 um 11:08 schrieb Jacky <jacky at jesstech.com>:
> 
> Hi Gerald,
> 
> in my postfix/main.cf
> 
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = /var/run/dovecot/auth-client
> broken_sasl_auth_clients = yes
> 
> I am already using dovecot for SASL
> 
> The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM
> 
> MAIL FROM:<jacky at xxx.com> AUTH=jacky at xxx.com SIZE=1430
> 
> But, it seems that postfix does not accept the AUTH= parameter and rejects the sender as not logged in.
> 
> 
> Best regards,
> 
> Jacky
> 
> 
> 
> On 9/1/2019 5:49 PM, Gerald Galster wrote:
>> Hi Jacky,
>> 
>> in postfix/main.cf you typically set something like
>> 
>> smtpd_sasl_auth_enable=yes
>> smtpd_sasl_type=cyrus
>> smtpd_sasl_exceptions_networks=$mynetworks
>> smtpd_sasl_security_options=noanonymous
>> smtpd_sasl_authenticated_header=yes
>> broken_sasl_auth_clients=yes
>> smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
>> 
>> smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended
>> 
>> postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.
>> 
>> http://www.postfix.org/SASL_README.html
>> https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
>> 
>> Best regards
>> Gerald
>> 
>>> Am 09.01.2019 um 10:15 schrieb Jacky <jacky at jesstech.com>:
>>> 
>>> Hi,
>>> 
>>> Anyone know how to enable this SMTP AUTH feature with Postfix?
>>> 
>>> Regards,
>>> 
>>> Jacky
>>> 
>>> 
>>> On 7/4/2018 3:40 AM, Paul Hecker wrote:
>>>> Hi,
>>>> 
>>>>> On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo at gmail.com> wrote:
>>>>> 
>>>>> Hi Paul,
>>>>> 
>>>>> Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??
>>>> Here are the steps I have done to integrate Dovecot submission in Exim:
>>>> 
>>>> - Create and set the acl_smtp_mailauth ACL:
>>>> 
>>>> acl_smtp_mailauth = acl_check_mailauth
>>>> 
>>>> acl_check_mailauth:
>>>>   accept
>>>>     hosts          = <; 127.0.0.1 ; ::1
>>>>     condition      = ${if eq{$interface_port}{10025}}
>>>>     log_message    = Will accept MAIL AUTH parameter for $authenticated_sender
>>>>   deny
>>>> 
>>>> 
>>>> - add a deny for all connections to 10025 without the MAIL AUTH parameter in the acl_smtp_mail ACL:
>>>> 
>>>>   deny
>>>>     condition      = ${if eq{$interface_port}{10025}}
>>>>     condition      = ${if eq{$authenticated_sender}{}}
>>>>     message        = All connections on port $interface_port need MAIL AUTH sender
>>>> 
>>>> - in Dovecot, add the following submission parameters
>>>> 
>>>> submission_relay_port = 10025
>>>> submission_relay_ssl = starttls
>>>> submission_relay_ssl_verify = no
>>>> 
>>>> All the remaining parts of the Dovecot config are the default for the submission protocol/service, copied either from the sources (default config) or from here:
>>>> 
>>>> https://wiki.dovecot.org/Submission
>>>> 
>>>> Feel free to ask if you have any further questions.
>>>> 
>>>> Regards,
>>>> Paul
>>>> 
>>>> 
>>>>> I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
>>>>> 
>>>>> Thanks in advance.
>>>>> 
>>>>> 
>>>>> On 6 April 2018 at 19:15, Paul Hecker <paul at iwascoding.com> wrote:
>>>>> Hi,
>>>>> 
>>>>> Thank you very much. This did the trick!
>>>>> 
>>>>>> On 6. Apr 2018, at 15:56, Stephan Bosch <stephan at rename-it.nl> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Op 6-4-2018 om 13:52 schreef Paul Hecker:
>>>>>>> Hi,
>>>>>>> 
>>>>>>> Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. The reason I need it is sender spoofing (I do not want my employees to send messages on my behalf).
>>>>>>> 
>>>>>>> In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
>>>>>>> 
>>>>>>> Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
>>>>>>> 
>>>>>>> You can find my config here:
>>>>>>> 
>>>>>>> https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
>>>>>> That would be possible using the following SMTP AUTH feature:
>>>>>> 
>>>>>> https://tools.ietf.org/html/rfc4954#section-5
>>>>>> 
>>>>>> Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail
>>>>>> This requires explicit configuration, so it will not work out of the box.
>>>>> Here is what I did:
>>>>> 
>>>>> I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
>>>>> 
>>>>> Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
>>>>> 
>>>>>> The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only when the username is a valid SMTP address). However, I must say, I haven't tested this recently.
>>>>> I can confirm that it works (only with TLS with my current configuration, see above).
>>>>> 
>>>>>> I can try this in a few days. Feel free to experiment with this yourself.
>>>>>> 
>>>>>> Regards,
>>>>>> 
>>>>>> Stephan.
>>>>> Thanks again,
>>>>> Paul
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> Best regards,
>>>>> Odhiambo WASHINGTON,
>>>>> Nairobi,KE
>>>>> +254 7 3200 0004/+254 7 2274 3223
>>>>> "Oh, the cruft."
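Added example (not from the thread, and not Exim or Dovecot code): a small Python model of the policy Paul's Exim ACLs implement, parsing the "MAIL FROM:<...> AUTH=..." line Jacky quoted (RFC 4954 section 5; the AUTH value is xtext-encoded) and refusing, on the relay port, MAIL commands that carry no AUTH= or whose envelope sender differs from the authenticated sender. RELAY_PORT, the function names and the example.com addresses are assumptions; the sender-must-match rule is the anti-spoofing goal Paul describes, not an ACL the thread shows.

```python
import re

RELAY_PORT = 10025  # Dovecot's submission_relay_port from the thread (assumed constant name)


def xtext_decode(s):
    """Decode the xtext encoding (RFC 3461) used for the AUTH= value: +HH is a hex escape."""
    return re.sub(r"\+([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_mail_from(line):
    """Split 'MAIL FROM:<reverse-path> KEY=VALUE ...' into envelope sender and ESMTP parameters."""
    m = re.match(r"MAIL FROM:\s*<([^>]*)>(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a MAIL FROM command: %r" % line)
    params = {}
    for token in m.group(2).split():
        key, _, value = token.partition("=")
        params[key.upper()] = value
    auth = params.get("AUTH")
    return {"from": m.group(1), "params": params,
            "auth": xtext_decode(auth) if auth is not None else None}


def check_relay(line, interface_port, peer_is_loopback):
    """Simplified policy modelled on the two Exim ACLs in the thread (assumption, not Exim):
    - the AUTH= parameter is trusted only from loopback on the relay port (acl_smtp_mailauth);
    - on the relay port a MAIL without a usable AUTH= is refused (the deny in acl_smtp_mail);
    - anti-spoofing: the envelope sender must equal the authenticated sender.
    Returns (accepted, reason)."""
    msg = parse_mail_from(line)
    auth = msg["auth"]
    if not (interface_port == RELAY_PORT and peer_is_loopback):
        auth = None  # mailauth ACL did not accept: the AUTH parameter is ignored
    if interface_port == RELAY_PORT:
        if auth is None or auth == "<>":
            return False, "All connections on port %d need MAIL AUTH sender" % interface_port
        if auth.lower() != msg["from"].lower():
            return False, "%s may not send as %s" % (auth, msg["from"])
    return True, "accepted (authenticated sender: %s)" % (auth or "none")


if __name__ == "__main__":
    # Constructed samples modelled on the line Jacky quoted (the archive rewrites '@' as ' at ').
    print(check_relay("MAIL FROM:<jacky@example.com> AUTH=jacky@example.com SIZE=1430", 10025, True))
    print(check_relay("MAIL FROM:<jacky@example.com> SIZE=1430", 10025, True))
    print(check_relay("MAIL FROM:<boss@example.com> AUTH=jacky@example.com", 10025, True))
```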