submission configuration issues

Bob Gustafson bobgus at rcn.com
Sat Jul 27 23:39:39 EEST 2019


service submission-login {
   inet_listener submissions {
     haproxy = no
     port = 465
     reuse_port = no
     ssl = yes
   }
}

Shouldn't the port be 587 here?

My config file looks like:

service submission-login {
   inet_listener submission {
     #port = 587
   }
}

The # comment must also mean something..

On 7/27/19 3:21 PM, Jean-Daniel via dovecot wrote:
>
>
>> On 27 Jul 2019 at 14:30, Stephan Bosch <stephan at rename-it.nl> wrote:
>>
>> On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
>>> Hello,
>>>
>>> I'm having trouble configuring the submission proxy.
>>>
>>> I have configured the submission service as follows:
>>>
>>> submission_host = smtp.example.com
>>> submission_relay_host = localhost
>>> submission_relay_port = 8587
>>> submission_relay_rawlog_dir = /var/log/dovecot/
>>> submission_relay_trusted = yes
>>>
>>> My main issue is that until I log in, dovecot-submission won't 
>>> connect to the backend and query the capabilities and so won't 
>>> report the right capabilities.
>>>
>>> That means that the first EHLO message doesn't get the right 
>>> capabilities list.
>>>
>>> "
>>> EHLO example.com
>>>
>>> 250-smtp.example.com
>>> 250-8BITMIME
>>> 250-AUTH PLAIN LOGIN
>>> 250-BURL imap
>>> 250-CHUNKING
>>> 250-ENHANCEDSTATUSCODES
>>> 250-SIZE
>>> 250 PIPELINING
>>> "
>>>
>>> This list doesn't contain VRFY, DNS, and SIZE is not specified (all 
>>> of these are present in the backend EHLO response).
>>> After login, if I send a new EHLO command, everything is properly 
>>> reported. The raw log shows that, unlike what the documentation says,
>>> dovecot doesn't try to connect to the backend until the user is 
>>> properly logged in.
>>>
>>> In my raw log I see that after I logged in to dovecot-submission, the 
>>> latter opens a connection to the backend and sends an X-CLIENT command.
>>>
>>>
>>> Now, if I try to force the capabilities by using:
>>>
>>> submission_backend_capabilities = VRFY 8BITMIME DSN
>>>
>>> dovecot properly reports all SMTP capabilities in the first EHLO 
>>> response, but it completely stops emitting the X-CLIENT command to the 
>>> backend
>>> and tries to simply forward the command without authentication, which 
>>> results in postfix rejecting the command with an unauthorized user error.
>>>
>>> What is wrong with my configuration?
>>> Thanks.
>>
>> Can you send us your complete configuration (output from `dovecot -n`)?
>
> Yes (see below).
>
> Some additional information:
>
> ===============
>
> When I connect directly to dovecot-submission using nc and send an 
> EHLO command, I got the following result (the SIZE is configured in 
> dovecot config, that’s why it is properly announced), but no raw_log 
> are generated at all.
>
> $ nc smtp.example.com 587
>
> 220 smtp.example.com Dovecot ready.
> EHLO mydomain.com
> 250-smtp.example.com
> 250-8BITMIME
> 250-AUTH
> 250-BURL imap
> 250-CHUNKING
> 250-ENHANCEDSTATUSCODES
> 250-SIZE 41943040
> 250-STARTTLS
> 250 PIPELINING
> QUIT
> 221 2.0.0 Bye
>
> ===============
>
> Ditto if I use openssl s_client -starttls smtp -crlf -connect 
> smtp.example.com:587 and send the EHLO after STARTTLS.
>
> ===============
>
> For the record, here is the result of a direct connect to postfix:
>
> $ nc 127.0.0.1 8587
> 220 smtp.example.com ESMTP Postfix
> EHLO example.com
> 250-smtp.example.com
> 250-PIPELINING
> 250-SIZE 41943040
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250-DSN
> 250 SMTPUTF8
>
> ===============
>
> And here is the content of the raw logs when a mail is sent.
>
> ======== rawlog.in
>
> 1564258521.813430 220 smtp.example.com ESMTP Postfix
> 1564258521.814206 250-smtp.example.com
> 1564258521.814206 250-PIPELINING
> 1564258521.814206 250-SIZE 41943040
> 1564258521.814206 250-VRFY
> 1564258521.814206 250-ETRN
> 1564258521.814206 250-STARTTLS
> 1564258521.814206 250-AUTH PLAIN LOGIN
> 1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
> 1564258521.814206 250-ENHANCEDSTATUSCODES
> 1564258521.814206 250-8BITMIME
> 1564258521.814206 250-DSN
> 1564258521.814206 250 SMTPUTF8
> 1564258521.848159 220 smtp.example.com ESMTP Postfix
> 1564258521.849506 250-smtp.example.com
> 1564258521.849506 250-PIPELINING
> 1564258521.849506 250-SIZE 41943040
> 1564258521.849506 250-VRFY
> 1564258521.849506 250-ETRN
> 1564258521.849506 250-STARTTLS
> 1564258521.849506 250-AUTH PLAIN LOGIN
> 1564258521.849506 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
> 1564258521.849506 250-ENHANCEDSTATUSCODES
> 1564258521.849506 250-8BITMIME
> 1564258521.849506 250-DSN
> 1564258521.849506 250 SMTPUTF8
> 1564258521.854093 250 2.1.0 Ok
> 1564258521.909487 250 2.1.5 Ok
> 1564258521.983093 354 End data with <CR><LF>.<CR><LF>
> 1564258522.115312 250 2.0.0 Ok: queued as DDBCCD53B
>
> ======== rawlog.out
>
> 1564258521.813739 EHLO smtp.example.com
> 1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66
> 1564258521.848701 EHLO smtp.example.com
> 1564258521.850122 MAIL FROM:<service at example.com> AUTH=info
> 1564258521.889896 RCPT TO:<jddupas at xooloo.com>
> 1564258521.981094 DATA
> 1564258521.983757 Received: from [10.188.153.106] ([46.193.33.66])
> 1564258521.983757 by smtp.example.com with ESMTPSA
> 1564258521.983757 id cSDvMtmwPF14TAAABU9jsA
> 1564258521.983757 (envelope-from <service at example.com>)
> 1564258521.983757 for <jddupas at xooloo.com>; Sat, 27 Jul 2019 22:15:21 +0200
> 1564258521.984065 From: Jean-Daniel Dupas <service at example.com>
> 1564258521.984065 Content-Type: text/plain
> 1564258521.984065 Content-Transfer-Encoding: 7bit
> 1564258521.984065 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
> 1564258521.984065 Subject: Send test
> 1564258521.984065 Message-Id: <827EAD17-6C27-4BDF-AD94-F106E37745C1 at example.com>
> 1564258521.984065 Date: Sat, 27 Jul 2019 22:15:19 +0200
> 1564258521.984065 To: Jean-Daniel Dupas <jddupas at xooloo.com>
> 1564258521.984065 X-Mailer: Apple Mail (2.3445.104.11)
> 1564258521.984065
> 1564258521.984280 .
> 1564258543.105429 QUIT
>
>
> ================== doveconf -n
>
> # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.7.1 (db5c74be)
> # OS: Linux 4.15.0-55-generic x86_64 Ubuntu 18.04.2 LTS
> # Hostname: example.com
> auth_mechanisms = plain login
> auth_verbose = yes
> hostname = smtp.example.com
> imap_hibernate_timeout = 1 mins
> mail_attribute_dict = file:%h/metadata
> mail_gid = vmail
> mail_location = mdbox:~/mail
> mail_plugins = fts fts_xapian
> mail_server_admin = mailto:sysadmin at example.com
> mail_uid = vmail
> managesieve_notify_capability = mailto
> managesieve_sieve_capability = fileinto reject envelope 
> encoded-character vacation subaddress comparator-i;ascii-numeric 
> relational regex imap4flags copy include variables body enotify 
> environment mailbox date index ihave duplicate mime foreverypart 
> extracttext imapsieve vnd.dovecot.imapsieve
> namespace inbox {
>   inbox = yes
>   location =
>   mailbox Archive {
>     auto = subscribe
>     special_use = \Archive
>   }
>   mailbox Drafts {
>     auto = subscribe
>     special_use = \Drafts
>   }
>   mailbox Junk {
>     auto = subscribe
>     special_use = \Junk
>   }
>   mailbox Sent {
>     auto = subscribe
>     special_use = \Sent
>   }
>   mailbox Trash {
>     auto = subscribe
>     special_use = \Trash
>   }
>   prefix =
>   separator = /
> }
> passdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> plugin {
>   fts = xapian
>   fts_autoindex = yes
>   fts_autoindex_exclude = \Junk
>   fts_autoindex_exclude2 = \Trash
>   fts_enforced = yes
>   fts_languages = fr en
>   fts_xapian = partial=2 full=20
>   imapsieve_mailbox1_before = file:/var/lib/vmail/imapsieve/learn-spam.sieve
>   imapsieve_mailbox1_causes = COPY
>   imapsieve_mailbox1_name = Junk
>   imapsieve_mailbox2_before = file:/var/lib/vmail/imapsieve/learn-ham.sieve
>   imapsieve_mailbox2_causes = COPY
>   imapsieve_mailbox2_from = Junk
>   imapsieve_mailbox2_name = *
>   imapsieve_mailbox3_before = file:/var/lib/vmail/imapsieve/unflag.sieve
>   imapsieve_mailbox3_causes = COPY
>   imapsieve_mailbox3_name = Trash
>   plugin = fts fts_xapian
>   sieve = file:~/sieve;active=~/.dovecot.sieve
>   sieve_after = /var/lib/vmail/sieve-after
>   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
>   sieve_pipe_bin_dir = /var/lib/vmail/sieve-pipe
>   sieve_plugins = sieve_imapsieve sieve_extprograms
> }
> postmaster_address =
> protocols = " imap lmtp sieve submission"
> recipient_delimiter = -
> service auth-worker {
>   user = $default_internal_user
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> service doveadm {
>   vsz_limit = 1 G
> }
> service imap-hibernate {
>   unix_listener imap-hibernate {
>     group = vmail
>     mode = 0660
>   }
>   user = vmail
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>   }
>   process_min_avail = 2
> }
> service imap {
>   unix_listener imap-master {
>     user = vmail
>   }
> }
> service indexer-worker {
>   vsz_limit = 1 G
> }
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>     group = postfix
>     mode = 0600
>     user = postfix
>   }
> }
> service managesieve-login {
>   inet_listener sieve {
>     address = localhost
>   }
> }
> service submission-login {
>   inet_listener submissions {
>     haproxy = no
>     port = 465
>     reuse_port = no
>     ssl = yes
>   }
> }
> ssl_alt_cert = </var/lib/acme/imap.example.com/rsa/cert.pem
> ssl_alt_key = # hidden, use -P to show it
> ssl_cert = </var/lib/acme/imap.example.com/ecdsa/cert.pem
> ssl_cipher_list = 
> TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.1
> ssl_prefer_server_ciphers = yes
> submission_host = smtp.example.com
> submission_max_mail_size = 40 M
> submission_relay_host = localhost
> submission_relay_port = 8587
> submission_relay_trusted = yes
> userdb {
>   driver = prefetch
> }
> userdb {
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>   driver = ldap
> }
> protocol lmtp {
>   mail_plugins = fts fts_xapian sieve
> }
> protocol imap {
>   imap_metadata = yes
>   mail_max_userip_connections = 25
>   mail_plugins = fts fts_xapian imap_zlib imap_sieve
>   namespace inbox {
>     location =
>     mailbox Junk {
>       autoexpunge = 30 days
>     }
>     mailbox Trash {
>       autoexpunge = 30 days
>     }
>     prefix =
>   }
> }
>> Can you send us your complete configuration (output from `dovecot -n`)?
>>
>> Regards,
>>
>> Stephan.
>
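
An added example, not part of the original thread: a small parser that diffs the pre-login EHLO reply from dovecot-submission against the Postfix relay's reply, and checks the XCLIENT attributes seen in rawlog.out against those the relay offers. The inputs are copied from the transcripts quoted above; the function and variable names are this example's own.

```python
# EHLO replies and the XCLIENT line are copied from the transcripts in this thread.
FRONTEND_PRELOGIN = """250-smtp.example.com
250-8BITMIME
250-AUTH
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE 41943040
250-STARTTLS
250 PIPELINING"""
BACKEND = """250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8"""
XCLIENT_SENT = "XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66"

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameter list; the first line is the domain."""
    caps = {}
    for i, line in enumerate(l for l in reply.splitlines() if l.strip()):
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"not a 250 reply line: {line!r}")
        parts = line[4:].split()
        if i > 0 and parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
        if line[3] == " ":
            break  # "250 " with a space marks the last line of the reply
    return caps

def compare(frontend, backend):
    """Diff what the proxy advertises against what the relay advertises."""
    f, b = parse_ehlo(frontend), parse_ehlo(backend)
    return {"backend_only": sorted(set(b) - set(f)),
            "frontend_only": sorted(set(f) - set(b)),
            "param_mismatch": sorted(k for k in set(f) & set(b) if f[k] != b[k])}

def unadvertised_xclient_attrs(backend, xclient_line):
    """XCLIENT attributes the proxy sent that the relay did not offer."""
    offered = set(parse_ehlo(backend).get("XCLIENT", []))
    sent = {kv.split("=", 1)[0].upper() for kv in xclient_line.split()[1:]}
    return sorted(sent - offered)
```

On these inputs, `compare(FRONTEND_PRELOGIN, BACKEND)` lists DSN, ETRN, SMTPUTF8, VRFY and XCLIENT as relay-only, and `unadvertised_xclient_attrs(BACKEND, XCLIENT_SENT)` is empty because every attribute the proxy sent is offered by the relay.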