submission configuration issues

Jean-Daniel jddupas at xooloo.com
Sun Jul 28 20:56:42 EEST 2019


My configuration has 2 listeners. The default one (submission) is on port 587 (which does not appear in the "dovecot -n" output, as it is the default).

And a second one on port 465 that is configured to use submission over TLS (note the ssl = yes in the configuration and the 's' at the end of the name: submissions).

According to RFC8314 (https://tools.ietf.org/html/rfc8314), this is now the recommended setting:

« In brief, this memo now recommends that:

…

   o  Connections to Mail Submission Servers and Mail Access Servers be
      made using "Implicit TLS" (as defined below), in preference to
      connecting to the "cleartext" port and negotiating TLS using the
      STARTTLS command or a similar command.

»



> On 27 Jul 2019 at 22:39, Bob Gustafson via dovecot <dovecot at dovecot.org> wrote:
> 
> service submission-login {
>   inet_listener submissions {
>     haproxy = no
>     port = 465
>     reuse_port = no
>     ssl = yes
>   }
> }
> 
> Shouldn't the port be 587 here?
> 
> My config file looks like:
> 
> service submission-login {
>   inet_listener submission {
>     #port = 587
>   }
> }
> 
> The # comment must also mean something...
> 
> On 7/27/19 3:21 PM, Jean-Daniel via dovecot wrote:
>>> On 27 Jul 2019 at 14:30, Stephan Bosch <stephan at rename-it.nl> wrote:
>>> 
>>> On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
>>>> Hello,
>>>> 
>>>> I'm having trouble configuring the submission proxy.
>>>> 
>>>> I have configured the submission service as follows:
>>>> 
>>>> submission_host = smtp.example.com
>>>> submission_relay_host = localhost
>>>> submission_relay_port = 8587
>>>> submission_relay_rawlog_dir = /var/log/dovecot/
>>>> submission_relay_trusted = yes
>>>> 
>>>> My main issue is that until I log in, dovecot-submission won't connect to the backend and query the capabilities, and so won't report the right capabilities.
>>>> 
>>>> That means that the first EHLO message doesn't get the right capabilities list.
>>>> 
>>>> "
>>>> EHLO example.com
>>>> 
>>>> 250-smtp.example.com
>>>> 250-8BITMIME
>>>> 250-AUTH PLAIN LOGIN
>>>> 250-BURL imap
>>>> 250-CHUNKING
>>>> 250-ENHANCEDSTATUSCODES
>>>> 250-SIZE
>>>> 250 PIPELINING
>>>> "
>>>> 
>>>> This list doesn't contain VRFY, DSN, and SIZE is not specified (all of these are present in the backend EHLO response).
>>>> After login, if I send a new EHLO command, everything is properly reported. The raw log shows that, unlike what the documentation says,
>>>> dovecot doesn't try to connect to the backend until the user is properly logged in.
>>>> 
>>>> In my raw log I see that after I log in to dovecot-submission, the latter opens a connection to the backend and sends an X-CLIENT command.
>>>> 
>>>> 
>>>> Now, if I try to force the capabilities by using:
>>>> 
>>>> submission_backend_capabilities = VRFY 8BITMIME DSN
>>>> 
>>>> dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting the X-CLIENT command to the backend
>>>> and tries to simply forward the command without authentication, which results in postfix rejecting the command with an unauthorized user error.
>>>> 
>>>> What is wrong with my configuration?
>>>> Thanks.
>>> 
>>> Can you send us your complete configuration (output from `dovecot -n`)?
>> 
>> Yes (see below).
>> 
>> Some additional information:
>> 
>> ===============
>> 
>> When I connect directly to dovecot-submission using nc and send an EHLO command, I get the following result (the SIZE is configured in the dovecot config, that's why it is properly announced), but no raw logs are generated at all.
>> 
>> $ nc smtp.example.com 587
>> 
>> 220 smtp.example.com Dovecot ready.
>> EHLO mydomain.com
>> 250-smtp.example.com
>> 250-8BITMIME
>> 250-AUTH 
>> 250-BURL imap
>> 250-CHUNKING
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE 41943040
>> 250-STARTTLS
>> 250 PIPELINING
>> QUIT
>> 221 2.0.0 Bye
>> 
>> ===============
>> 
>> Ditto if I use openssl s_client -starttls smtp -crlf -connect smtp.example.com:587 and send the EHLO after STARTTLS.
>> 
>> ===============
>> 
>> For the record, here is the result of a direct connect to postfix:
>> 
>> $ nc 127.0.0.1 8587
>> 220 smtp.example.com ESMTP Postfix
>> EHLO example.com
>> 250-smtp.example.com
>> 250-PIPELINING
>> 250-SIZE 41943040
>> 250-VRFY
>> 250-ETRN
>> 250-STARTTLS
>> 250-AUTH PLAIN LOGIN
>> 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250-DSN
>> 250 SMTPUTF8
>> 
>> ===============
>> 
>> And here is the content of the raw logs when a mail is sent.
>> 
>> ======== rawlog.in
>> 
>> 1564258521.813430 220 smtp.example.com ESMTP Postfix
>> 1564258521.814206 250-smtp.example.com
>> 1564258521.814206 250-PIPELINING
>> 1564258521.814206 250-SIZE 41943040
>> 1564258521.814206 250-VRFY
>> 1564258521.814206 250-ETRN
>> 1564258521.814206 250-STARTTLS
>> 1564258521.814206 250-AUTH PLAIN LOGIN
>> 1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
>> 1564258521.814206 250-ENHANCEDSTATUSCODES
>> 1564258521.814206 250-8BITMIME
>> 1564258521.814206 250-DSN
>> 1564258521.814206 250 SMTPUTF8
>> 1564258521.848159 220 smtp.example.com ESMTP Postfix
>> 1564258521.849506 250-smtp.example.com
>> 1564258521.849506 250-PIPELINING
>> 1564258521.849506 250-SIZE 41943040
>> 1564258521.849506 250-VRFY
>> 1564258521.849506 250-ETRN
>> 1564258521.849506 250-STARTTLS
>> 1564258521.849506 250-AUTH PLAIN LOGIN
>> 1564258521.849506 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
>> 1564258521.849506 250-ENHANCEDSTATUSCODES
>> 1564258521.849506 250-8BITMIME
>> 1564258521.849506 250-DSN
>> 1564258521.849506 250 SMTPUTF8
>> 1564258521.854093 250 2.1.0 Ok
>> 1564258521.909487 250 2.1.5 Ok
>> 1564258521.983093 354 End data with <CR><LF>.<CR><LF>
>> 1564258522.115312 250 2.0.0 Ok: queued as DDBCCD53B
>> 
>> ======== rawlog.out
>> 
>> 1564258521.813739 EHLO smtp.example.com
>> 1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66
>> 1564258521.848701 EHLO smtp.example.com
>> 1564258521.850122 MAIL FROM:<service at example.com> AUTH=info
>> 1564258521.889896 RCPT TO:<jddupas at xooloo.com>
>> 1564258521.981094 DATA
>> 1564258521.983757 Received: from [10.188.153.106] ([46.193.33.66])
>> 1564258521.983757 	by smtp.example.com with ESMTPSA
>> 1564258521.983757 	id cSDvMtmwPF14TAAABU9jsA
>> 1564258521.983757 	(envelope-from <service at example.com>)
>> 1564258521.983757 	for <jddupas at xooloo.com>; Sat, 27 Jul 2019 22:15:21 +0200
>> 1564258521.984065 From: Jean-Daniel Dupas <service at example.com>
>> 1564258521.984065 Content-Type: text/plain
>> 1564258521.984065 Content-Transfer-Encoding: 7bit
>> 1564258521.984065 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
>> 1564258521.984065 Subject: Send test
>> 1564258521.984065 Message-Id: <827EAD17-6C27-4BDF-AD94-F106E37745C1 at example.com>
>> 1564258521.984065 Date: Sat, 27 Jul 2019 22:15:19 +0200
>> 1564258521.984065 To: Jean-Daniel Dupas <jddupas at xooloo.com>
>> 1564258521.984065 X-Mailer: Apple Mail (2.3445.104.11)
>> 1564258521.984065 
>> 1564258521.984280 .
>> 1564258543.105429 QUIT
>> 
>> 
>> ================== doveconf -n
>> 
>> # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
>> # Pigeonhole version 0.5.7.1 (db5c74be)
>> # OS: Linux 4.15.0-55-generic x86_64 Ubuntu 18.04.2 LTS 
>> # Hostname: example.com
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> hostname = smtp.example.com
>> imap_hibernate_timeout = 1 mins
>> mail_attribute_dict = file:%h/metadata
>> mail_gid = vmail
>> mail_location = mdbox:~/mail
>> mail_plugins = fts fts_xapian
>> mail_server_admin = mailto:sysadmin at example.com
>> mail_uid = vmail
>> managesieve_notify_capability = mailto
>> managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
>> namespace inbox {
>>   inbox = yes
>>   location = 
>>   mailbox Archive {
>>     auto = subscribe
>>     special_use = \Archive
>>   }
>>   mailbox Drafts {
>>     auto = subscribe
>>     special_use = \Drafts
>>   }
>>   mailbox Junk {
>>     auto = subscribe
>>     special_use = \Junk
>>   }
>>   mailbox Sent {
>>     auto = subscribe
>>     special_use = \Sent
>>   }
>>   mailbox Trash {
>>     auto = subscribe
>>     special_use = \Trash
>>   }
>>   prefix = 
>>   separator = /
>> }
>> passdb {
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>>   driver = ldap
>> }
>> plugin {
>>   fts = xapian
>>   fts_autoindex = yes
>>   fts_autoindex_exclude = \Junk
>>   fts_autoindex_exclude2 = \Trash
>>   fts_enforced = yes
>>   fts_languages = fr en
>>   fts_xapian = partial=2 full=20
>>   imapsieve_mailbox1_before = file:/var/lib/vmail/imapsieve/learn-spam.sieve
>>   imapsieve_mailbox1_causes = COPY
>>   imapsieve_mailbox1_name = Junk
>>   imapsieve_mailbox2_before = file:/var/lib/vmail/imapsieve/learn-ham.sieve
>>   imapsieve_mailbox2_causes = COPY
>>   imapsieve_mailbox2_from = Junk
>>   imapsieve_mailbox2_name = *
>>   imapsieve_mailbox3_before = file:/var/lib/vmail/imapsieve/unflag.sieve
>>   imapsieve_mailbox3_causes = COPY
>>   imapsieve_mailbox3_name = Trash
>>   plugin = fts fts_xapian
>>   sieve = file:~/sieve;active=~/.dovecot.sieve
>>   sieve_after = /var/lib/vmail/sieve-after
>>   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
>>   sieve_pipe_bin_dir = /var/lib/vmail/sieve-pipe
>>   sieve_plugins = sieve_imapsieve sieve_extprograms
>> }
>> postmaster_address = 
>> protocols = " imap lmtp sieve submission"
>> recipient_delimiter = -
>> service auth-worker {
>>   user = $default_internal_user
>> }
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0600
>>     user = postfix
>>   }
>> }
>> service doveadm {
>>   vsz_limit = 1 G
>> }
>> service imap-hibernate {
>>   unix_listener imap-hibernate {
>>     group = vmail
>>     mode = 0660
>>   }
>>   user = vmail
>> }
>> service imap-login {
>>   inet_listener imap {
>>     port = 0
>>   }
>>   inet_listener imaps {
>>     port = 993
>>   }
>>   process_min_avail = 2
>> }
>> service imap {
>>   unix_listener imap-master {
>>     user = vmail
>>   }
>> }
>> service indexer-worker {
>>   vsz_limit = 1 G
>> }
>> service lmtp {
>>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
>>     group = postfix
>>     mode = 0600
>>     user = postfix
>>   }
>> }
>> service managesieve-login {
>>   inet_listener sieve {
>>     address = localhost
>>   }
>> }
>> service submission-login {
>>   inet_listener submissions {
>>     haproxy = no
>>     port = 465
>>     reuse_port = no
>>     ssl = yes
>>   }
>> }
>> ssl_alt_cert = </var/lib/acme/imap.example.com/rsa/cert.pem
>> ssl_alt_key = # hidden, use -P to show it
>> ssl_cert = </var/lib/acme/imap.example.com/ecdsa/cert.pem
>> ssl_cipher_list = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
>> ssl_dh = # hidden, use -P to show it
>> ssl_key = # hidden, use -P to show it
>> ssl_min_protocol = TLSv1.1
>> ssl_prefer_server_ciphers = yes
>> submission_host = smtp.example.com
>> submission_max_mail_size = 40 M
>> submission_relay_host = localhost
>> submission_relay_port = 8587
>> submission_relay_trusted = yes
>> userdb {
>>   driver = prefetch
>> }
>> userdb {
>>   args = /etc/dovecot/dovecot-ldap.conf.ext
>>   driver = ldap
>> }
>> protocol lmtp {
>>   mail_plugins = fts fts_xapian sieve
>> }
>> protocol imap {
>>   imap_metadata = yes
>>   mail_max_userip_connections = 25
>>   mail_plugins = fts fts_xapian imap_zlib imap_sieve
>>   namespace inbox {
>>     location = 
>>     mailbox Junk {
>>       autoexpunge = 30 days
>>     }
>>     mailbox Trash {
>>       autoexpunge = 30 days
>>     }
>>     prefix = 
>>   }
>> }
>>> 
>>> Regards,
>>> 
>>> Stephan.
>> 
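The comparison the thread does by hand, as an added example that is not code from the thread or from Dovecot: `parse_ehlo` and `compare` diff the capabilities the proxy advertises before login against the backend's, using the two EHLO transcripts quoted above as constructed samples, and `live_ehlo` (an assumed helper name) fetches the pre-authentication list from a real listener, with implicit TLS on 465 as RFC 8314 recommends or STARTTLS on 587.

```python
"""Added example: compare a submission proxy's pre-login EHLO capabilities with its backend's."""
import smtplib
import ssl
# Constructed samples: the pre-login Dovecot reply and the Postfix reply quoted in the thread.
PROXY_EHLO = "\r\n".join([
    "250-smtp.example.com", "250-8BITMIME", "250-AUTH PLAIN LOGIN",
    "250-BURL imap", "250-CHUNKING", "250-ENHANCEDSTATUSCODES",
    "250-SIZE", "250 PIPELINING"])
BACKEND_EHLO = "\r\n".join([
    "250-smtp.example.com", "250-PIPELINING", "250-SIZE 41943040",
    "250-VRFY", "250-ETRN", "250-STARTTLS", "250-AUTH PLAIN LOGIN",
    "250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT",
    "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250-DSN", "250 SMTPUTF8"])

def parse_ehlo(reply):
    """Multi-line 250 reply -> {KEYWORD: params}. Line 1 is the greeting,
    '250-' marks a continuation line and '250 ' the final line."""
    caps = {}
    for i, line in enumerate(reply.splitlines()):
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError("malformed EHLO line: %r" % line)
        if i > 0:
            keyword, _, params = line[4:].strip().partition(" ")
            caps[keyword.upper()] = params.strip()
        if line[3] == " ":
            break
    return caps

def compare(proxy_reply, backend_reply, ignore=("XCLIENT", "STARTTLS")):
    """Backend capabilities the proxy hides, and ones it lists without the backend's
    parameter (a bare SIZE); XCLIENT is proxy-internal, STARTTLS transport-bound."""
    proxy, backend = parse_ehlo(proxy_reply), parse_ehlo(backend_reply)
    missing = sorted(k for k in backend if k not in proxy and k not in ignore)
    valueless = sorted(k for k in proxy if backend.get(k) and not proxy[k])
    return missing, valueless

def live_ehlo(host, port, implicit_tls, helo="probe.example.com"):
    """Pre-authentication capabilities of a live listener (assumed helper name):
    implicit TLS on 465 as RFC 8314 recommends, STARTTLS on 587."""
    ctx = ssl.create_default_context()
    if implicit_tls:
        conn = smtplib.SMTP_SSL(host, port, timeout=10, context=ctx)
    else:
        conn = smtplib.SMTP(host, port, timeout=10)
        conn.ehlo(helo)
        conn.starttls(context=ctx)
    conn.ehlo(helo)  # the list a client sees before any AUTH
    caps = {k.upper(): v for k, v in conn.esmtp_features.items()}
    conn.quit()
    return caps
```

On the thread's samples `compare` reports VRFY, ETRN, DSN and SMTPUTF8 as hidden and SIZE as announced without its value; running `live_ehlo` against both listeners and the backend port gives the same diff for a deployed proxy.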