Submission service and SMTP AUTH capability
Germán Herrera
g.herrera at ses.com.ar
Fri Jun 21 17:40:28 EEST 2019
Hi Christian, first of all I appreciate your quick answer.
You are correct, if I "openssl -starttls smtp -connect <host>:<port>" I
notice the AUTH capability is published, so that explains why the
clients that I configure with STARTTLS are able to find out the AUTH
mechanisms and authenticate correctly.
I also found out that the AUTH is shown before entering STARTTLS if I
set "ssl = yes", but the capability is hidden from pre-starttls EHLO if
I do enforce SSL with "ssl = required", which is my server
configuration.
That is an strange behavior for me, but I can deal with it now that I
know how it works.
Thanks for your help, and best regards!!
German
On 2019-06-21 11:05, Christian Kivalo via dovecot wrote:
> On June 21, 2019 3:13:59 PM GMT+02:00, "Germán Herrera via dovecot"
> <dovecot at dovecot.org> wrote:
>> Hi Everyone!
>>
>> I've setup dovecot 2.3.2.1 on a Gentoo server. I want to configure the
>> submission service in order to replace the corresponding part in
>> Postfix
>> (which is my SMTP server).
>> I configured submission it with just a few options different of the
>> default ones:
>>
>> submission_client_workarounds = whitespace-before-path
>> submission_relay_host = 127.0.0.1
>> submission_relay_port = 10026
>> submission_relay_trusted = yes
>>
>> The issue I'm having is that the SMTP AUTH is enforced and performed
>> correctly, but it doesn't get published on the server capaabilities
>> when
>> the connection doesn't come from localhost. This causes issues with
>> some
>> smtp clients which authenticate (python smtpclient).
>>
>> When I telnet the submission service from localhost I get:
>>
>> 220 (protected hostname) Dovecot ready.
>> EHLO L
>> 250-(protected hostname)
>> 250-8BITMIME
>> 250-AUTH PLAIN LOGIN
>> 250-BURL imap
>> 250-CHUNKING
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE
>> 250-STARTTLS
>> 250 PIPELINING
>> quit
>> 221 2.0.0 Bye
>>
>> But when I do the same from another host other than the one running
>> dovecot (telnetting the submission port):
>>
>> 220 (protected hostname) Dovecot ready.
>> EHLO L
>> 250-(protected hostname)
>> 250-8BITMIME
>> 250-BURL imap
>> 250-CHUNKING
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE
>> 250-STARTTLS
>> 250 PIPELINING
>> quit
>> 221 2.0.0 Bye
>>
>> As you can see, the AUTH capability is not there.
>> Do you know what could be causing this issue? Your help is much
>> appreciated!
>> German
> Maybe you need to start tls before auth will be offered as localhost
> most often is whitelisted from the need for auth. Have you tried with
> openssl s_client to start TLS and see if auth is offered then?
More information about the dovecot
mailing list