Submission service, XCLIENT and HELO
Riccardo Alfieri
riccardo.alfieri at spamteq.com
Tue Feb 4 22:48:36 EET 2020
Hello,
I'm using version 2.3.4.1 and I have a fairly simple setup based on a
submission server where I run dovecot and a relay server with postfix.
The relevant part of dovecot's config is as follows (sanitized):
    hostname = submission.domain.local
    submission_client_workarounds = whitespace-before-path
    submission_relay_host = 192.168.1.1 <- postfix
    submission_relay_port = 25
    submission_relay_trusted = yes
Postfix is configured as follows:
smtpd_authorized_xclient_hosts = 192.168.1.2 <- submission server
Everything apparently works as expected, meaning that I can correctly
authenticate on the submission server and the email is relayed to
postfix, where I can see the original MUA's IP correctly logged.
There is, however, a little problem with the client HELO string that is
not being forwarded to postfix. Instead of having the MUA HELO, I see
the submission server HELO, as shown in the following tcpdump taken on
the postfix server:
    220 postfix.domain.local ESMTP Postfix (Ubuntu)
    EHLO submission.domain.local
    250-postfix.domain.local
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
    250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
    250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8
    XCLIENT ADDR=192.168.1.3 PORT=57116 LOGIN=riccardo-at-domain.local
    220 postfix.domain.local ESMTP Postfix (Ubuntu)
    EHLO submission.domain.local
    250-postfix.domain.local
    250-PIPELINING
    ...
As you can see the first EHLO is correctly done with the submission
server's hostname, but the subsequent one after XCLIENT is -still- the
same hostname, while I was expecting that to be the one forwarded from
the MUA, or possibly a "HELO=somethingelse" in the XCLIENT line.
I've looked almost everywhere and I couldn't find a way to make dovecot
use the MUA's HELO string. The question I'm asking is if there is a way
to have the MUA's HELO forwarded to the relay server in some way, or if
this is a bug or an expected behaviour.
Thanks for any help you could give
--
Best regards,
Riccardo Alfieri
Spamhaus Technology
https://www.spamhaustech.com/
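
The check below is an added example, not part of the original message and not Dovecot or Postfix code: it reads a relay-side SMTP capture like the one in the post and reports which XCLIENT attributes the relay offered but the submission proxy never sent, and whether the greeting after XCLIENT is still the proxy's own name. The function name `audit_xclient` and the embedded transcript (trimmed from the capture above) are constructed for illustration.

```python
import re

# Constructed sample: relay-side capture from the message above, trimmed to
# the lines that matter, one SMTP line per row.
TRANSCRIPT = """\
220 postfix.domain.local ESMTP Postfix (Ubuntu)
EHLO submission.domain.local
250-postfix.domain.local
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250 SMTPUTF8
XCLIENT ADDR=192.168.1.3 PORT=57116 LOGIN=riccardo-at-domain.local
220 postfix.domain.local ESMTP Postfix (Ubuntu)
EHLO submission.domain.local
250-postfix.domain.local
"""

def audit_xclient(transcript):
    """Compare XCLIENT attributes the relay offers with those the proxy sends."""
    offered, sent = set(), {}
    helo_before = helo_after = None
    for raw in transcript.splitlines():
        line = raw.strip()
        cap = re.match(r"250[- ]XCLIENT\s+(.+)", line, re.I)
        cmd = re.match(r"XCLIENT\s+(.+)", line, re.I)
        helo = re.match(r"(?:EHLO|HELO)\s+(\S+)", line, re.I)
        if cap:                      # capability line in the EHLO reply
            offered |= {a.upper() for a in cap.group(1).split()}
        elif cmd:                    # XCLIENT command from the proxy
            for pair in cmd.group(1).split():
                name, _, value = pair.partition("=")
                sent[name.upper()] = value   # value kept as sent, not decoded
        elif helo:
            if sent:                 # greeting repeated after XCLIENT
                helo_after = helo_after or helo.group(1)
            else:
                helo_before = helo.group(1)
    return {
        "sent": sent,
        "not_forwarded": offered - set(sent),
        "helo_before": helo_before,
        "helo_after": helo_after,
        # True when the relay only ever sees the proxy's own name
        "relay_sees_proxy_helo": "HELO" not in sent and helo_after == helo_before,
    }

if __name__ == "__main__":
    for key, value in audit_xclient(TRANSCRIPT).items():
        print(f"{key}: {value}")
```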