<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=koi8-r">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;" class="elementToProof">> There is no way for a forwarded email to SASL authenticate because
no one is logged in or involved in the process of LMTP receiving mail for delivery from "the world". How is the MTA supposed to know the SASL password for staff@work.com?</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;" class="elementToProof"><br>
</span></div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">dovecot auth with "master user" when sending emails via submission_host</span><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">;</span><br>
</div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">postfix:</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;" class="elementToProof">1. Using
</span><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">smtpd_sender_login_maps</span><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">,
allow the master user to send messages with any MAIL FROM, like this:</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">smtpd_sender_login_maps = regexp:/etc/postfix/login_map.regexp</span></div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">---</span><br>
</div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">login_map.regexp:</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;"># sender address pattern, then the SASL login that owns it<br>/.*/ master@example.com</span><br>
</div>
<div><br>
</div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">OR</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;"><br>
</span></div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">2. In Postfix master.cf, declare a dedicated submission port allowed only
for Dovecot, without </span><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">reject_sender_login_mismatch, like this:</span></div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">2525 inet n - n - - smtpd </span><br>
</div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;"> -o smtpd_helo_restrictions=permit_sasl_authenticated </span><br>
</div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;"> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject </span><br>
</div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;"> -o smtpd_sender_restrictions=permit_sasl_authenticated</span><br>
</div>
<div class="elementToProof" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div class="elementToProof ContentPasted4" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I think it's better than<br>
</div>
<div class="elementToProof"><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;" class="ContentPasted3">mynetworks = 10.0.1.0/24 #whole subnet, container
ip assigned dynamically :(<br>
</span></div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">with</span><br>
</div>
<div><span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">smtpd_sender_restrictions =
</span><br>
<span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;"> permit_mynetworks</span><br>
<span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;">smtpd_relay_restrictions =
</span><br>
<span style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-weight: 400;"> permit_mynetworks</span><br>
<br>
</div>
<div class="elementToProof ContentPasted6" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
As for SPF in the described scenario, <font size="2"><span style="font-size:11pt" class="ContentPasted5">you are right</span></font>, SPF will be broken. Well... it's an implementation feature.<br>
</div>
<div><br>
</div>
<div><br>
</div>
<br>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> dovecot &lt;dovecot-bounces@dovecot.org&gt; on behalf of dovecot@ptld.com &lt;dovecot@ptld.com&gt;<br>
<b>Sent:</b> 17 January 2023, 23:18<br>
<b>To:</b> dovecot@dovecot.org &lt;dovecot@dovecot.org&gt;<br>
<b>Subject:</b> Re: submission_host auth</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="PlainText elementToProof">> Let's say we have dovecot + sieve plugin container.<br>
> Dovecot configured to use remote SMTP submission host to send messages:<br>
> submission_host = postfix.example.com:587<br>
<br>
<br>
I reviewed my config to see how I did it. I think you are right and SASL isn't used here. I have dovecot and postfix on the same machine and in dovecot I set<br>
submission_host = localhost:25<br>
<br>
Then in my sieve filters I set<br>
sieve_redirect_envelope_from = sender<br>
<br>
I use SPF, DKIM, and DMARC<br>
<br>
To test this I have (fictitious) staff@work.com with a forward filter to personal@home.com<br>
I sent an email from customer@random.com to staff@work.com<br>
@work.com server then sends a forwarded email to personal@home.com with To:staff@work.com and From:customer@random.com<br>
<br>
Checking the @home.com logs I can see that SPF failed because @work.com server sent an email from @random.com, however it had valid DKIM signatures from both @work.com and @random.com so DMARC passed and the email was accepted.<br>
<br>
I guess if the @random.com mail server only implemented SPF and did not include a DKIM signature and DMARC policy then the @home.com server would have rejected the forwarded email.<br>
<br>
I know this might not be the best solution you are looking for, but it is the best I could figure out to allow sieve forwarding. There is no way for a forwarded email to SASL authenticate because no one is logged in or involved in the process of LMTP receiving
mail for delivery from "the world". How is the MTA supposed to know the SASL password for staff@work.com?<br>
</div>
</span></font></div>
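<div>Added example (not part of either poster's message): a minimal DMARC evaluation in Python for the forwarding test described in the quoted message, showing why the forward passes on the author domain's DKIM signature even though SPF fails. The function names, the two-label organizational-domain shortcut and the scenario data are assumptions constructed for illustration.</div>
<pre>
```python
# Added example: DMARC verdict (RFC 7489, relaxed alignment) for a forwarded mail.
from dataclasses import dataclass

@dataclass
class DkimSig:
    d: str        # signing domain from the d= tag
    valid: bool   # did the signature verify?

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def domain_of(addr):
    return addr.rsplit("@", 1)[1]

def dmarc_result(header_from, envelope_from, spf_pass, dkim_sigs):
    """Return (verdict, aligned mechanisms that passed)."""
    from_org = org_domain(domain_of(header_from))
    passed = []
    # SPF counts only if it passed AND the envelope domain aligns with From:.
    if spf_pass and org_domain(domain_of(envelope_from)) == from_org:
        passed.append("spf")
    # DKIM counts only for valid signatures whose d= aligns with From:.
    for sig in dkim_sigs:
        if sig.valid and org_domain(sig.d) == from_org:
            passed.append("dkim:" + sig.d)
    return ("pass" if passed else "fail", passed)

# Constructed scenarios using the thread's fictitious addresses.
FROM = "customer@random.com"
both = [DkimSig("random.com", True), DkimSig("work.com", True)]
only_forwarder = [DkimSig("work.com", True)]

def scenarios():
    return {
        # Envelope sender kept as the original sender: SPF fails at home.com
        # because the work.com host is not authorized by random.com.
        "forward_sender_env": dmarc_result(FROM, FROM, False, both),
        # Same forward, but random.com did not DKIM-sign: nothing aligns.
        "forward_no_author_dkim": dmarc_result(FROM, FROM, False, only_forwarder),
        # Envelope rewritten to the forwarder: SPF passes for work.com,
        # yet work.com does not align with From: random.com.
        "forward_rewritten_env": dmarc_result(FROM, "staff@work.com", True, only_forwarder),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```
</pre>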
</body>
</html>