Hi Jacky,

if postfix did not log a specific error to your maillog you could change smtpd to smtpd -v in master.cf to get more debug output or use debug_peer_list to see what smtp commands are sent:

http://www.postfix.org/DEBUG_README.html

Typically smtp auth looks like this:

S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com
S: 250-smtp.example.com
S: 250 AUTH CRAM-MD5 DIGEST-MD5
C: AUTH FOOBAR
S: 504 Unrecognized authentication type.

or

C: AUTH CRAM-MD5
S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
S: 235 Authentication successful.

C = client, S = server

Depending on your setup the password (maybe base64 encoded) or hash must also be sent for verification.

Or you could try to authenticate with a master user for all connections by setting

submission_relay_master_user =
submission_relay_password =

in dovecot, see https://wiki.dovecot.org/Submission

Best regards
Gerald

> On 09.01.2019 at 11:08, Jacky <ja...@jesstech.com> wrote:
>
> Hi Gerald,
>
> in my postfix/main.cf
>
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = /var/run/dovecot/auth-client
> broken_sasl_auth_clients = yes
>
> I am already using dovecot for SASL
>
> The dovecot submission service authenticates users and already added the
> AUTH= parameter in the MAIL FROM
>
> MAIL FROM:<ja...@xxx.com> AUTH=ja...@xxx.com SIZE=1430
>
> But, it seems that postfix does not accept the AUTH= parameter and rejects the
> sender as not logged in.
>
> Best regards,
>
> Jacky
>
>
> On 9/1/2019 5:49 PM, Gerald Galster wrote:
>> Hi Jacky,
>>
>> in postfix/main.cf you typically set something like
>>
>> smtpd_sasl_auth_enable=yes
>> smtpd_sasl_type=cyrus
>> smtpd_sasl_exceptions_networks=$mynetworks
>> smtpd_sasl_security_options=noanonymous
>> smtpd_sasl_authenticated_header=yes
>> broken_sasl_auth_clients=yes
>> smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
>>
>> smtpd_recipient_restrictions might already exist in main.cf and in that case
>> has to be extended
>>
>> postfix can verify login/passwords via sasl but it does not store these
>> credentials, so you need to install saslauthd and add user/pass there or use
>> a dovecot instance that already authenticates users for pop/imap.
>>
>> http://www.postfix.org/SASL_README.html
>> https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
>>
>> Best regards
>> Gerald
>>
>>> On 09.01.2019 at 10:15, Jacky <ja...@jesstech.com> wrote:
>>>
>>> Hi,
>>>
>>> Anyone know how to enable this SMTP AUTH feature with Postfix?
>>>
>>> Regards,
>>>
>>> Jacky
>>>
>>>
>>> On 7/4/2018 3:40 AM, Paul Hecker wrote:
>>>> Hi,
>>>>
>>>>> On 6. Apr 2018, at 18:58, Odhiambo Washington <odhia...@gmail.com> wrote:
>>>>>
>>>>> Hi Paul,
>>>>>
>>>>> Care to share your config (even OFFLIST) that has successfully integrated
>>>>> Dovecot Submission service with Exim??
>>>> here the steps I have done to integrate Dovecot submission in Exim:
>>>>
>>>> - Create and set the acl_smtp_mailauth ACL:
>>>>
>>>> acl_smtp_mailauth = acl_check_mailauth
>>>>
>>>> acl_check_mailauth:
>>>>   accept
>>>>     hosts = <; 127.0.0.1 ; ::1
>>>>     condition = ${if eq{$interface_port}{10025}}
>>>>     log_message = Will accept MAIL AUTH parameter for $authenticated_sender
>>>>   deny
>>>>
>>>>
>>>> - add a deny for all connections to 10025 without MAIL AUTH parameter in
>>>> acl_smtp_mail ACL:
>>>>
>>>>   deny
>>>>     condition = ${if eq{$interface_port}{10025}}
>>>>     condition = ${if eq{$authenticated_sender}{}}
>>>>     message = All connections on port $interface_port need MAIL AUTH sender
>>>>
>>>> - in Dovecot, add the following submission parameters
>>>>
>>>> submission_relay_port = 10025
>>>> submission_relay_ssl = starttls
>>>> submission_relay_ssl_verify = no
>>>>
>>>> All the remaining parts of the Dovecot config are the default for
>>>> submission protocol/service, copied either from the sources (default
>>>> config) or from here:
>>>>
>>>> https://wiki.dovecot.org/Submission
>>>>
>>>> Feel free if you have any further questions.
>>>>
>>>> Regards,
>>>> Paul
>>>>
>>>>
>>>>> I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>>
>>>>> On 6 April 2018 at 19:15, Paul Hecker <p...@iwascoding.com> wrote:
>>>>> Hi,
>>>>>
>>>>> Thank you very much. This did the trick!
>>>>>
>>>>>> On 6. Apr 2018, at 15:56, Stephan Bosch <step...@rename-it.nl> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 6-4-2018 at 13:52, Paul Hecker wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain)
>>>>>>> authentication to the SMTP server using submission. Reason why I need
>>>>>>> it is sender spoofing (do not want my employees to send messages on
>>>>>>> behalf of me).
>>>>>>>
>>>>>>> In exim I can disable sender spoofing with the authenticated user. When
>>>>>>> sending through dovecot, exim either does not accept the email (need
>>>>>>> auth) or relays every sender address (because relaying from localhost).
>>>>>>>
>>>>>>> Am I missing a setting or do I need any additional field in the (MySQL)
>>>>>>> user_query/password_query to forward the password?
>>>>>>>
>>>>>>> You can find my config here:
>>>>>>>
>>>>>>> https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
>>>>>> That would be possible using the following SMTP AUTH feature:
>>>>>>
>>>>>> https://tools.ietf.org/html/rfc4954#section-5
>>>>>>
>>>>>> Which is apparently supported by Exim:
>>>>>> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail
>>>>>> This requires explicit configuration, so it will not work out of the box.
>>>>> Here is what I did:
>>>>>
>>>>> I had to add the acl_smtp_mailauth to only allow this on a certain port.
>>>>> Then I had to duplicate my code for sender spoofing for authenticated
>>>>> users and change the $authenticated_id -> $authenticated_sender.
>>>>>
>>>>> Besides that, I must use TLS (in my case STARTTLS) so that Dovecot
>>>>> actually sends the MAIL AUTH parameter.
>>>>>
>>>>>> The Dovecot Submission service should support this too. It sends an AUTH
>>>>>> parameter with the MAIL command (currently only when the username is a
>>>>>> valid SMTP address). However, I must say, I haven't tested this recently.
>>>>> I can confirm that it works (only with TLS with my current configuration,
>>>>> see above).
>>>>>
>>>>>> I can try this in a few days. Feel free to experiment with this yourself.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Stephan.
>>>>> Thanks again,
>>>>> Paul
>>>>>
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Odhiambo WASHINGTON,
>>>>> Nairobi,KE
>>>>> +254 7 3200 0004/+254 7 2274 3223
>>>>> "Oh, the cruft."
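
The trust decision this thread revolves around, as an added example (not code from any poster and not Exim, Postfix or Dovecot code): a relay should believe the RFC 4954 `AUTH=` parameter on MAIL FROM only when it comes from the local submission proxy, and should then compare it with the envelope sender. The function names, the exact-match anti-spoofing rule and the sample commands are assumptions; the loopback and port 10025 conditions are taken from the Exim ACLs quoted above.

```python
import ipaddress
import re

RELAY_PORT = 10025  # submission_relay_port from the thread (assumed policy input)
XTEXT_HEX = re.compile(r"\+([0-9A-F]{2})")

def xtext_decode(value):
    """RFC 3461 xtext: '+XX' encodes one byte as two upper-case hex digits."""
    return XTEXT_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)

def parse_mail_from(line):
    """Return (envelope_sender, auth_identity or None) for a MAIL FROM command."""
    m = re.match(r"MAIL FROM:<([^>]*)>(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a MAIL FROM command")
    sender, auth = m.group(1), None
    for param in m.group(2).split():
        key, _, val = param.partition("=")
        if key.upper() == "AUTH":
            auth = xtext_decode(val)
    # RFC 4954 section 5: AUTH=<> means no authenticated identity is asserted.
    return sender, (None if auth == "<>" else auth)

def decide(peer_ip, local_port, line):
    """Hypothetical policy mirroring the two Exim ACLs quoted in the thread."""
    sender, auth = parse_mail_from(line)
    trusted = ipaddress.ip_address(peer_ip).is_loopback and local_port == RELAY_PORT
    if not trusted:
        # Anyone can type AUTH=...; only the local submission proxy is believed.
        return "AUTH ignored: untrusted peer"
    if auth is None:
        return "reject: relay port requires MAIL AUTH sender"
    if sender.lower() != auth.lower():  # assumed anti-spoofing rule: exact match
        return "reject: envelope sender differs from authenticated sender"
    return "accept"

# Constructed sample commands (peer address, local port, SMTP line).
SAMPLES = [
    ("127.0.0.1", 10025, "MAIL FROM:<alice@example.com> AUTH=alice@example.com SIZE=1430"),
    ("::1", 10025, "MAIL FROM:<boss@example.com> AUTH=alice@example.com"),
    ("127.0.0.1", 10025, "MAIL FROM:<alice@example.com>"),
    ("192.0.2.10", 25, "MAIL FROM:<boss@example.com> AUTH=boss@example.com"),
]

if __name__ == "__main__":
    for peer, port, cmd in SAMPLES:
        print(f"{peer}:{port} {cmd!r} -> {decide(peer, port, cmd)}")
```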