Re: Disable authentication for submission service

2021-07-31 Thread Benny Pedersen

On 2021-07-29 10:12, Vladislav Kurz wrote:

> I thought that mandatory authentication is the whole point of having mail
> submission on other port than 25. But looking at the RFC:
> https://datatracker.ietf.org/doc/html/rfc6409#section-4.3
> It says that authorization by other means (being within a protected
> subnetwork) is possible.


from the time of pop-before-smtp rfc1918 have always worked for all, 
when a single ip could open up smtp auth for multiple rfc1918 ips in the 
time frame could relay all the mails without any need to provide any 
password for it


hopefully none like to see this back

not even on ipv6 btw

> Anyway, as dovecot ultimately passes the mail to MTA, it is much easier to
> make the unauthenticated IP relay list in MTA, and submit on port 25.


it could still be another port than 25 there, it will be a mess to mix 
outbound and inbound on same port



> Or is there something special you want dovecot to do with those mails?


hopefully no, i think dovecot has submission for director hosts to still 
use one single mta server for outbound, not to change how end users use 
it


Re: Disable authentication for submission service

2021-07-31 Thread Benny Pedersen

On 2021-07-28 19:08, Dan Conway wrote:

> Yes Dovecot will proxy the connection to the real MTA. My question is
> why authentication is _always_ required on Dovecot when submission is
> used, as MTAs usually have an option to allow non-authenticated
> relaying.


where is this documented? what mta supports that theory?

dovecot still needs auth for sending mails even its real mta sending to 
another mta, different is that its mta that had that job of submissions, 
but it has never been a free ride in the park as it would make it an 
open relay


don't do this ever


Re: Disable authentication for submission service

2021-07-29 Thread Vladislav Kurz
On Wednesday, 28 July 2021 19:08:17 CEST, Dan Conway wrote:
> Yes Dovecot will proxy the connection to the real MTA. My question is
> why authentication is /always/ required on Dovecot when submission is
> used, as MTAs usually have an option to allow non-authenticated relaying.

I thought that mandatory authentication is the whole point of having mail 
submission on other port than 25. But looking at the RFC:
https://datatracker.ietf.org/doc/html/rfc6409#section-4.3
It says that authorization by other means (being within a protected 
subnetwork) is possible.

Anyway, as dovecot ultimately passes the mail to MTA, it is much easier to 
make the unauthenticated IP relay list in MTA, and submit on port 25.

Or is there something special you want dovecot to do with those mails?

-- 
Best Regards
Vladislav Kurz
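
An added example (not part of the thread, and not Dovecot or Postfix code): a Python check that takes an SMTP transcript captured from a known client address, like the session quoted in this thread, and reports whether the server's behaviour matches the intended list of addresses exempt from authentication. The transcripts, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
# Constructed transcripts modelled on the thread's session; addresses are placeholders.
DENIED = """\
ehlo test.com
250-AUTH PLAIN LOGIN
250 PIPELINING
MAIL FROM:<sender@example.org>
530 5.7.0 Authentication required.
"""
ALLOWED = """\
ehlo test.com
250 PIPELINING
MAIL FROM:<sender@example.org>
250 2.1.0 Ok
RCPT TO:<rcpt@example.net>
250 2.1.5 Ok
"""
REPLY = re.compile(r"^(\d{3})([ -])")

def classify(transcript):
    """Return 'accepted', 'auth_required' or 'inconclusive' for a client that sent no AUTH."""
    authenticated, last_cmd = False, ""
    for line in transcript.splitlines():
        m = REPLY.match(line)
        if not m:                          # no reply code: a client command
            last_cmd = line.strip().upper()
            continue
        code, sep = m.groups()
        if sep == "-":                     # continuation of a multi-line reply
            continue
        if code == "235":                  # AUTH succeeded earlier in the session
            authenticated = True
        elif last_cmd.startswith(("MAIL FROM", "RCPT TO")) and not authenticated:
            if code == "530":
                return "auth_required"
            if last_cmd.startswith("RCPT TO") and code.startswith("2"):
                return "accepted"
    return "inconclusive"

def policy_violation(client_ip, transcript, exempt_nets):
    """Compare what the server did with the intended exemption list (assumed input)."""
    ip = ipaddress.ip_address(client_ip)
    exempt = any(ip in ipaddress.ip_network(n) for n in exempt_nets)
    outcome = classify(transcript)
    if outcome == "accepted" and not exempt:
        return "unauthenticated relay from non-exempt address"
    if outcome == "auth_required" and exempt:
        return "exempt address was still asked to authenticate"
    return None
```

On port 25 a 2xx reply to RCPT TO for a locally hosted recipient is ordinary inbound delivery, so capture the transcript with a recipient in an external domain.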





Re: Disable authentication for submission service

2021-07-28 Thread justina colmena ~biz
Thank you for the pointers. People say RTFM, as if that's rude, but it's good 
to know, especially if there is documentation of ongoing development or a "road 
map" for future work.

On July 28, 2021 10:51:50 AM AKDT, Antonio Leding wrote:
>Making no assertions\judgements as to the goal or intended path to get 
>there…just helping with the original question…
>
>Based on the submission server link below, it appears you will need to 
>use the same auth mechanisms for submission as you do for imap\pop.  So

Good enough reason to integrate MSA (Mail Submission Agent) capabilities into 
the MUA (Mail User Agent).

Suggestion box: This should be able (in the future) to handle "tricks" like 
archiving sent messages alongside received messages or simply copying sent 
messages into an IMAP sent folder on the server. 

>https://doc.dovecot.org/admin_manual/submission_server/
>https://doc.dovecot.org/configuration_manual/authentication/
>

This is all quite new then and under active development.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Disable authentication for submission service

2021-07-28 Thread Antonio Leding
Making no assertions\judgements as to the goal or intended path to get 
there…just helping with the original question…


Based on the submission server link below, it appears you will need to 
use the same auth mechanisms for submission as you do for imap\pop.  So 
essentially, the same type of config for allowing no auth imap\pop 
connections should be how you cfg no auth submission connections.


In addition to the following links, I would also take a look at 
Dovecot’s default auth config file for more details on how to allow 
access without auth…


https://doc.dovecot.org/admin_manual/submission_server/
https://doc.dovecot.org/configuration_manual/authentication/

- - -

On 28 Jul 2021, at 7:10, Dan Conway wrote:


> Hello,
>
> Is it possible to disable the requirement for authentication on the
> submission service? I'm trying to require authentication for all,
> except for a handful of IP addresses.
>
> Thank you.
>
> ehlo test.com
> 250-aaa
> 250-AUTH PLAIN LOGIN
> 250-BURL imap
> 250-CHUNKING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-SIZE
> 250 PIPELINING
> MAIL FROM:
> 530 5.7.0 Authentication required.


Re: Disable authentication for submission service

2021-07-28 Thread Antonio Leding
Definitely possible - just not sure of the desired use case for this.  
But given the devs did it, there must be some demand…


https://doc.dovecot.org/admin_manual/submission_server/

- - -


On 28 Jul 2021, at 11:18, John Stoffel wrote:


> "Dan" == Dan Conway writes:
>
> Are you sure?  I know that postfix can use the same backend database
> for authentication as dovecot, and dovecot can be the master, but dovecot
> does NOT listen on port 25 or 587 at all, those are all just used by
> Postfix.
>
> Dan> Yes Dovecot will proxy the connection to the real MTA. My
> Dan> question is why authentication is always required on Dovecot when
> Dan> submission is used, as MTAs usually have an option to allow
> Dan> non-authenticated relaying.
>
> Dan> On 7/28/21 10:19 AM, justina colmena ~biz wrote:
>
> Dan> I am quite curious about the circumstances of this question. I was not aware that Dovecot
> Dan> actually offered mail submission service. If Dovecot does offer such a service, then it will
> Dan> have to relay the submitted mail to the real MTA, which is very likely not Dovecot. At the
> Dan> moment I have Postfix set up as MTA for that purpose —
>
> Dan> Relaying on port 25 is usually quick and easy to whitelist for certain permitted hosts, but
> Dan> otherwise port 587, optionally with STARTTLS, and/or port 465 with SSL/TLS is generally set up
> Dan> for user authenticated mail submissions.
>
> Dan> See also:
> Dan> https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/
>
> Dan> On July 28, 2021 6:10:28 AM AKDT, Dan Conway wrote:
>
> Dan> Hello,
>
> Dan> Is it possible to disable the requirement for authentication on the
> Dan> submission service? I'm trying to require authentication for all, except
> Dan> for a handful of IP addresses.
>
> Dan> Thank you.
>
> Dan> ehlo test.com
> Dan> 250-aaa
> Dan> 250-AUTH PLAIN LOGIN
> Dan> 250-BURL imap
> Dan> 250-CHUNKING
> Dan> 250-DSN
> Dan> 250-ENHANCEDSTATUSCODES
> Dan> 250-SIZE
> Dan> 250 PIPELINING
> Dan> MAIL FROM:
> Dan> 530 5.7.0 Authentication required.
>
> Dan> --
> Dan> Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Disable authentication for submission service

2021-07-28 Thread dovecot

> Are you sure?  I know that postfix can use the same backend database
> for authentication as dovecot, and dovecot can be the master, but dovecot
> does NOT listen on port 25 or 587 at all, those are all just used by
> Postfix.


Not true anymore. Dovecot added a submission service in a recent 
version.
Dovecot can listen on 587, take the email, and pass it on to postfix to 
then go out to the world.


https://doc.dovecot.org/admin_manual/submission_server/



Re: Disable authentication for submission service

2021-07-28 Thread John Stoffel
> "Dan" == Dan Conway  writes:

Are you sure?  I know that postfix can use the same backend database
for authentication as dovecot, and dovecot can be the master, but dovecot
does NOT listen on port 25 or 587 at all, those are all just used by
Postfix.


Dan> Yes Dovecot will proxy the connection to the real MTA. My
Dan> question is why authentication is always required on Dovecot when
Dan> submission is used, as MTAs usually have an option to allow
Dan> non-authenticated relaying.

Dan> On 7/28/21 10:19 AM, justina colmena ~biz wrote:

Dan> I am quite curious about the circumstances of this question. I was not aware that Dovecot
Dan> actually offered mail submission service. If Dovecot does offer such a service, then it will
Dan> have to relay the submitted mail to the real MTA, which is very likely not Dovecot. At the
Dan> moment I have Postfix set up as MTA for that purpose —

Dan> Relaying on port 25 is usually quick and easy to whitelist for certain permitted hosts, but
Dan> otherwise port 587, optionally with STARTTLS, and/or port 465 with SSL/TLS is generally set up
Dan> for user authenticated mail submissions.

Dan> See also:
Dan> https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/

Dan> On July 28, 2021 6:10:28 AM AKDT, Dan Conway wrote:

Dan> Hello,

Dan> Is it possible to disable the requirement for authentication on the
Dan> submission service? I'm trying to require authentication for all, except
Dan> for a handful of IP addresses.

Dan> Thank you.

Dan> ehlo test.com
Dan> 250-aaa
Dan> 250-AUTH PLAIN LOGIN
Dan> 250-BURL imap
Dan> 250-CHUNKING
Dan> 250-DSN
Dan> 250-ENHANCEDSTATUSCODES
Dan> 250-SIZE
Dan> 250 PIPELINING
Dan> MAIL FROM:
Dan> 530 5.7.0 Authentication required.

Dan> --
Dan> Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: Disable authentication for submission service

2021-07-28 Thread Alexander Dalloz

On 28.07.2021 at 19:08, Dan Conway wrote:
> Yes Dovecot will proxy the connection to the real MTA. My question is
> why authentication is /always/ required on Dovecot when submission is
> used, as MTAs usually have an option to allow non-authenticated relaying.


And relaying without authentication is a bad thing you should avoid.

Alexander



Re: Disable authentication for submission service

2021-07-28 Thread Dan Conway
Yes Dovecot will proxy the connection to the real MTA. My question is 
why authentication is /always/ required on Dovecot when submission is 
used, as MTAs usually have an option to allow non-authenticated relaying.


On 7/28/21 10:19 AM, justina colmena ~biz wrote:
> I am quite curious about the circumstances of this question. I was not
> aware that Dovecot actually offered mail submission service. If
> Dovecot does offer such a service, then it will have to relay the
> submitted mail to the real MTA, which is very likely not Dovecot. At
> the moment I have Postfix set up as MTA for that purpose —
>
> Relaying on port 25 is usually quick and easy to whitelist for certain
> permitted hosts, but otherwise port 587, optionally with STARTTLS,
> and/or port 465 with SSL/TLS is generally set up for user
> authenticated mail submissions.
>
> See also:
> https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/
>
> On July 28, 2021 6:10:28 AM AKDT, Dan Conway wrote:
>
> > Hello,
> >
> > Is it possible to disable the requirement for authentication on the
> > submission service? I'm trying to require authentication for all, except
> > for a handful of IP addresses.
> >
> > Thank you.
> >
> > ehlo test.com
> > 250-aaa
> > 250-AUTH PLAIN LOGIN
> > 250-BURL imap
> > 250-CHUNKING
> > 250-DSN
> > 250-ENHANCEDSTATUSCODES
> > 250-SIZE
> > 250 PIPELINING
> > MAIL FROM:
> > 530 5.7.0 Authentication required.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Disable authentication for submission service

2021-07-28 Thread justina colmena ~biz
I am quite curious about the circumstances of this question. I was not aware 
that Dovecot actually offered mail submission service. If Dovecot does offer 
such a service, then it will have to relay the submitted mail to the real MTA, 
which is very likely not Dovecot. At the moment I have Postfix set up as MTA 
for that purpose —

Relaying on port 25 is usually quick and easy to whitelist for certain 
permitted hosts, but otherwise port 587, optionally with STARTTLS, and/or port 
465 with SSL/TLS is generally set up for user authenticated mail submissions.

See also:
https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/



On July 28, 2021 6:10:28 AM AKDT, Dan Conway  wrote:
>Hello,
>
>Is it possible to disable the requirement for authentication on the 
>submission service? I'm trying to require authentication for all,
>except 
>for a handful of IP addresses.
>
>Thank you.
>
>
>ehlo test.com
>250-aaa
>250-AUTH PLAIN LOGIN
>250-BURL imap
>250-CHUNKING
>250-DSN
>250-ENHANCEDSTATUSCODES
>250-SIZE
>250 PIPELINING
>MAIL FROM:
>530 5.7.0 Authentication required.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.