Re: Dovecot Submission Proxy Auth

2019-01-12 Thread Stephan Bosch




On 11/01/2019 at 02:52, Jacky wrote:
> Hi,
>
> Just found out that Postfix does not implement/support the AUTH=sender
> parameter.
>
> So, back to Dovecot, can we use variables in the
>
> submission_relay_user =
> submission_relay_password =

No, that is not supported. :/

> then Dovecot will forward the username and password information of the
> current user to the Postfix submission service for authentication?

Would Postfix do something with the XCLIENT LOGIN field in that regard?

(Note that 2.3.4 messes up XCLIENT in several ways, so --- if Postfix 
can do this --- you'll have to wait for the next release).

Regards,

Stephan.

> Best regards,
>
> Jacky







Re: Dovecot Submission Proxy Auth

2019-01-10 Thread Jacky

Hi,

Just found out that Postfix does not implement/support the AUTH=sender 
parameter.


So, back to Dovecot, can we use variables in the

submission_relay_user =
submission_relay_password =

then Dovecot will forward the username and password information of the 
current user to the Postfix submission service for authentication?


Best regards,

Jacky





Re: Dovecot Submission Proxy Auth

2019-01-09 Thread Jacky

Hi Gerald and Odhiambo Washington,

Thank you for your suggestions and will try them out.

Best regards,

Jacky



Re: Dovecot Submission Proxy Auth

2019-01-09 Thread Odhiambo Washington
On Wed, 9 Jan 2019 at 13:09, Jacky wrote:

> Hi Gerald,
>
> in my postfix/main.cf
>
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = /var/run/dovecot/auth-client
> broken_sasl_auth_clients = yes
>
> I am already using dovecot for SASL
>
> The dovecot submission service authenticates users and already added the
> AUTH= parameter in the MAIL FROM
>
> MAIL FROM:<ja...@xxx.com> AUTH=ja...@xxx.com SIZE=1430
>
> But, it seems that postfix does not accept the AUTH= parameter and
> rejects the sender as not logged in.
>
>
> Best regards,
>
> Jacky
>
>
Hi Jacky,

Your question belongs to postfix mailing list.

Anyway, the last time I was playing with postfix (I am an Exim user
normally), I had to check that:
smtpd_sasl_path = /var/run/dovecot/auth-client

...the socket is readable by the postfix user:

So, check 10-master.conf for the socket. Something like:

# Postfix smtp-auth
service auth {
  # absolute path, same as smtpd_sasl_path in Postfix main.cf
  unix_listener /var/run/dovecot/auth-client {
    # the Dovecot wiki's example uses mode = 0660 with user = postfix
    mode = 0666
  }
}

Restart dovecot and see...

You can read the https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)


Re: Dovecot Submission Proxy Auth

2019-01-09 Thread Gerald Galster
Hi Jacky,

if postfix did not log a specific error to your maillog you could change smtpd 
to smtpd -v in master.cf to get more debug output or use debug_peer_list to see 
what smtp commands are sent:

http://www.postfix.org/DEBUG_README.html

Typically smtp auth looks like this:

S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com
S: 250-smtp.example.com
S: 250 AUTH CRAM-MD5 DIGEST-MD5
C: AUTH FOOBAR
S: 504 Unrecognized authentication type.

or

C: AUTH CRAM-MD5
S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
S: 235 Authentication successful.

C = client, S = server

Depending on your setup the password (maybe base64 encoded) or hash must also 
be sent for verification.

Or you could try to authenticate with a master user for all connections by 
setting

submission_relay_master_user =
submission_relay_password =

in dovecot, see https://wiki.dovecot.org/Submission

Best regards
Gerald
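The CRAM-MD5 exchange in Gerald's transcript, worked through as an added example (my illustration, not code from the thread, from Dovecot or from Postfix): it decodes the two base64 lines, shows how a client derives its response from the server's challenge, and how the server verifies that response. The credential store (`DEMO_PASSWORDS`) and the secret in it are constructed for the demo; the real password behind the RFC's example response is not on the page, so only the round trip with the constructed secret can be checked.

```python
import base64
import hashlib
import hmac

# The two base64 lines from the transcript above (RFC 4954's CRAM-MD5 example).
CHALLENGE_B64 = "PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4="
RESPONSE_B64 = "ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ=="

# Constructed credential store for the demo. A real server looks the password
# up in its SASL backend (Dovecot's passdb in this thread's setup).
DEMO_PASSWORDS = {"fred": "constructed-demo-secret"}


def decode_transcript_line(b64_text):
    """Turn one base64 line of an SMTP AUTH transcript back into what was sent."""
    return base64.b64decode(b64_text, validate=True).decode("ascii")


def cram_md5_response(username, password, challenge):
    """Client side: HMAC-MD5 over the server's challenge, keyed with the password.

    Only the hex digest crosses the wire, never the password itself.
    """
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5)
    return f"{username} {digest.hexdigest()}"


def encode_for_wire(text):
    """The client sends its response as a single base64 line."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def verify_cram_md5(challenge, response_b64, lookup_password=DEMO_PASSWORDS.get):
    """Server side: recompute the digest from the stored password and compare.

    Returns the authenticated username, or None when the response is malformed,
    the user is unknown, or the digest does not match. The constant-time compare
    avoids leaking how many digest characters matched.
    """
    try:
        username, _, digest = decode_transcript_line(response_b64).partition(" ")
    except (ValueError, UnicodeDecodeError):
        return None
    password = lookup_password(username)
    if password is None:
        return None
    expected = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


if __name__ == "__main__":
    challenge = decode_transcript_line(CHALLENGE_B64)
    print("S: 334 ->", challenge)
    print("C:     ->", decode_transcript_line(RESPONSE_B64))
    wire = encode_for_wire(cram_md5_response("fred", DEMO_PASSWORDS["fred"], challenge))
    print("demo login verified as:", verify_cram_md5(challenge, wire))
```

Note the trade-off the mechanism makes: the password never crosses the wire, but the server must keep it in a form from which the HMAC can be recomputed, which is why the usual advice today is PLAIN or LOGIN inside TLS with hashed password storage.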




Re: Dovecot Submission Proxy Auth

2019-01-09 Thread Jacky

Hi Gerald,

in my postfix/main.cf

smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
broken_sasl_auth_clients = yes

I am already using dovecot for SASL

The dovecot submission service authenticates users and already added the 
AUTH= parameter in the MAIL FROM


MAIL FROM:<ja...@xxx.com> AUTH=ja...@xxx.com SIZE=1430

But, it seems that postfix does not accept the AUTH= parameter and 
rejects the sender as not logged in.



Best regards,

Jacky





Re: Dovecot Submission Proxy Auth

2019-01-09 Thread Gerald Galster
Hi Jacky,

in postfix/main.cf you typically set something like

smtpd_sasl_auth_enable=yes
smtpd_sasl_type=cyrus
smtpd_sasl_exceptions_networks=$mynetworks
smtpd_sasl_security_options=noanonymous
smtpd_sasl_authenticated_header=yes
broken_sasl_auth_clients=yes
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

smtpd_recipient_restrictions might already exist in main.cf and in that case 
has to be extended

postfix can verify login/passwords via sasl but it does not store these 
credentials, so you need to install saslauthd and add user/pass there or use a 
dovecot instance that already authenticates users for pop/imap.

http://www.postfix.org/SASL_README.html
https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

Best regards
Gerald




Re: Dovecot Submission Proxy Auth

2019-01-09 Thread Jacky

Hi,

Anyone know how to enable this SMTP AUTH feature with Postfix?

Regards,

Jacky




Re: Dovecot Submission Proxy Auth

2018-04-06 Thread Paul Hecker
Hi,

> On 6. Apr 2018, at 18:58, Odhiambo Washington wrote:
> 
> Hi Paul,
> 
> Care to share your config (even OFFLIST) that has successfully integrated 
> Dovecot Submission service with Exim??

Here are the steps I have done to integrate Dovecot submission in Exim:

- Create and set the acl_smtp_mailauth ACL:

acl_smtp_mailauth = acl_check_mailauth

acl_check_mailauth:
  # only the local Dovecot submission relay on port 10025 may assert MAIL AUTH
  accept
    hosts       = <; 127.0.0.1 ; ::1
    condition   = ${if eq{$interface_port}{10025}}
    log_message = Will accept MAIL AUTH parameter for $authenticated_sender

  deny


- add a deny for all connections to 10025 without MAIL AUTH parameter in 
acl_smtp_mail ACL:

  deny
    condition = ${if eq{$interface_port}{10025}}
    condition = ${if eq{$authenticated_sender}{}}
    message   = All connections on port $interface_port need MAIL AUTH sender

- in Dovecot, add the following submission parameters

submission_relay_port = 10025
submission_relay_ssl = starttls
submission_relay_ssl_verify = no

All the remaining parts of the Dovecot config are the default for submission 
protocol/service, copied either from the sources (default config) or from here:

https://wiki.dovecot.org/Submission

Feel free to ask if you have any further questions.

Regards,
Paul







Re: Dovecot Submission Proxy Auth

2018-04-06 Thread Odhiambo Washington
Hi Paul,

Care to share your config (even OFFLIST) that has successfully integrated
Dovecot Submission service with Exim??

I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.

Thanks in advance.




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: Dovecot Submission Proxy Auth

2018-04-06 Thread Paul Hecker
Hi,

Thank you very much. This did the trick!

> On 6. Apr 2018, at 15:56, Stephan Bosch wrote:
> 
> 
> 
> On 6-4-2018 at 13:52, Paul Hecker wrote:
>> Hi,
>> 
>> Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) 
>> authentication to the SMTP server using submission. Reason why I need it is 
>> sender spoofing (do not want my employees to send messages on behalf of me).
>> 
>> In exim I can disable sender spoofing with the authenticated user. When 
>> sending through dovecot, exim either does not accept the email (need auth) 
>> or relay every sender address (because relaying from localhost).
>> 
>> Am I missing a setting or do I need any additional field in the (MySQL) 
>> user_query/password_query to forward the password?
>> 
>> You can find my config here:
>> 
>> https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
> 
> That would be possible using the following SMTP AUTH feature:
> 
> https://tools.ietf.org/html/rfc4954#section-5
> 
> Which is apparently supported by Exim: 
> https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail
> This requires explicit configuration, so it will not work out of the box.

Here is what I did:

I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I 
had to duplicate my code for sender spoofing for authenticated users and change 
the $authenticated_id -> $authenticated_sender.

Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually 
sends the MAIL AUTH parameter.

> 
> The Dovecot Submission service should support this too. It sends an AUTH 
> parameter with the MAIL command (currently only when the username is a valid 
> SMTP address). However, I must say, I haven't tested this recently.

I can confirm that it works (only with TLS with my current configuration, see 
above).

> 
> I can try this in a few days. Feel free to experiment with this yourself.
> 
> Regards,
> 
> Stephan.

Thanks again,
Paul





Re: Dovecot Submission Proxy Auth

2018-04-06 Thread Stephan Bosch



On 6-4-2018 at 13:52, Paul Hecker wrote:
> Hi,
>
> Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain)
> authentication to the SMTP server using submission. Reason why I need it is
> sender spoofing (do not want my employees to send messages on behalf of me).
>
> In exim I can disable sender spoofing with the authenticated user. When sending
> through dovecot, exim either does not accept the email (need auth) or relay
> every sender address (because relaying from localhost).
>
> Am I missing a setting or do I need any additional field in the (MySQL)
> user_query/password_query to forward the password?
>
> You can find my config here:
>
> https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8


That would be possible using the following SMTP AUTH feature:

https://tools.ietf.org/html/rfc4954#section-5

Which is apparently supported by Exim: 
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail

This requires explicit configuration, so it will not work out of the box.

The Dovecot Submission service should support this too. It sends an AUTH 
parameter with the MAIL command (currently only when the username is a 
valid SMTP address). However, I must say, I haven't tested this recently.


I can try this in a few days. Feel free to experiment with this yourself.

Regards,

Stephan.
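The MAIL AUTH parameter Stephan points to (RFC 4954 section 5), together with the gating that Paul's Exim ACL does by interface port and host, worked through as an added example on the relay side; this is my illustration, not code from Dovecot, Exim, Postfix or anyone in the thread. The sample MAIL commands, the example.com mailboxes and the `from_trusted_relay` flag are constructed. The parser splits off the ESMTP parameters, xtext-decodes the AUTH value (RFC 3461 `+HH` escapes, `<>` for "identity unknown"), honours it only from the trusted submission proxy, and refuses a reverse-path that differs from the authenticated identity, which is the anti-spoofing rule Paul was after.

```python
import re

# Constructed MAIL commands in the shape Dovecot's submission service sends to
# its relay (compare Jacky's "MAIL FROM:<...> AUTH=... SIZE=1430" line).
SAMPLE_MAIL_COMMANDS = [
    "MAIL FROM:<jacky@example.com> AUTH=jacky@example.com SIZE=1430",     # honest sender
    "MAIL FROM:<ceo@example.com> AUTH=jacky@example.com SIZE=1430",       # spoofed sender
    "MAIL FROM:<jacky@example.com> SIZE=1430",                            # no AUTH at all
    "MAIL FROM:<jacky@example.com> AUTH=<> SIZE=1430",                    # identity unknown
    "MAIL FROM:<user+plus@example.com> AUTH=user+2Bplus@example.com",     # xtext-encoded '+'
]

_MAIL_RE = re.compile(
    r"^MAIL FROM:<(?P<path>[^>]*)>(?P<params>(?: [^ =]+(?:=[^ ]*)?)*)\s*$",
    re.IGNORECASE,
)
_XTEXT_HEX = re.compile(r"\+([0-9A-F]{2})")


def xtext_decode(value):
    """RFC 3461 xtext as used by the AUTH parameter: '+HH' is one encoded byte.

    '<>' means the submitting agent could not determine the authenticated identity.
    """
    if value == "<>":
        return None
    return _XTEXT_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_mail_command(line):
    """Split a MAIL command into (reverse-path, {PARAM: raw value})."""
    m = _MAIL_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a well-formed MAIL command: {line!r}")
    params = {}
    for item in m.group("params").split():
        key, _, value = item.partition("=")
        params[key.upper()] = value
    return m.group("path"), params


def check_sender(line, from_trusted_relay, session_auth_user=None):
    """Relay-side policy for one MAIL command; returns (accepted, reply, identity).

    The AUTH= parameter is honoured only on connections from the trusted
    submission proxy (Paul's Exim ACL selects these by port and host). From any
    other peer it is ignored and the session's own SMTP AUTH user, if any, is the
    identity. With no identity the command is refused; otherwise the reverse-path
    must equal the identity, case-insensitively.
    """
    path, params = parse_mail_command(line)
    identity = session_auth_user
    if from_trusted_relay and "AUTH" in params:
        identity = xtext_decode(params["AUTH"])
    if identity is None:
        return False, "530 5.7.0 Authentication required", None
    if path.lower() != identity.lower():
        return False, f"553 5.7.1 <{path}> does not match authenticated identity {identity}", identity
    return True, "250 2.1.0 Ok", identity


if __name__ == "__main__":
    for cmd in SAMPLE_MAIL_COMMANDS:
        accepted, reply, identity = check_sender(cmd, from_trusted_relay=True)
        print(f"{cmd}\n  -> {reply} (identity={identity})")
```

Run stand-alone it prints the decision for each sample as if it came from the trusted proxy; flipping `from_trusted_relay` to False shows the same honest command being refused, because an AUTH parameter from an untrusted peer carries no weight.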




Dovecot Submission Proxy Auth

2018-04-06 Thread Paul Hecker
Hi,

Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) 
authentication to the SMTP server using submission. Reason why I need it is 
sender spoofing (do not want my employees to send messages on behalf of me).

In exim I can disable sender spoofing with the authenticated user. When sending 
through dovecot, exim either does not accept the email (need auth) or relay 
every sender address (because relaying from localhost).

Am I missing a setting or do I need any additional field in the (MySQL) 
user_query/password_query to forward the password?

You can find my config here:

https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8

Thanks,
Paul




