> On 03/11/2020 12:31 Piotr Auksztulewicz <d...@hasiok.net> wrote: > > > On Mon, Nov 02, 2020 at 09:33:08PM +0100, R. Diez wrote: > > OK, so I gather that the Submission Server cannot do that (yet). > > And probably would never do. It isn't its job description. > > Actually, it is just a convenience/workaround feature, which comes handy > only if your own MTA cannot handle dovecot's SASL authentication (must be > something real strange) or there are some integration/security/policy > issue perceived (but I cannot think of any, actually). In this case you > can set up dovecot's submission server, which uses dovecot's authentication > settings, so you have single source of authentication, and whitelist > dovecot IP address in your MTA so it accepts anything that dovecot's > submission server lets through. But I don't think it is a good idea > personally, it is more open to exploitation this way, unless the > address is 127.0.0.1, in which case you can simply set up SASL over > Unix sockets, which is as secure as your host server is. >
Submission service is not only a proxy, it - provides authentication natively from Dovecot - provides features like BURL, and maybe in future outbound Sieve but it does require real MTA behind. -- Aki