Re: submission configuration issues
On 27/07/2019 23:13, Stephan Bosch via dovecot wrote: On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote: Hello, I'm having trouble configuring the submission proxy. I have configured the submission service as follow: submission_host = smtp.example.com submission_relay_host = localhost submission_relay_port = 8587 submission_relay_rawlog_dir = /var/log/dovecot/ submission_relay_trusted = yes My main issue is that until I login, dovecot-submission won't connect to the backend and query the capabilities and so won't report the right capabilities. That is true and expected. No connection to the relay server is made until the user is logged in. That mean that the first EHLO message don't get the right capabilities list. " EHLO example.com 250-smtp.example.com 250-8BITMIME 250-AUTH PLAIN LOGIN 250-BURL imap 250-CHUNKING 250-ENHANCEDSTATUSCODES 250-SIZE 250 PIPELINING " This list don't contains VRFY, DNS, and SIZE is not specified (all of these is present in backend EHLO response). After login, if I send an new EHLO command, everything is properly reported. The raw log shows that unlike what the documentation says, dovecot don't try to connect to the backend until the user is properly logged. Oh, then we need to adjust the documentation. This is normal behavior. In my raw log I show that after I logged in dovecot-submission, the later open a connection to the backend and send a X-CLIENT command. Now, if I try to force the capabilities by using: submission_backend_capabilities = VRFY 8BITMIME DSN dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting X-CLIENT command to the backend and try to simply forward the command without authentication, which result in postfix rejecting the command with an unauthorized user error. Yes, that is a bug. I have reproduced it here. We will look into it. Tracking this bug as DOP-1323. Regards, Stephan.
Re: submission configuration issues
My configuration has 2 listeners. The default one (submission) on port 587
(which does not appear on "dovecot -n » output as it is the default)
And a second one on port 465 that is configured to use submission over TLS
(note the ssl = yes in the configuration and the ’s’ at the end of the name:
submissions )
According to RFC8314 (https://tools.ietf.org/html/rfc8314), this is now the
recommended setting:
« In brief, this memo now recommends that:
…
o Connections to Mail Submission Servers and Mail Access Servers be
made using "Implicit TLS" (as defined below), in preference to
connecting to the "cleartext" port and negotiating TLS using the
STARTTLS command or a similar command.
»
> Le 27 juil. 2019 à 22:39, Bob Gustafson via dovecot a
> écrit :
>
> service submission-login {
> inet_listener submissions {
> haproxy = no
> port = 465
> reuse_port = no
> ssl = yes
> }
> }
>
> Shouldn't the port be 587 here?
>
> My config file looks like:
>
> service submission-login {
> inet_listener submission {
> #port = 587
> }
> }
>
> The # comment must also mean something..
>
> On 7/27/19 3:21 PM, Jean-Daniel via dovecot wrote:
>>
>>
>>> Le 27 juil. 2019 à 14:30, Stephan Bosch a écrit :
>>>
>>> On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follow:
submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
>>
>>
>>> Le 27 juil. 2019 à 14:30, Stephan Bosch a écrit :
>>>
>>> On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follow:
submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes
My main issue is that until I login, dovecot-submission won't connect to
the backend and query the capabilities and so won't report the right
capabilities.
That mean that the first EHLO message don't get the right capabilities
list.
"
EHLO example.com
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
"
This list don't contains VRFY, DNS, and SIZE is not specified (all of
these is present in backend EHLO response).
After login, if I send an new EHLO command, everything is properly
reported. The raw log shows that unlike what the documentation says,
dovecot don't try to connect to the backend until the user is properly
logged.
In my raw log I show that after I logged in dovecot-submission, the later
open a connection to the backend and send a X-CLIENT command.
Now, if I try to force the capabilities by using:
submission_backend_capabilities = VRFY 8BITMIME DSN
dovecot properly reports all SMTP capabilities in the first EHLO response,
but it completely stops emitting X-CLIENT command to the backend
and try to simply forward the command without authentication, which result
in postfix rejecting the command with an unauthorized user error.
What is wrong with my configuration ?
Thanks.
>>>
>>> Can you send us your complete configuration (output from `dovecot -n`)?
>>
>> Yes (see below).
>>
>> Some additional information:
>>
>> ===
>>
>> When I connect directly to dovecot-submission using nc and send an EHLO
>> command, I got the following result (the SIZE is configured in dovecot
>> config, that’s why it is properly announced), but no raw_log are generated
>> at all.
>>
>> $ nc smtp.example.com 587
>>
>> 220 smtp.example.com Dovecot ready.
>> EHLO mydomain.com
>> 250-smtp.example.com
>> 250-8BITMIME
>> 250-AUTH
>> 250-BURL imap
>> 250-CHUNKING
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE 41943040
>> 250-STARTTLS
>> 250 PIPELINING
>> QUIT
>> 221 2.0.0 Bye
>>
>> ===
>>
>> Ditto if I use openssl s_client -starttls smtp -crlf -connect
>> smtp.example.com:587 and send the EHLO after STARTTLS.
>>
>> ===
>>
>> For the record, here is the result of a direct connect to postfix:
>>
>> $ nc 127.0.0.1 8587
>> 220 smtp.example.com ESMTP Postfix
>> EHLO example.com
>> 250-smtp.example.com
>> 250-PIPELINING
>> 250-SIZE 41943040
>> 250-VRFY
>> 250-ETRN
>> 250-STARTTLS
>> 250-AUTH PLAIN LOGIN
>> 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250-DSN
>> 250 SMTPUTF8
>>
>> ===
>>
>> And here is the content of the row logs when a mail is sent.
>>
>>
Re: submission configuration issues
service submission-login {
inet_listener submissions {
haproxy = no
port = 465
reuse_port = no
ssl = yes
}
}
Shouldn't the port be 587 here?
My config file looks like:
service submission-login {
inet_listener submission {
#port = 587
}
}
The # comment must also mean something..
On 7/27/19 3:21 PM, Jean-Daniel via dovecot wrote:
Le 27 juil. 2019 à 14:30, Stephan Bosch > a écrit :
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follow:
submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
Le 27 juil. 2019 à 14:30, Stephan Bosch > a écrit :
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
Hello,
I'm having trouble configuring the submission proxy.
I have configured the submission service as follow:
submission_host = smtp.example.com
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_rawlog_dir = /var/log/dovecot/
submission_relay_trusted = yes
My main issue is that until I login, dovecot-submission won't
connect to the backend and query the capabilities and so won't
report the right capabilities.
That mean that the first EHLO message don't get the right
capabilities list.
"
EHLO example.com
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
"
This list don't contains VRFY, DNS, and SIZE is not specified (all
of these is present in backend EHLO response).
After login, if I send an new EHLO command, everything is properly
reported. The raw log shows that unlike what the documentation says,
dovecot don't try to connect to the backend until the user is
properly logged.
In my raw log I show that after I logged in dovecot-submission, the
later open a connection to the backend and send a X-CLIENT command.
Now, if I try to force the capabilities by using:
submission_backend_capabilities = VRFY 8BITMIME DSN
dovecot properly reports all SMTP capabilities in the first EHLO
response, but it completely stops emitting X-CLIENT command to the
backend
and try to simply forward the command without authentication, which
result in postfix rejecting the command with an unauthorized user error.
What is wrong with my configuration ?
Thanks.
Can you send us your complete configuration (output from `dovecot -n`)?
Yes (see below).
Some additional information:
===
When I connect directly to dovecot-submission using nc and send an
EHLO command, I got the following result (the SIZE is configured in
dovecot config, that’s why it is properly announced), but no raw_log
are generated at all.
$ nc smtp.example.com 587
220 smtp.example.com Dovecot ready.
EHLO mydomain.com
250-smtp.example.com
250-8BITMIME
250-AUTH
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE 41943040
250-STARTTLS
250 PIPELINING
QUIT
221 2.0.0 Bye
===
Ditto if I use openssl s_client -starttls smtp -crlf -connect
smtp.example.com:587 and send the EHLO
after STARTTLS.
===
For the record, here is the result of a direct connect to postfix:
$ nc 127.0.0.1 8587
220 smtp.example.com ESMTP Postfix
EHLO example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
===
And here is the content of the row logs when a mail is sent.
rawlog.in
1564258521.813430 220 smtp.example.com ESMTP
Postfix
1564258521.814206 250-smtp.example.com
1564258521.814206 250-PIPELINING
1564258521.814206 250-SIZE 41943040
1564258521.814206 250-VRFY
1564258521.814206 250-ETRN
1564258521.814206 250-STARTTLS
1564258521.814206 250-AUTH PLAIN LOGIN
1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT
LOGIN DESTADDR DESTPORT
1564258521.814206 250-ENHANCEDSTATUSCODES
1564258521.814206 250-8BITMIME
1564258521.814206 250-DSN
1564258521.814206 250 SMTPUTF8
1564258521.848159 220 smtp.example.com ESMTP
Postfix
1564258521.849506 250-smtp.example.com
1564258521.849506 250-PIPELINING
1564258521.849506 250-SIZE 41943040
1564258521.849506 250-VRFY
1564258521.849506 250-ETRN
1564258521.849506 250-STARTTLS
1564258521.849506 250-AUTH PLAIN LOGIN
1564258521.849506 250-XCLIENT NAME ADDR
Re: submission configuration issues
> Le 27 juil. 2019 à 23:13, Stephan Bosch a écrit : > > > > On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote: >> Hello, >> >> I'm having trouble configuring the submission proxy. >> >> I have configured the submission service as follow: >> >> submission_host = smtp.example.com >> submission_relay_host = localhost >> submission_relay_port = 8587 >> submission_relay_rawlog_dir = /var/log/dovecot/ >> submission_relay_trusted = yes >> >> My main issue is that until I login, dovecot-submission won't connect to the >> backend and query the capabilities and so won't report the right >> capabilities. > > That is true and expected. No connection to the relay server is made until > the user is logged in. > >> That mean that the first EHLO message don't get the right capabilities list. >> >> " >> EHLO example.com >> >> 250-smtp.example.com >> 250-8BITMIME >> 250-AUTH PLAIN LOGIN >> 250-BURL imap >> 250-CHUNKING >> 250-ENHANCEDSTATUSCODES >> 250-SIZE >> 250 PIPELINING >> " >> >> This list don't contains VRFY, DNS, and SIZE is not specified (all of these >> is present in backend EHLO response). >> After login, if I send an new EHLO command, everything is properly reported. >> The raw log shows that unlike what the documentation says, >> dovecot don't try to connect to the backend until the user is properly >> logged. > Oh, then we need to adjust the documentation. This is normal behavior. This is in the default 20-submission.conf file: # By default, the submission service first connects to the relay server to # determine the support for such capabilities before sending the initial EHLO # reply to the client. If the list of capabilities returned by the relay server # is somehow unreliable or it is undesirable to start the connection to the # relay server before the first mail transaction is started, the backend # capabilities can be configured explicitly using the # submission_backend_capabilities setting. … #submission_backend_capabilities =
Re: submission configuration issues
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote: Hello, I'm having trouble configuring the submission proxy. I have configured the submission service as follow: submission_host = smtp.example.com submission_relay_host = localhost submission_relay_port = 8587 submission_relay_rawlog_dir = /var/log/dovecot/ submission_relay_trusted = yes My main issue is that until I login, dovecot-submission won't connect to the backend and query the capabilities and so won't report the right capabilities. That is true and expected. No connection to the relay server is made until the user is logged in. That mean that the first EHLO message don't get the right capabilities list. " EHLO example.com 250-smtp.example.com 250-8BITMIME 250-AUTH PLAIN LOGIN 250-BURL imap 250-CHUNKING 250-ENHANCEDSTATUSCODES 250-SIZE 250 PIPELINING " This list don't contains VRFY, DNS, and SIZE is not specified (all of these is present in backend EHLO response). After login, if I send an new EHLO command, everything is properly reported. The raw log shows that unlike what the documentation says, dovecot don't try to connect to the backend until the user is properly logged. Oh, then we need to adjust the documentation. This is normal behavior. In my raw log I show that after I logged in dovecot-submission, the later open a connection to the backend and send a X-CLIENT command. Now, if I try to force the capabilities by using: submission_backend_capabilities = VRFY 8BITMIME DSN dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting X-CLIENT command to the backend and try to simply forward the command without authentication, which result in postfix rejecting the command with an unauthorized user error. Yes, that is a bug. I have reproduced it here. We will look into it. Regards, Stephan.
Re: submission configuration issues
> Le 27 juil. 2019 à 14:30, Stephan Bosch a écrit : > > On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote: >> Hello, >> >> I'm having trouble configuring the submission proxy. >> >> I have configured the submission service as follow: >> >> submission_host = smtp.example.com >> submission_relay_host = localhost >> submission_relay_port = 8587 > Le 27 juil. 2019 à 14:30, Stephan Bosch a écrit : > > On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote: >> Hello, >> >> I'm having trouble configuring the submission proxy. >> >> I have configured the submission service as follow: >> >> submission_host = smtp.example.com >> submission_relay_host = localhost >> submission_relay_port = 8587 >> submission_relay_rawlog_dir = /var/log/dovecot/ >> submission_relay_trusted = yes >> >> My main issue is that until I login, dovecot-submission won't connect to the >> backend and query the capabilities and so won't report the right >> capabilities. >> >> That mean that the first EHLO message don't get the right capabilities list. >> >> " >> EHLO example.com >> >> 250-smtp.example.com >> 250-8BITMIME >> 250-AUTH PLAIN LOGIN >> 250-BURL imap >> 250-CHUNKING >> 250-ENHANCEDSTATUSCODES >> 250-SIZE >> 250 PIPELINING >> " >> >> This list don't contains VRFY, DNS, and SIZE is not specified (all of these >> is present in backend EHLO response). >> After login, if I send an new EHLO command, everything is properly reported. >> The raw log shows that unlike what the documentation says, >> dovecot don't try to connect to the backend until the user is properly >> logged. >> >> In my raw log I show that after I logged in dovecot-submission, the later >> open a connection to the backend and send a X-CLIENT command. >> >> >> Now, if I try to force the capabilities by using: >> >> submission_backend_capabilities = VRFY 8BITMIME DSN >> >> dovecot properly reports all SMTP capabilities in the first EHLO response, >> but it completely stops emitting X-CLIENT command to the backend >> and try to simply forward the command without authentication, which result >> in postfix rejecting the command with an unauthorized user error. >> >> What is wrong with my configuration ? >> Thanks. > > Can you send us your complete configuration (output from `dovecot -n`)? Yes (see below). Some additional information: === When I connect directly to dovecot-submission using nc and send an EHLO command, I got the following result (the SIZE is configured in dovecot config, that’s why it is properly announced), but no raw_log are generated at all. $ nc smtp.example.com 587 220 smtp.example.com Dovecot ready. EHLO mydomain.com 250-smtp.example.com 250-8BITMIME 250-AUTH 250-BURL imap 250-CHUNKING 250-ENHANCEDSTATUSCODES 250-SIZE 41943040 250-STARTTLS 250 PIPELINING QUIT 221 2.0.0 Bye === Ditto if I use openssl s_client -starttls smtp -crlf -connect smtp.example.com:587 and send the EHLO after STARTTLS. === For the record, here is the result of a direct connect to postfix: $ nc 127.0.0.1 8587 220 smtp.example.com ESMTP Postfix EHLO example.com 250-smtp.example.com 250-PIPELINING 250-SIZE 41943040 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 SMTPUTF8 === And here is the content of the row logs when a mail is sent. rawlog.in 1564258521.813430 220 smtp.example.com ESMTP Postfix 1564258521.814206 250-smtp.example.com 1564258521.814206 250-PIPELINING 1564258521.814206 250-SIZE 41943040 1564258521.814206 250-VRFY 1564258521.814206 250-ETRN 1564258521.814206 250-STARTTLS 1564258521.814206 250-AUTH PLAIN LOGIN 1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT 1564258521.814206 250-ENHANCEDSTATUSCODES 1564258521.814206 250-8BITMIME 1564258521.814206 250-DSN 1564258521.814206 250 SMTPUTF8 1564258521.848159 220 smtp.example.com ESMTP Postfix 1564258521.849506 250-smtp.example.com 1564258521.849506 250-PIPELINING 1564258521.849506 250-SIZE 41943040 1564258521.849506 250-VRFY 1564258521.849506 250-ETRN 1564258521.849506 250-STARTTLS 1564258521.849506 250-AUTH PLAIN LOGIN 1564258521.849506 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT 1564258521.849506 250-ENHANCEDSTATUSCODES 1564258521.849506 250-8BITMIME 1564258521.849506 250-DSN 1564258521.849506 250 SMTPUTF8 1564258521.854093 250 2.1.0 Ok 1564258521.909487 250 2.1.5 Ok 1564258521.983093 354 End data with . 1564258522.115312 250 2.0.0 Ok: queued as DDBCCD53B rawlog.out 1564258521.813739 EHLO smtp.example.com 1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66 1564258521.848701 EHLO smtp.example.com 1564258521.850122 MAIL FROM: AUTH=info 1564258521.889896 RCPT TO: 1564258521.981094 DATA 1564258521.983757 Received: from [10.188.153.106] ([46.193.33.66])
Re: submission configuration issues
On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote: Hello, I'm having trouble configuring the submission proxy. I have configured the submission service as follow: submission_host = smtp.example.com submission_relay_host = localhost submission_relay_port = 8587 submission_relay_rawlog_dir = /var/log/dovecot/ submission_relay_trusted = yes My main issue is that until I login, dovecot-submission won't connect to the backend and query the capabilities and so won't report the right capabilities. That mean that the first EHLO message don't get the right capabilities list. " EHLO example.com 250-smtp.example.com 250-8BITMIME 250-AUTH PLAIN LOGIN 250-BURL imap 250-CHUNKING 250-ENHANCEDSTATUSCODES 250-SIZE 250 PIPELINING " This list don't contains VRFY, DNS, and SIZE is not specified (all of these is present in backend EHLO response). After login, if I send an new EHLO command, everything is properly reported. The raw log shows that unlike what the documentation says, dovecot don't try to connect to the backend until the user is properly logged. In my raw log I show that after I logged in dovecot-submission, the later open a connection to the backend and send a X-CLIENT command. Now, if I try to force the capabilities by using: submission_backend_capabilities = VRFY 8BITMIME DSN dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting X-CLIENT command to the backend and try to simply forward the command without authentication, which result in postfix rejecting the command with an unauthorized user error. What is wrong with my configuration ? Thanks. Can you send us your complete configuration (output from `dovecot -n`)? Regards, Stephan.
submission configuration issues
Hello, I'm having trouble configuring the submission proxy. I have configured the submission service as follow: submission_host = smtp.example.com submission_relay_host = localhost submission_relay_port = 8587 submission_relay_rawlog_dir = /var/log/dovecot/ submission_relay_trusted = yes My main issue is that until I login, dovecot-submission won't connect to the backend and query the capabilities and so won't report the right capabilities. That mean that the first EHLO message don't get the right capabilities list. " EHLO example.com 250-smtp.example.com 250-8BITMIME 250-AUTH PLAIN LOGIN 250-BURL imap 250-CHUNKING 250-ENHANCEDSTATUSCODES 250-SIZE 250 PIPELINING " This list don't contains VRFY, DNS, and SIZE is not specified (all of these is present in backend EHLO response). After login, if I send an new EHLO command, everything is properly reported. The raw log shows that unlike what the documentation says, dovecot don't try to connect to the backend until the user is properly logged. In my raw log I show that after I logged in dovecot-submission, the later open a connection to the backend and send a X-CLIENT command. Now, if I try to force the capabilities by using: submission_backend_capabilities = VRFY 8BITMIME DSN dovecot properly reports all SMTP capabilities in the first EHLO response, but it completely stops emitting X-CLIENT command to the backend and try to simply forward the command without authentication, which result in postfix rejecting the command with an unauthorized user error. What is wrong with my configuration ? Thanks. Jean-Daniel
