List, we're migrating to 2.2 from a 1.x version. There has been mention from time to time of a dovecot SMTP submission server. Last I saw was Timo suggesting this would be a 2.3 feature, but that there was already a 'basic' capability in 2.2 that, more or less, merely provided a secured/authorised SMTP submission. I haven't found anything about this in the wiki, but the feature is of interest to us. I would like to *not* have our MTA capable of being exploited as a relay (it isn't, at the moment) whereas users are logging into our dovecot from offsite using imaps with passwords. While moving to 2.2, I'd like to try to use a secure SMTP submission *separate* from the MTA so that that software, with whatever vulnerabilities or weaknesses it might have, remained locked down and could not relay, if at all possible.

(Imaps with passwords means the login details are not transmitted in cleartext and, so, leak no security to an observer of the communications channel. Doubtless there are other weaknesses somewhere but, at least, when using hotel wifi, for example, there is little chance of revealing login details to a packet sniffer. It won't be perfect, there are probably other vulnerabilities, not least in the underlying OSs at each end, but the connection - which is a serious vulnerability in many places - will be as good as is practical to make it.)

So, is there some kind of SMTP submission service for a logged in dovecot user, and how would a client make use of that? Is it possible to setup 2.2.15 for this? And, crucially, would the connections between the client (eg at a hotel in some unreliable location) be encrypted right from the start, not using STARTTLS, as is the case in imaps? And, just to be really demanding, could we configure its use on a non-standard port?

regards, Ron

to make it short

* dovecot is no MTA submission server
* if you find a security issue in postfix running on 587 over TLS cry out loud
* dovecot offers a SASL provider for postfix submission

that's it and if you think that combination is not secure enough pull the network cables

On 16.11.2014 at 00:03, Ron Leach wrote:
> List, we're migrating to 2.2 from a 1.x version. There has been mention
> from time to time of a dovecot SMTP submission server. Last I saw was
> Timo suggesting this would be a 2.3 feature, but that there was already
> a 'basic' capability in 2.2 that, more or less, merely provided a
> secured/authorised SMTP submission. I haven't found anything about this
> in the wiki, but the feature is of interest to us. I would like to
> *not* have our MTA capable of being exploited as a relay (it isn't, at
> the moment) whereas users are logging into our dovecot from offsite
> using imaps with passwords. While moving to 2.2, I'd like to try to use
> a secure SMTP submission *separate* from the MTA so that that software,
> with whatever vulnerabilities or weaknesses it might have, remained
> locked down and could not relay, if at all possible.
>
> (Imaps with passwords means the login details are not transmitted in
> cleartext and, so, leak no security to an observer of the communications
> channel. Doubtless there are other weaknesses somewhere but, at least,
> when using hotel wifi, for example, there is little chance of revealing
> login details to a packet sniffer. It won't be perfect, there are
> probably other vulnerabilities, not least in the underlying OSs at each
> end, but the connection - which is a serious vulnerability in many
> places - will be as good as is practical to make it.)
>
> So, is there some kind of SMTP submission service for a logged in
> dovecot user, and how would a client make use of that? Is it possible
> to setup 2.2.15 for this? And, crucially, would the connections between
> the client (eg at a hotel in some unreliable location) be encrypted
> right from the start, not using STARTTLS, as is the case in imaps? And,
> just to be really demanding, could we configure its use on a
> non-standard port?
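
The combination named in the reply above (Postfix taking submissions, Dovecot acting as its SASL provider), sketched as an added configuration example that is not from either poster or from the Dovecot project. Port 10465, the syslog name and the socket path are assumptions, and the TLS certificate and key are assumed to be configured in main.cf already.

```conf
# ---- Dovecot 2.2: conf.d/10-master.conf ----
# Expose the auth service on a socket inside the Postfix queue directory
# so that smtpd can ask Dovecot to verify the same passwords used for imaps.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# ---- Dovecot 2.2: conf.d/10-auth.conf ----
# Refuse plaintext mechanisms on connections that are not encrypted.
disable_plaintext_auth = yes
auth_mechanisms = plain login

# ---- Postfix: master.cf ----
# Dedicated submission listener on a non-standard port (10465 is an
# assumed value). smtpd_tls_wrappermode starts TLS before any SMTP
# command is exchanged, as imaps does, instead of using STARTTLS.
10465     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission-tls
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# ---- Postfix: main.cf ----
# The public port 25 listener stays closed to relaying: SASL is not
# enabled globally, and mail for foreign destinations is rejected.
smtpd_sasl_auth_enable = no
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
```

After reloading both daemons, `postconf -M 10465/inet` shows the listener entry, and an unauthenticated client on that port should be rejected before it can name a recipient.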