Hi,

> On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo at gmail.com> wrote:
>
> Hi Paul,
>
> Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??

Here are the steps I have done to integrate Dovecot submission in Exim:

- Create and set the acl_smtp_mailauth ACL:

  acl_smtp_mailauth = acl_check_mailauth

  acl_check_mailauth:
    accept
      hosts = <; 127.0.0.1 ; ::1
      condition = ${if eq{$interface_port}{10025}}
      log_message = Will accept MAIL AUTH parameter for $authenticated_sender

    deny

- add a deny for all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:

  deny
    condition = ${if eq{$interface_port}{10025}}
    condition = ${if eq{$authenticated_sender}{}}
    message = All connections on port $interface_port need MAIL AUTH sender

- in Dovecot, add the following submission parameters

  submission_relay_port = 10025
  submission_relay_ssl = starttls
  submission_relay_ssl_verify = no

All the remaining parts of the Dovecot config are the default for submission protocol/service, copied either from the sources (default config) or from here:

https://wiki.dovecot.org/Submission

Feel free if you have any further questions.

Regards,
Paul

> I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
>
> Thanks in advance.
>
>
> On 6 April 2018 at 19:15, Paul Hecker <paul at iwascoding.com> wrote:
> Hi,
>
> Thank you very much. This did the trick!
>
> > On 6. Apr 2018, at 15:56, Stephan Bosch <stephan at rename-it.nl> wrote:
> >
> > On 6-4-2018 at 13:52, Paul Hecker wrote:
> >> Hi,
> >>
> >> Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages on behalf of me).
> >>
> >> In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
> >>
> >> Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
> >>
> >> You can find my config here:
> >>
> >> https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
> >
> > That would be possible using the following SMTP AUTH feature:
> >
> > https://tools.ietf.org/html/rfc4954#section-5
> >
> > Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail
> > This requires explicit configuration, so it will not work out of the box.
>
> Here is what I did:
>
> I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
>
> Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
>
> > The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only when the username is a valid SMTP address). However, I must say, I haven't tested this recently.
>
> I can confirm that it works (only with TLS with my current configuration, see above).
>
> > I can try this in a few days. Feel free to experiment with this yourself.
> >
> > Regards,
> >
> > Stephan.
>
> Thanks again,
> Paul
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."

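Added example (not part of the thread, and not Exim or Dovecot code): a small Python model of the decision the two ACL rules above make for a MAIL command carrying the RFC 4954 AUTH= parameter, including xtext decoding of its value. The function names, the final sender-match rule (the poster's own anti-spoofing rule is not shown in the thread) and the sample commands are assumptions made for illustration.

```python
import re

TRUSTED_HOSTS = {"127.0.0.1", "::1"}  # hosts list from the ACL in the thread
RELAY_PORT = 10025                     # submission_relay_port from the thread
# xtext (RFC 3461): printable ASCII except "+" and "=", which appear as "+HH".
_XTEXT = re.compile(r"(?:[!-*,-<>-~]|\+[0-9A-F]{2})*")
_MAIL = re.compile(r"MAIL FROM:<([^>]*)>(.*)", re.IGNORECASE)

def xtext_decode(value):
    """Decode an xtext-encoded AUTH= value, rejecting malformed input."""
    if not _XTEXT.fullmatch(value):
        raise ValueError("not valid xtext")
    return re.sub(r"\+([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_mail_command(line):
    """Return (envelope_sender, auth_identity or None) for a MAIL command."""
    m = _MAIL.fullmatch(line.strip())
    if not m:
        raise ValueError("not a MAIL FROM command")
    sender, auth = m.group(1), None
    for param in m.group(2).split():
        key, _, val = param.partition("=")
        if key.upper() == "AUTH":
            # AUTH=<> means the client does not vouch for any identity.
            auth = None if val == "<>" else xtext_decode(val)
    return sender, auth

def check_mail(line, peer_ip, local_port):
    """Apply the thread's two ACL rules, then an assumed sender match."""
    sender, auth = parse_mail_command(line)
    on_relay_port = local_port == RELAY_PORT
    # acl_smtp_mailauth: trust AUTH= only from the local relay on its port;
    # otherwise the value is ignored rather than the command rejected.
    trusted = peer_ip in TRUSTED_HOSTS and on_relay_port
    authenticated_sender = auth if trusted else None
    # acl_smtp_mail: the relay port requires a MAIL AUTH sender.
    if on_relay_port and not authenticated_sender:
        return False, "MAIL AUTH sender required"
    # Assumed anti-spoofing rule (the poster's own rule is not shown).
    if authenticated_sender and sender.lower() != authenticated_sender.lower():
        return False, "sender does not match authenticated identity"
    return True, "accepted"

if __name__ == "__main__":
    # Constructed sample commands, not captured traffic.
    for cmd in ("MAIL FROM:<alice@example.org> AUTH=alice@example.org",
                "MAIL FROM:<boss@example.org> AUTH=alice@example.org"):
        print(cmd, "->", check_mail(cmd, "127.0.0.1", RELAY_PORT))
```

On any other port the model simply ignores AUTH= and returns "accepted"; in a real configuration the remaining ACLs for that port still apply.
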
Hi,

Anyone know how to enable this SMTP AUTH feature with Postfix?

Regards,

Jacky

On 7/4/2018 3:40 AM, Paul Hecker wrote:
> Hi,
>
>> On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo at gmail.com> wrote:
>>
>> Hi Paul,
>>
>> Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??
> Here are the steps I have done to integrate Dovecot submission in Exim:
>
> - Create and set the acl_smtp_mailauth ACL:
>
>   acl_smtp_mailauth = acl_check_mailauth
>
>   acl_check_mailauth:
>     accept
>       hosts = <; 127.0.0.1 ; ::1
>       condition = ${if eq{$interface_port}{10025}}
>       log_message = Will accept MAIL AUTH parameter for $authenticated_sender
>
>     deny
>
> - add a deny for all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
>
>   deny
>     condition = ${if eq{$interface_port}{10025}}
>     condition = ${if eq{$authenticated_sender}{}}
>     message = All connections on port $interface_port need MAIL AUTH sender
>
> - in Dovecot, add the following submission parameters
>
>   submission_relay_port = 10025
>   submission_relay_ssl = starttls
>   submission_relay_ssl_verify = no
>
> All the remaining parts of the Dovecot config are the default for submission protocol/service, copied either from the sources (default config) or from here:
>
> https://wiki.dovecot.org/Submission
>
> Feel free if you have any further questions.
>
> Regards,
> Paul
>
>
>> I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
>>
>> Thanks in advance.
>>
>>
>> On 6 April 2018 at 19:15, Paul Hecker <paul at iwascoding.com> wrote:
>> Hi,
>>
>> Thank you very much. This did the trick!
>>
>>> On 6. Apr 2018, at 15:56, Stephan Bosch <stephan at rename-it.nl> wrote:
>>>
>>> On 6-4-2018 at 13:52, Paul Hecker wrote:
>>>> Hi,
>>>>
>>>> Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages on behalf of me).
>>>>
>>>> In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
>>>>
>>>> Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
>>>>
>>>> You can find my config here:
>>>>
>>>> https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
>>> That would be possible using the following SMTP AUTH feature:
>>>
>>> https://tools.ietf.org/html/rfc4954#section-5
>>>
>>> Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail
>>> This requires explicit configuration, so it will not work out of the box.
>> Here is what I did:
>>
>> I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
>>
>> Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
>>
>>> The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only when the username is a valid SMTP address). However, I must say, I haven't tested this recently.
>> I can confirm that it works (only with TLS with my current configuration, see above).
>>
>>> I can try this in a few days. Feel free to experiment with this yourself.
>>>
>>> Regards,
>>>
>>> Stephan.
>> Thanks again,
>> Paul
>>
>>
>> --
>> Best regards,
>> Odhiambo WASHINGTON,
>> Nairobi,KE
>> +254 7 3200 0004/+254 7 2274 3223
>> "Oh, the cruft."

Hi Jacky,

in postfix/main.cf you typically set something like

  smtpd_sasl_auth_enable=yes
  smtpd_sasl_type=cyrus
  smtpd_sasl_exceptions_networks=$mynetworks
  smtpd_sasl_security_options=noanonymous
  smtpd_sasl_authenticated_header=yes
  broken_sasl_auth_clients=yes
  smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended

postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.

http://www.postfix.org/SASL_README.html
https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

Best regards
Gerald

> On 09.01.2019 at 10:15, Jacky <jacky at jesstech.com> wrote:
>
> Hi,
>
> Anyone know how to enable this SMTP AUTH feature with Postfix?
>
> Regards,
>
> Jacky
>
>
> On 7/4/2018 3:40 AM, Paul Hecker wrote:
>> Hi,
>>
>>> On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo at gmail.com> wrote:
>>>
>>> Hi Paul,
>>>
>>> Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??
>> Here are the steps I have done to integrate Dovecot submission in Exim:
>>
>> - Create and set the acl_smtp_mailauth ACL:
>>
>>   acl_smtp_mailauth = acl_check_mailauth
>>
>>   acl_check_mailauth:
>>     accept
>>       hosts = <; 127.0.0.1 ; ::1
>>       condition = ${if eq{$interface_port}{10025}}
>>       log_message = Will accept MAIL AUTH parameter for $authenticated_sender
>>
>>     deny
>>
>> - add a deny for all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
>>
>>   deny
>>     condition = ${if eq{$interface_port}{10025}}
>>     condition = ${if eq{$authenticated_sender}{}}
>>     message = All connections on port $interface_port need MAIL AUTH sender
>>
>> - in Dovecot, add the following submission parameters
>>
>>   submission_relay_port = 10025
>>   submission_relay_ssl = starttls
>>   submission_relay_ssl_verify = no
>>
>> All the remaining parts of the Dovecot config are the default for submission protocol/service, copied either from the sources (default config) or from here:
>>
>> https://wiki.dovecot.org/Submission
>>
>> Feel free if you have any further questions.
>>
>> Regards,
>> Paul
>>
>>
>>> I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
>>>
>>> Thanks in advance.
>>>
>>>
>>> On 6 April 2018 at 19:15, Paul Hecker <paul at iwascoding.com> wrote:
>>> Hi,
>>>
>>> Thank you very much. This did the trick!
>>>
>>>> On 6. Apr 2018, at 15:56, Stephan Bosch <stephan at rename-it.nl> wrote:
>>>>
>>>> On 6-4-2018 at 13:52, Paul Hecker wrote:
>>>>> Hi,
>>>>>
>>>>> Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages on behalf of me).
>>>>>
>>>>> In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
>>>>>
>>>>> Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
>>>>>
>>>>> You can find my config here:
>>>>>
>>>>> https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
>>>> That would be possible using the following SMTP AUTH feature:
>>>>
>>>> https://tools.ietf.org/html/rfc4954#section-5
>>>>
>>>> Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail
>>>> This requires explicit configuration, so it will not work out of the box.
>>> Here is what I did:
>>>
>>> I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
>>>
>>> Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
>>>
>>>> The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only when the username is a valid SMTP address). However, I must say, I haven't tested this recently.
>>> I can confirm that it works (only with TLS with my current configuration, see above).
>>>
>>>> I can try this in a few days. Feel free to experiment with this yourself.
>>>>
>>>> Regards,
>>>>
>>>> Stephan.
>>> Thanks again,
>>> Paul
>>>
>>>
>>> --
>>> Best regards,
>>> Odhiambo WASHINGTON,
>>> Nairobi,KE
>>> +254 7 3200 0004/+254 7 2274 3223
>>> "Oh, the cruft."