Hi Jacky,

in postfix/main.cf you typically set something like

smtpd_sasl_auth_enable=yes
smtpd_sasl_type=cyrus
smtpd_sasl_exceptions_networks=$mynetworks
smtpd_sasl_security_options=noanonymous
smtpd_sasl_authenticated_header=yes
broken_sasl_auth_clients=yes
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended

postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.

http://www.postfix.org/SASL_README.html
https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

Best regards
Gerald

> On 09.01.2019 at 10:15, Jacky <jacky at jesstech.com> wrote:
>
> Hi,
>
> Anyone know how to enable this SMTP AUTH feature with Postfix?
>
> Regards,
>
> Jacky
>
>
> On 7/4/2018 3:40 AM, Paul Hecker wrote:
>> Hi,
>>
>>> On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo at gmail.com> wrote:
>>>
>>> Hi Paul,
>>>
>>> Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??
>> here the steps I have done to integrate Dovecot submission in Exim:
>>
>> - Create and set the acl_smtp_mailauth ACL:
>>
>> acl_smtp_mailauth = acl_check_mailauth
>>
>> acl_check_mailauth:
>>   accept
>>     hosts = <; 127.0.0.1 ; ::1
>>     condition = ${if eq{$interface_port}{10025}}
>>     log_message = Will accept MAIL AUTH parameter for $authenticated_sender
>>   deny
>>
>>
>> - add a deny for all connections to 10025 without MAIL AUTH parameter in acl_smtp_mail ACL:
>>
>>   deny
>>     condition = ${if eq{$interface_port}{10025}}
>>     condition = ${if eq{$authenticated_sender}{}}
>>     message = All connections on port $interface_port need MAIL AUTH sender
>>
>> - in Dovecot, add the following submission parameters
>>
>> submission_relay_port = 10025
>> submission_relay_ssl = starttls
>> submission_relay_ssl_verify = no
>>
>> All the remaining parts of the Dovecot config are the default for submission protocol/service, copied either from the sources (default config) or from here:
>>
>> https://wiki.dovecot.org/Submission
>>
>> Feel free if you have any further questions.
>>
>> Regards,
>> Paul
>>
>>
>>> I use Exim+Dovecot (Exim4U) and wouldn't mind exploring this.
>>>
>>> Thanks in advance.
>>>
>>>
>>> On 6 April 2018 at 19:15, Paul Hecker <paul at iwascoding.com> wrote:
>>> Hi,
>>>
>>> Thank you very much. This did the trick!
>>>
>>>> On 6. Apr 2018, at 15:56, Stephan Bosch <stephan at rename-it.nl> wrote:
>>>>
>>>>
>>>>
>>>> On 6-4-2018 at 13:52, Paul Hecker wrote:
>>>>> Hi,
>>>>>
>>>>> Dovecot 2.3.1 (8e2f634). Could not get Dovecot to forward the (plain) authentication to the SMTP server using submission. Reason why I need it is sender spoofing (do not want my employees to send messages on behalf of me).
>>>>>
>>>>> In exim I can disable sender spoofing with the authenticated user. When sending through dovecot, exim either does not accept the email (need auth) or relay every sender address (because relaying from localhost).
>>>>>
>>>>> Am I missing a setting or do I need any additional field in the (MySQL) user_query/password_query to forward the password?
>>>>>
>>>>> You can find my config here:
>>>>>
>>>>> https://gist.github.com/lluuaapp/7daddf761131da47237b0f45e6bab5a8
>>>> That would be possible using the following SMTP AUTH feature:
>>>>
>>>> https://tools.ietf.org/html/rfc4954#section-5
>>>>
>>>> Which is apparently supported by Exim: https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail
>>>> This requires explicit configuration, so it will not work out of the box.
>>> Here is what I did:
>>>
>>> I had to add the acl_smtp_mailauth to only allow this on a certain port. Then I had to duplicate my code for sender spoofing for authenticated users and change the $authenticated_id -> $authenticated_sender.
>>>
>>> Besides that, I must use TLS (in my case STARTTLS) so that Dovecot actually sends the MAIL AUTH parameter.
>>>
>>>> The Dovecot Submission service should support this too. It sends an AUTH parameter with the MAIL command (currently only when the username is a valid SMTP address). However, I must say, I haven't tested this recently.
>>> I can confirm that it works (only with TLS with my current configuration, see above).
>>>
>>>> I can try this in a few days. Feel free to experiment with this yourself.
>>>>
>>>> Regards,
>>>>
>>>> Stephan.
>>> Thanks again,
>>> Paul
>>>
>>>
>>> --
>>> Best regards,
>>> Odhiambo WASHINGTON,
>>> Nairobi,KE
>>> +254 7 3200 0004/+254 7 2274 3223
>>> "Oh, the cruft."

Hi Gerald,

in my postfix/main.cf

smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client
broken_sasl_auth_clients = yes

I am already using dovecot for SASL

The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM

MAIL FROM:<jacky at xxx.com> AUTH=jacky at xxx.com SIZE=1430

But, it seems that postfix does not accept the AUTH= parameter and rejects the sender as not logged in.

Best regards,

Jacky

On 9/1/2019 5:49 PM, Gerald Galster wrote:
> Hi Jacky,
>
> in postfix/main.cf you typically set something like
>
> smtpd_sasl_auth_enable=yes
> smtpd_sasl_type=cyrus
> smtpd_sasl_exceptions_networks=$mynetworks
> smtpd_sasl_security_options=noanonymous
> smtpd_sasl_authenticated_header=yes
> broken_sasl_auth_clients=yes
> smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
>
> smtpd_recipient_restrictions might already exist in main.cf and in that case has to be extended
>
> postfix can verify login/passwords via sasl but it does not store these credentials, so you need to install saslauthd and add user/pass there or use a dovecot instance that already authenticates users for pop/imap.
>
> http://www.postfix.org/SASL_README.html
> https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
>
> Best regards
> Gerald
>
>> On 09.01.2019 at 10:15, Jacky <jacky at jesstech.com> wrote:
>>
>> Hi,
>>
>> Anyone know how to enable this SMTP AUTH feature with Postfix?
>>
>> Regards,
>>
>> Jacky
>>
>>
>> On 7/4/2018 3:40 AM, Paul Hecker wrote:
>>> Hi,
>>>
>>>> On 6. Apr 2018, at 18:58, Odhiambo Washington <odhiambo at gmail.com> wrote:
>>>>
>>>> Hi Paul,
>>>>
>>>> Care to share your config (even OFFLIST) that has successfully integrated Dovecot Submission service with Exim??

Hi Jacky,

if postfix did not log a specific error to your maillog you could change smtpd to smtpd -v in master.cf to get more debug output or use debug_peer_list to see what smtp commands are sent:

http://www.postfix.org/DEBUG_README.html

Typically smtp auth looks like this:

S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com
S: 250-smtp.example.com
S: 250 AUTH CRAM-MD5 DIGEST-MD5
C: AUTH FOOBAR
S: 504 Unrecognized authentication type.

or

C: AUTH CRAM-MD5
S: 334 PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
S: 235 Authentication successful.

C = client, S = server

Depending on your setup the password (maybe base64 encoded) or hash must also be sent for verification.

Or you could try to authenticate with a master user for all connections by setting

submission_relay_master_user
submission_relay_password

in dovecot, see https://wiki.dovecot.org/Submission

Best regards
Gerald

> On 09.01.2019 at 11:08, Jacky <jacky at jesstech.com> wrote:
>
> Hi Gerald,
>
> in my postfix/main.cf
>
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = /var/run/dovecot/auth-client
> broken_sasl_auth_clients = yes
>
> I am already using dovecot for SASL
>
> The dovecot submission service authenticates users and already added the AUTH= parameter in the MAIL FROM
>
> MAIL FROM:<jacky at xxx.com> AUTH=jacky at xxx.com SIZE=1430
>
> But, it seems that postfix does not accept the AUTH= parameter and rejects the sender as not logged in.

On Wed, 9 Jan 2019 at 13:09, Jacky <jacky at jesstech.com> wrote:

> Hi Gerald,
>
> in my postfix/main.cf
>
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = /var/run/dovecot/auth-client
> broken_sasl_auth_clients = yes
>
> I am already using dovecot for SASL
>
> The dovecot submission service authenticates users and already added the
> AUTH= parameter in the MAIL FROM
>
> MAIL FROM:<jacky at xxx.com> AUTH=jacky at xxx.com SIZE=1430
>
> But, it seems that postfix does not accept the AUTH= parameter and
> rejects the sender as not logged in.
>
>
> Best regards,
>
> Jacky
>

Hi Jacky,

Your question belongs to postfix mailing list.

Anyway, the last time I was playing with postfix (I am an Exim user normally), I had to check that:

smtpd_sasl_path = /var/run/dovecot/auth-client

..the socket is readable by the postfix user:

So, check 10-master.conf for the socket. Something like:

# Postfix smtp-auth
unix_listener var/run/dovecot/auth-client {
  mode = 0666
}

Restart dovecot and see...

You can read the https://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
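
The trust decision behind the RFC 4954 MAIL FROM AUTH= parameter discussed in this thread, as an added Python example that is not code from any participant or from Exim, Postfix or Dovecot. It mirrors the shape of Paul's ACLs (loopback peers, port 10025); the function names, the rule that the envelope sender must equal the asserted identity, and the sample addresses are assumptions made for illustration.

```python
import re
from ipaddress import ip_address

RELAY_PORT = 10025  # relay port used in the thread's Exim/Dovecot setup
TRUSTED_PEERS = {ip_address("127.0.0.1"), ip_address("::1")}

def xtext_decode(value):
    """Decode RFC 3461 xtext, where '+XX' is a hex-escaped byte."""
    if re.search(r"\+(?![0-9A-F]{2})", value):
        raise ValueError("malformed xtext escape")
    return re.sub(r"\+([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_mail_from(line):
    """Return (envelope_sender, auth_value_or_None) for a MAIL FROM command."""
    m = re.fullmatch(r"MAIL FROM:<([^>]*)>((?: \S+)*)", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a MAIL FROM command")
    sender, auth = m.group(1), None
    for param in m.group(2).split():
        key, _, val = param.partition("=")
        if key.upper() == "AUTH":
            auth = xtext_decode(val)
    return sender, auth

def authenticated_sender(peer_ip, local_port, auth):
    """Honour AUTH= only from a trusted peer on the relay port.

    An AUTH= value from any other client is an unverified claim and is
    discarded; AUTH=<> means the submitter's identity is unknown.
    """
    trusted = ip_address(peer_ip) in TRUSTED_PEERS and local_port == RELAY_PORT
    if not trusted or auth is None or auth == "<>":
        return ""
    return auth

def check_mail(peer_ip, local_port, line):
    """Return (accepted, identity_or_reason) for one MAIL FROM command."""
    sender, auth = parse_mail_from(line)
    ident = authenticated_sender(peer_ip, local_port, auth)
    if local_port == RELAY_PORT and not ident:
        return (False, "need MAIL AUTH sender")
    # Assumed anti-spoofing rule: envelope sender must be the asserted identity.
    if ident and sender.lower() != ident.lower():
        return (False, "sender does not match authenticated identity")
    return (True, ident)

if __name__ == "__main__":
    # Constructed sample commands (not taken from a real log).
    for peer, port, cmd in [
        ("127.0.0.1", 10025, "MAIL FROM:<alice@example.com> AUTH=alice@example.com SIZE=1430"),
        ("127.0.0.1", 10025, "MAIL FROM:<boss@example.com> AUTH=alice@example.com"),
        ("192.0.2.7", 25, "MAIL FROM:<boss@example.com> AUTH=boss@example.com"),
    ]:
        print(peer, port, check_mail(peer, port, cmd))
```

On any listener other than the relay port the AUTH= value is ignored rather than rejected, so the usual relay and authentication restrictions of that listener still have to apply.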