> On 27 Jul 2019 at 14:30, Stephan Bosch <stephan at rename-it.nl> wrote:
>
> On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
>> Hello,
>>
>> I'm having trouble configuring the submission proxy.
>>
>> I have configured the submission service as follows:
>>
>> submission_host = smtp.example.com
>> submission_relay_host = localhost
>> submission_relay_port = 8587
>> submission_relay_rawlog_dir = /var/log/dovecot/
>> submission_relay_trusted = yes
>>
>> My main issue is that until I log in, dovecot-submission won't
>> connect to the backend and query the capabilities, and so won't report
>> the right capabilities.
>>
>> That means that the first EHLO message doesn't get the right
>> capabilities list.
>>
>> "
>> EHLO example.com
>>
>> 250-smtp.example.com
>> 250-8BITMIME
>> 250-AUTH PLAIN LOGIN
>> 250-BURL imap
>> 250-CHUNKING
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE
>> 250 PIPELINING
>> "
>>
>> This list doesn't contain VRFY, DSN, and SIZE is not specified (all
>> of these are present in the backend EHLO response).
>> After login, if I send a new EHLO command, everything is properly
>> reported. The raw log shows that, unlike what the documentation says,
>> dovecot doesn't try to connect to the backend until the user is
>> properly logged in.
>>
>> In my raw log I see that after I logged in to dovecot-submission, the
>> latter opens a connection to the backend and sends an XCLIENT command.
>>
>>
>> Now, if I try to force the capabilities by using:
>>
>> submission_backend_capabilities = VRFY 8BITMIME DSN
>>
>> dovecot properly reports all SMTP capabilities in the first EHLO
>> response, but it completely stops emitting the XCLIENT command to the
>> backend and simply tries to forward the command without authentication,
>> which results in postfix rejecting the command with an unauthorized
>> user error.
>>
>> What is wrong with my configuration?
>> Thanks.
>
> Can you send us your complete configuration (output from `dovecot -n`)?
Yes (see below).
Some additional information:
==============
When I connect directly to dovecot-submission using nc and send an EHLO command,
I get the following result (SIZE is configured in the dovecot config, that's why
it is properly announced), but no raw logs are generated at all.
$ nc smtp.example.com 587
220 smtp.example.com Dovecot ready.
EHLO mydomain.com
250-smtp.example.com
250-8BITMIME
250-AUTH
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE 41943040
250-STARTTLS
250 PIPELINING
QUIT
221 2.0.0 Bye
==============
Ditto if I use openssl s_client -starttls smtp -crlf -connect
smtp.example.com:587 and send the EHLO after STARTTLS.
==============
For the record, here is the result of a direct connect to postfix:
$ nc 127.0.0.1 8587
220 smtp.example.com ESMTP Postfix
EHLO example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
==============
And here is the content of the raw logs when a mail is sent.
======== rawlog.in
1564258521.813430 220 smtp.example.com ESMTP Postfix
1564258521.814206 250-smtp.example.com
1564258521.814206 250-PIPELINING
1564258521.814206 250-SIZE 41943040
1564258521.814206 250-VRFY
1564258521.814206 250-ETRN
1564258521.814206 250-STARTTLS
1564258521.814206 250-AUTH PLAIN LOGIN
1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.814206 250-ENHANCEDSTATUSCODES
1564258521.814206 250-8BITMIME
1564258521.814206 250-DSN
1564258521.814206 250 SMTPUTF8
1564258521.848159 220 smtp.example.com ESMTP Postfix
1564258521.849506 250-smtp.example.com
1564258521.849506 250-PIPELINING
1564258521.849506 250-SIZE 41943040
1564258521.849506 250-VRFY
1564258521.849506 250-ETRN
1564258521.849506 250-STARTTLS
1564258521.849506 250-AUTH PLAIN LOGIN
1564258521.849506 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.849506 250-ENHANCEDSTATUSCODES
1564258521.849506 250-8BITMIME
1564258521.849506 250-DSN
1564258521.849506 250 SMTPUTF8
1564258521.854093 250 2.1.0 Ok
1564258521.909487 250 2.1.5 Ok
1564258521.983093 354 End data with <CR><LF>.<CR><LF>
1564258522.115312 250 2.0.0 Ok: queued as DDBCCD53B
======== rawlog.out
1564258521.813739 EHLO smtp.example.com
1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66
1564258521.848701 EHLO smtp.example.com
1564258521.850122 MAIL FROM:<service at example.com> AUTH=info
1564258521.889896 RCPT TO:<jddupas at xooloo.com>
1564258521.981094 DATA
1564258521.983757 Received: from [10.188.153.106] ([46.193.33.66])
1564258521.983757 by smtp.example.com with ESMTPSA
1564258521.983757 id cSDvMtmwPF14TAAABU9jsA
1564258521.983757 (envelope-from <service at example.com>)
1564258521.983757 for <jddupas at xooloo.com>; Sat, 27 Jul 2019 22:15:21 +0200
1564258521.984065 From: Jean-Daniel Dupas <service at example.com>
1564258521.984065 Content-Type: text/plain
1564258521.984065 Content-Transfer-Encoding: 7bit
1564258521.984065 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
1564258521.984065 Subject: Send test
1564258521.984065 Message-Id: <827EAD17-6C27-4BDF-AD94-F106E37745C1 at example.com>
1564258521.984065 Date: Sat, 27 Jul 2019 22:15:19 +0200
1564258521.984065 To: Jean-Daniel Dupas <jddupas at xooloo.com>
1564258521.984065 X-Mailer: Apple Mail (2.3445.104.11)
1564258521.984065
1564258521.984280 .
1564258543.105429 QUIT
================== doveconf -n
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.15.0-55-generic x86_64 Ubuntu 18.04.2 LTS
# Hostname: example.com
auth_mechanisms = plain login
auth_verbose = yes
hostname = smtp.example.com
imap_hibernate_timeout = 1 mins
mail_attribute_dict = file:%h/metadata
mail_gid = vmail
mail_location = mdbox:~/mail
mail_plugins = fts fts_xapian
mail_server_admin = mailto:sysadmin at example.com
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  fts = xapian
  fts_autoindex = yes
  fts_autoindex_exclude = \Junk
  fts_autoindex_exclude2 = \Trash
  fts_enforced = yes
  fts_languages = fr en
  fts_xapian = partial=2 full=20
  imapsieve_mailbox1_before = file:/var/lib/vmail/imapsieve/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/var/lib/vmail/imapsieve/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/var/lib/vmail/imapsieve/unflag.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Trash
  plugin = fts fts_xapian
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /var/lib/vmail/sieve-after
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /var/lib/vmail/sieve-pipe
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
postmaster_address =
protocols = " imap lmtp sieve submission"
recipient_delimiter = -
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service doveadm {
  vsz_limit = 1 G
}
service imap-hibernate {
  unix_listener imap-hibernate {
    group = vmail
    mode = 0660
  }
  user = vmail
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 2
}
service imap {
  unix_listener imap-master {
    user = vmail
  }
}
service indexer-worker {
  vsz_limit = 1 G
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = localhost
  }
}
service submission-login {
  inet_listener submissions {
    haproxy = no
    port = 465
    reuse_port = no
    ssl = yes
  }
}
ssl_alt_cert = </var/lib/acme/imap.example.com/rsa/cert.pem
ssl_alt_key = # hidden, use -P to show it
ssl_cert = </var/lib/acme/imap.example.com/ecdsa/cert.pem
ssl_cipher_list = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.1
ssl_prefer_server_ciphers = yes
submission_host = smtp.example.com
submission_max_mail_size = 40 M
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_trusted = yes
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = fts fts_xapian sieve
}
protocol imap {
  imap_metadata = yes
  mail_max_userip_connections = 25
  mail_plugins = fts fts_xapian imap_zlib imap_sieve
  namespace inbox {
    location =
    mailbox Junk {
      autoexpunge = 30 days
    }
    mailbox Trash {
      autoexpunge = 30 days
    }
    prefix =
  }
}
>
> Regards,
>
> Stephan.
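The capability mismatch described in the post (the proxy's first EHLO reply versus what Postfix announces on port 8587) can be checked mechanically rather than by eye. The Python below is an added example and not code from the post or from Dovecot: it parses the two replies quoted above (embedded here as constructed strings), enforces the RFC 5321 continuation rules so a truncated transcript is rejected rather than silently yielding a partial set, and reports which backend extensions the proxy does not pass through, which it adds itself, and which it advertises with different parameters. The HOP_BY_HOP set, listing extensions a relay is expected to terminate itself rather than copy from the backend, is this example's own assumption.

```python
"""Parse ESMTP EHLO replies and diff a submission proxy's advertised
capabilities against the backend it relays to.

Added example; not code from the post or from Dovecot. The two replies are
constructed from the transcripts quoted in the thread above."""
from typing import AbstractSet, Dict, List, Set, Tuple

Caps = Dict[str, List[str]]

# Constructed: dovecot-submission's reply before AUTH, as quoted in the post
# (note SIZE carries no value here).
PROXY_EHLO = """\
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
"""

# Constructed: Postfix's reply on the relay port 8587, as quoted in the post.
BACKEND_EHLO = """\
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
"""

# Assumption (this example's, not Dovecot's): extensions negotiated per hop,
# which the proxy speaks itself or not at all and must not copy from the backend.
HOP_BY_HOP: Set[str] = {"STARTTLS", "AUTH", "XCLIENT", "PIPELINING",
                        "CHUNKING", "BURL", "ETRN"}


def parse_ehlo(reply: str) -> Caps:
    """Map EHLO keywords to their parameter lists.

    Every line but the last must use '250-', the last '250 ' (RFC 5321), and
    the first line carries the server's domain rather than a capability.
    A malformed or truncated reply raises instead of returning a partial set.
    """
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    caps: Caps = {}
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line {i + 1}: {line!r}")
        is_last = line[3] == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("EHLO reply ends early or never ends")
        if i == 0:
            continue  # greeting line: domain plus optional free text
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def diff_capabilities(front: Caps, back: Caps,
                      ignore: AbstractSet[str] = frozenset()
                      ) -> Tuple[List[str], List[str], List[str]]:
    """Return (missing, added, changed), all sorted:
    missing: backend extensions the proxy does not advertise;
    added:   extensions only the proxy advertises;
    changed: advertised by both but with different parameters (e.g. SIZE)."""
    f = {k: v for k, v in front.items() if k not in ignore}
    b = {k: v for k, v in back.items() if k not in ignore}
    missing = sorted(set(b) - set(f))
    added = sorted(set(f) - set(b))
    changed = sorted(k for k in set(f) & set(b) if f[k] != b[k])
    return missing, added, changed


def report(proxy_reply: str = PROXY_EHLO, backend_reply: str = BACKEND_EHLO):
    """Diff the two replies, ignoring hop-by-hop extensions."""
    return diff_capabilities(parse_ehlo(proxy_reply), parse_ehlo(backend_reply),
                             HOP_BY_HOP)


if __name__ == "__main__":
    missing, added, changed = report()
    print("backend extensions not passed through:", missing)
    print("proxy-only extensions:", added)
    print("parameter mismatch:", changed)
```

To compare a live server, replace the two constants with the text read back after EHLO (for the proxy: once before STARTTLS, once after, and once after AUTH, since the post shows the set changes at each step). SIZE with no value in the proxy's first reply is legal under RFC 1870 (the server declines to state a limit), which is why the example reports it as a parameter mismatch rather than a missing extension.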
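A relay that proxies authenticated submission has to tell the backend who authenticated; in the rawlog above that happens through the XCLIENT LOGIN= and ADDR= attributes sent before MAIL FROM. The script below is an added example, not code from the post or from Dovecot: it reads a rawlog.out in the format shown above, skips message bodies so header lines cannot pose as commands, and flags any transaction that reaches MAIL FROM without a preceding XCLIENT carrying LOGIN, or whose AUTH= parameter differs from the XCLIENT login. The two log samples are constructed from the post (the second models the no-XCLIENT behaviour the author observed after setting submission_backend_capabilities); the addresses are placeholders, and the rule that AUTH= should equal the XCLIENT LOGIN is this example's own assumption, taken from the post's log.

```python
"""Audit a dovecot-submission relay rawlog.out: did the proxy identify the
authenticated client to the backend (XCLIENT) before each MAIL FROM?

Added example; not code from the post or from Dovecot. Samples are
constructed from the rawlog excerpt above: one '<epoch.usec> <smtp line>'
record per line, addresses replaced with placeholders."""
import re
from typing import Dict, List, Optional

# Constructed: the successful session from the post, body trimmed to two
# header lines, one of which deliberately looks like an SMTP command.
RAWLOG_OK = """\
1564258521.813739 EHLO smtp.example.com
1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66
1564258521.848701 EHLO smtp.example.com
1564258521.850122 MAIL FROM:<service@example.com> AUTH=info
1564258521.889896 RCPT TO:<jddupas@xooloo.com>
1564258521.981094 DATA
1564258521.983757 Received: from [10.188.153.106] ([46.193.33.66])
1564258521.984065 Subject: MAIL FROM:<spoof@example.com>
1564258521.984280 .
1564258543.105429 QUIT
"""

# Constructed: the failure mode described in the post once
# submission_backend_capabilities is set: no XCLIENT before the transaction.
RAWLOG_NO_XCLIENT = """\
1564258600.000000 EHLO smtp.example.com
1564258600.100000 MAIL FROM:<service@example.com> AUTH=info
1564258600.200000 RCPT TO:<jddupas@xooloo.com>
"""

RECORD = re.compile(r"^(\d+\.\d+) (.*)$")


def xtext_decode(value: str) -> str:
    """Undo RFC 3461 xtext '+HH' escapes, used by the MAIL FROM AUTH=
    parameter and by Postfix XCLIENT attribute values."""
    return re.sub(r"\+([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def smtp_commands(rawlog: str) -> List[str]:
    """Extract the client's command lines from a rawlog.out.

    Message bodies (DATA up to the lone '.') are skipped so header text is
    never mistaken for a command; records without a timestamp (wrapped by
    a mail client) are ignored. Caveat: rawlog.out alone does not show
    whether the server accepted DATA; this assumes it did.
    """
    commands: List[str] = []
    in_body = False
    for record in rawlog.splitlines():
        m = RECORD.match(record)
        if not m:
            continue
        line = m.group(2).strip()
        if in_body:
            in_body = line != "."
            continue
        if not line:
            continue
        commands.append(line)
        in_body = line.upper() == "DATA"
    return commands


def esmtp_params(line: str, skip: int) -> Dict[str, str]:
    """KEY=VALUE tokens after the first `skip` tokens: XCLIENT attributes
    (skip=1) or the ESMTP parameters after the address on MAIL FROM (skip=2)."""
    out: Dict[str, str] = {}
    for token in line.split()[skip:]:
        if "=" in token:
            key, value = token.split("=", 1)
            out[key.upper()] = xtext_decode(value)
    return out


def audit(rawlog: str) -> List[str]:
    """Return findings; an empty list means every MAIL FROM was preceded by
    an XCLIENT that carried the client's login and address."""
    findings: List[str] = []
    login: Optional[str] = None
    for line in smtp_commands(rawlog):
        verb = line.split(None, 1)[0].upper()
        if verb == "XCLIENT":
            attrs = esmtp_params(line, 1)
            login = attrs.get("LOGIN")
            if login is None or login.upper() == "[UNAVAILABLE]":
                findings.append(f"{line}: no LOGIN, backend sees an unauthenticated session")
            if "ADDR" not in attrs:
                findings.append(f"{line}: no ADDR, backend logs the proxy's IP, not the client's")
        elif verb == "MAIL":
            auth = esmtp_params(line, 2).get("AUTH")
            if login is None:
                findings.append(f"{line}: sent without a preceding XCLIENT LOGIN")
            elif auth is not None and auth != login:
                # Assumption: the proxy sets AUTH= to the same login it sent in XCLIENT.
                findings.append(f"{line}: AUTH={auth!r} does not match XCLIENT LOGIN={login!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", RAWLOG_OK), ("no-xclient", RAWLOG_NO_XCLIENT)):
        print(name, audit(sample) or ["clean"])
```

Point it at a real rawlog_dir capture (Dovecot writes a separate rawlog.in and rawlog.out per session; only the .out side is needed here) to confirm, after any change to submission_relay_* or submission_backend_capabilities, that the backend still receives the authenticated identity before the first MAIL FROM.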