Dan Conway
2021-Jul-22 22:22 UTC
BDAT to DATA translation on submission service when checkpassword is involved
Hello,

I'm having issues with Dovecot translating "BDAT" commands (CHUNKING) into "DATA" commands when the backend does not support it in the submission service. I use "checkpassword" to authenticate users and judging by older mailing list entries the presence of "submission_*" directives must be in place for Dovecot to translate. Even with these directives set, the translation doesn't seem to occur.

checkpassword returns "director_tag=remote_smtp" (along with other fields such as nopassword=y proxy=y) which in turn sets the backend host to relay the connection to. I have a feeling the use of checkpassword has something to do with this lack of translation.

If the "submission_*" directives must be in place for this translation to occur, which ones are they? Can I return these fields from checkpassword?

Output of doveconf -n:

# 2.3.15 (0503334ab1): /etc/dovecot/dovecot.conf
# OS: Linux 4.15.0-147-generic x86_64 Ubuntu 18.04.5 LTS
# Hostname: xyz
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
director_mail_servers = x.x.x.x@remote_smtp
director_servers = x.x.x.x
disable_plaintext_auth = no
mail_log_prefix = "%Us(%u) [%r]: "
passdb {
  args = /usr/local/bin/checkpassword
  driver = checkpassword
}
protocols = " imap pop3 submission"
service anvil {
  client_limit = 3553
}
service auth {
  client_limit = 3550
}
service director {
  fifo_listener login/proxy-notify {
    mode = 0600
    user = $default_login_user
  }
  inet_listener {
    address = x.x.x.x
    port = 9090
  }
  unix_listener director-admin {
    mode = 0600
  }
  unix_listener login/director {
    mode = 0666
  }
}
service imap-login {
  executable = imap-login director
  inet_listener imap {
    address = x.x.x.x
    port = 143
  }
  inet_listener imaps {
    address = x.x.x.x
    port = 993
    ssl = yes
  }
  process_limit = 1000
  process_min_avail = 0
  service_count = 1
}
service imap {
  process_limit = 2048
  process_min_avail = 0
  service_count = 1
  vsz_limit = 384 M
}
service pop3-login {
  executable = pop3-login director
  inet_listener pop3 {
    address = x.x.x.x
    port = 110
  }
  inet_listener pop3s {
    address = x.x.x.x
    port = 995
    ssl = yes
  }
  process_limit = 450
}
service pop3 {
  process_limit = 190
  process_min_avail = 0
  service_count = 1
}
service submission-login {
  executable = submission-login director
  inet_listener smtp {
    address = x.x.x.x
    port = 25
  }
  inet_listener smtps {
    address = x.x.x.x
    port = 465
    ssl = yes
  }
  inet_listener submission {
    address = x.x.x.x
    port = 587
  }
  process_limit = 2000
}
ssl_cert = </etc/...
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.1
submission_backend_capabilities
submission_host = x.x.x.x
submission_relay_host = x.x.x.x
submission_relay_port = 465
submission_relay_ssl = smtps
submission_relay_trusted = yes
userdb {
  args = /etc/dovecot/userdb.conf
  driver = ldap
}
protocol imap {
  imap_logout_format = bytes=%i/%o, del=%e
  mail_max_userip_connections = 20
}
protocol pop3 {
  mail_max_userip_connections = 20
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
}
protocol submission {
  mail_max_userip_connections = 10
}
local_name *.domain.com {
  ssl_cert = </etc/...
  ssl_key = # hidden, use -P to show it
}
Aki Tuomi
2021-Jul-23 05:50 UTC
BDAT to DATA translation on submission service when checkpassword is involved
> On 23/07/2021 01:22 Dan Conway <darkc0de at archnix6.net> wrote:
>
>
> Hello,
>
> I'm having issues with Dovecot translating "BDAT" commands (CHUNKING)
> into "DATA" commands when the backend does not support it in the
> submission service. I use "checkpassword" to authenticate users and
> judging by older mailing list entries the presence of "submission_*"
> directives must be in place for Dovecot to translate. Even with these
> directives set, the translation doesn't seem to occur.
>
> checkpassword returns "director_tag=remote_smtp" (along with other
> fields such as nopassword=y proxy=y) which in turn sets the backend host
> to relay the connection to. I have a feeling the use of checkpassword
> has something to do with this lack of translation.
>
> If the "submission_*" directives must be in place for this translation
> to occur, which ones are they? Can I return these fields from checkpassword?
>
>
> Output of doveconf -n:
>
> # 2.3.15 (0503334ab1): /etc/dovecot/dovecot.conf
> # OS: Linux 4.15.0-147-generic x86_64 Ubuntu 18.04.5 LTS
> # Hostname: xyz
> auth_debug = yes
> auth_debug_passwords = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> director_mail_servers = x.x.x.x@remote_smtp
> director_servers = x.x.x.x
> disable_plaintext_auth = no
> mail_log_prefix = "%Us(%u) [%r]: "
> passdb {
>   args = /usr/local/bin/checkpassword
>   driver = checkpassword
> }
> protocols = " imap pop3 submission"
> service anvil {
>   client_limit = 3553
> }
> service auth {
>   client_limit = 3550
> }
> service director {
>   fifo_listener login/proxy-notify {
>     mode = 0600
>     user = $default_login_user
>   }
>   inet_listener {
>     address = x.x.x.x
>     port = 9090
>   }
>   unix_listener director-admin {
>     mode = 0600
>   }
>   unix_listener login/director {
>     mode = 0666
>   }
> }
> service imap-login {
>   executable = imap-login director
>   inet_listener imap {
>     address = x.x.x.x
>     port = 143
>   }
>   inet_listener imaps {
>     address = x.x.x.x
>     port = 993
>     ssl = yes
>   }
>   process_limit = 1000
>   process_min_avail = 0
>   service_count = 1
> }
> service imap {
>   process_limit = 2048
>   process_min_avail = 0
>   service_count = 1
>   vsz_limit = 384 M
> }
> service pop3-login {
>   executable = pop3-login director
>   inet_listener pop3 {
>     address = x.x.x.x
>     port = 110
>   }
>   inet_listener pop3s {
>     address = x.x.x.x
>     port = 995
>     ssl = yes
>   }
>   process_limit = 450
> }
> service pop3 {
>   process_limit = 190
>   process_min_avail = 0
>   service_count = 1
> }
> service submission-login {
>   executable = submission-login director
>   inet_listener smtp {
>     address = x.x.x.x
>     port = 25
>   }
>   inet_listener smtps {
>     address = x.x.x.x
>     port = 465
>     ssl = yes
>   }
>   inet_listener submission {
>     address = x.x.x.x
>     port = 587
>   }
>   process_limit = 2000
> }
> ssl_cert = </etc/...
> ssl_dh = # hidden, use -P to show it
> ssl_key = # hidden, use -P to show it
> ssl_min_protocol = TLSv1.1
> submission_backend_capabilities
> submission_host = x.x.x.x
> submission_relay_host = x.x.x.x
> submission_relay_port = 465
> submission_relay_ssl = smtps
> submission_relay_trusted = yes
> userdb {
>   args = /etc/dovecot/userdb.conf
>   driver = ldap
> }
> protocol imap {
>   imap_logout_format = bytes=%i/%o, del=%e
>   mail_max_userip_connections = 20
> }
> protocol pop3 {
>   mail_max_userip_connections = 20
>   pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
> }
> protocol submission {
>   mail_max_userip_connections = 10
> }
> local_name *.domain.com {
>   ssl_cert = </etc/...
>   ssl_key = # hidden, use -P to show it
> }

Hi!

The submission service works from the backend, not the proxy.

Aki