Yes Dovecot will proxy the connection to the real MTA. My question is why authentication is /always/ required on Dovecot when submission is used, as MTAs usually have an option to allow non-authenticated relaying.

On 7/28/21 10:19 AM, justina colmena ~biz wrote:
> I am quite curious about the circumstances of this question. I was not
> aware that Dovecot actually offered mail submission service. If
> Dovecot does offer such a service, then it will have to relay the
> submitted mail to the real MTA, which is very likely not Dovecot. At
> the moment I have Postfix set up as MTA for that purpose ?
>
> Relaying on port 25 is usually quick and easy to whitelist for certain
> permitted hosts, but otherwise port 587, optionally with STARTTLS,
> and/or port 465 with SSL/TLS is generally set up for user
> authenticated mail submissions.
>
> See also:
> https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/
>
> On July 28, 2021 6:10:28 AM AKDT, Dan Conway <darkc0de at archnix6.net>
> wrote:
>
> Hello,
>
> Is it possible to disable the requirement for authentication on the
> submission service? I'm trying to require authentication for all, except
> for a handful of IP addresses.
>
> Thank you.
>
> ehlo test.com
> 250-aaa
> 250-AUTH PLAIN LOGIN
> 250-BURL imap
> 250-CHUNKING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-SIZE
> 250 PIPELINING
> MAIL FROM:<test at test.com>
> 530 5.7.0 Authentication required.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

On 28.07.2021 at 19:08, Dan Conway wrote:
> Yes Dovecot will proxy the connection to the real MTA. My question is
> why authentication is /always/ required on Dovecot when submission is
> used, as MTAs usually have an option to allow non-authenticated relaying.

And relaying without authentication is a bad thing you should avoid.

Alexander

>>>>> "Dan" == Dan Conway <darkc0de at archnix6.net> writes:

Are you sure? I know that postfix can use the same backend database for authentication as dovecot, and dovecot can be the master, but dovecot does NOT listen on port 25 or 587 at all, those are all just used by Postfix.

Dan> Yes Dovecot will proxy the connection to the real MTA. My
Dan> question is why authentication is always required on Dovecot when
Dan> submission is used, as MTAs usually have an option to allow
Dan> non-authenticated relaying.

Dan> On 7/28/21 10:19 AM, justina colmena ~biz wrote:

Dan> I am quite curious about the circumstances of this question. I was not aware that Dovecot
Dan> actually offered mail submission service. If Dovecot does offer such a service, then it will
Dan> have to relay the submitted mail to the real MTA, which is very likely not Dovecot. At the
Dan> moment I have Postfix set up as MTA for that purpose ?

Dan> Relaying on port 25 is usually quick and easy to whitelist for certain permitted hosts, but
Dan> otherwise port 587, optionally with STARTTLS, and/or port 465 with SSL/TLS is generally set up
Dan> for user authenticated mail submissions.

Dan> See also:
Dan> https://www.mailgun.com/blog/which-smtp-port-understanding-ports-25-465-587/

Dan> On July 28, 2021 6:10:28 AM AKDT, Dan Conway <darkc0de at archnix6.net> wrote:

Dan> Hello,

Dan> Is it possible to disable the requirement for authentication on the
Dan> submission service? I'm trying to require authentication for all, except
Dan> for a handful of IP addresses.

Dan> Thank you.

Dan> ehlo test.com
Dan> 250-aaa
Dan> 250-AUTH PLAIN LOGIN
Dan> 250-BURL imap
Dan> 250-CHUNKING
Dan> 250-DSN
Dan> 250-ENHANCEDSTATUSCODES
Dan> 250-SIZE
Dan> 250 PIPELINING
Dan> MAIL FROM:<test at test.com>
Dan> 530 5.7.0 Authentication required.

Dan> --
Dan> Sent from my Android device with K-9 Mail. Please excuse my brevity.

On Wednesday, 28 July 2021 19:08:17 CEST, Dan Conway wrote:
> Yes Dovecot will proxy the connection to the real MTA. My question is
> why authentication is /always/ required on Dovecot when submission is
> used, as MTAs usually have an option to allow non-authenticated relaying.

I thought that mandatory authentication is the whole point of having mail submission on other port than 25. But looking at the RFC:
https://datatracker.ietf.org/doc/html/rfc6409#section-4.3
It says that authorization by other means (being within a protected subnetwork) is possible.

Anyway, as dovecot ultimately passes the mail to MTA, it is much easier to make the unauthenticated IP relay list in MTA, and submit on port 25.

Or is there something special you want dovecot to do with those mails?

--
Best Regards
Vladislav Kurz

On 2021-07-29 10:12, Vladislav Kurz wrote:
> I thought that mandatory authentication is the whole point of having
> mail
> submission on other port than 25. But looking at the RFC:
> https://datatracker.ietf.org/doc/html/rfc6409#section-4.3
> It says that authorization by other means (being within a protected
> subnetwork) is possible.

from the time of pop-before-smtp rfc1918 have always worked for all, when a single ip could open up smtp auth for multiple rfc1918 ips in the time frame could relay all the mails without any needs for provide any password for it

hopefully none like to see this back

not even on ipv6 btw

> Anyway, as dovecot ultimately passes the mail to MTA, it is much easier
> to
> make the unauthenticated IP relay list in MTA, and submit on port 25.

it could still be another port than 25 there, it will be a mess to mix outbound and inbound on same port

> Or is there something special you want dovecot to do with those mails?

hopefully no, i think dovecot have submission for director hosts to still use one single mta server for outbound, not to change how end users uses it

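
Added example, not taken from any post in this thread: one way to do what the replies suggest, keeping the unauthenticated exemption list in the MTA and on a port other than 25, written as a Postfix `master.cf` fragment. The port `10025`, the `syslog_name` values and the `192.0.2.x` addresses are assumptions chosen for illustration.

```conf
# /etc/postfix/master.cf  (added example; port, names and addresses are assumed)

# Everyone else: submission on 587 with mandatory TLS and SASL authentication.
# Relay is granted only to authenticated sessions on this listener.
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# The handful of exempt hosts: a separate listener so that inbound MX traffic
# on port 25 and trusted outbound relay are not mixed on one port.
# mynetworks is overridden for this listener only and lists single hosts (/32),
# not whole RFC 1918 ranges: a range also covers every client that reaches the
# server from behind the same NAT or subnet.
10025      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/trusted-relay
  -o smtpd_sasl_auth_enable=no
  -o mynetworks=192.0.2.10/32,192.0.2.11/32
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
```

Because `smtpd_client_restrictions` ends in `reject`, a host outside the list is refused on this listener whether or not the recipient is local; the distinct `syslog_name` lets the log show which listener accepted each message.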