List: dovecot
Subject: RE: submission_host auth
From: k v <sintensa () outlook ! com>
Date: 2023-01-18 5:38:45
Message-ID: AM9PR09MB5121DB087046299B02ABDD86C5C79 () AM9PR09MB5121 ! eurprd09 ! prod ! outlook ! com
> There is no way for a forwarded email to SASL authenticate because no one is logged
> in or involved in the process of LMTP receiving mail for delivery from "the world".
> How is the MTA supposed to know the SASL password for staff@work.com?
dovecot auth with "master user" when sending emails via submission_host;
postfix:

1. using smtpd_sender_login_maps, allow the master user to send messages with any
mail from, like that:
smtpd_sender_login_maps = regexp:/etc/postfix/login_map.regexp
---
login_map.regexp:
/^master@example.com$/ .*

OR

2. in postfix master.cf declare a dedicated submission port allowed only for dovecot,
without reject_sender_login_mismatch, like that:
2525 inet n - n - - smtpd
  -o smtpd_helo_restrictions=permit_sasl_authenticated
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit_sasl_authenticated

I think it's better than
mynetworks = 10.0.1.0/24 #whole subnet, container ip assigned dynamically :(
with
smtpd_sender_restrictions =
  permit_mynetworks
smtpd_relay_restrictions =
  permit_mynetworks

What about SPF in the described scenario, you are right, SPF will be broken. Well..
it's an implementation feature.
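An added example, not from either poster's setup, modelling how Postfix's reject_sender_login_mismatch consults a regexp smtpd_sender_login_maps table: the lookup key is the MAIL FROM address and the result is the SASL login(s) that own it, so a catch-all rule whose result is the master login is what lets one authenticated account send with any envelope sender, while every other login stays pinned to its own address. The master login name, the example.com domain and the map rules are assumptions for this example.

```python
from __future__ import annotations
import re

# Constructed regexp table in the shape of Postfix's smtpd_sender_login_maps:
# key = MAIL FROM address, result = SASL logins that own it. As in Postfix
# regexp tables, the first matching pattern wins and "$1" in the result is
# replaced by the first capture group. The master login name is an assumption.
MASTER_LOGIN = "master@example.com"
SENDER_LOGIN_MAP = [
    (r"^(.+)@example\.com$", f"$1@example.com, {MASTER_LOGIN}"),  # own address or master
    (r".", MASTER_LOGIN),                                         # any other sender: master only
]

def lookup_owners(mail_from: str) -> list[str] | None:
    """Return the logins that own mail_from, or None when no pattern matches."""
    for pattern, result in SENDER_LOGIN_MAP:
        m = re.search(pattern, mail_from, re.IGNORECASE)
        if m:
            if m.groups():
                result = result.replace("$1", m.group(1))
            return [o.lower() for o in re.split(r"[,\s]+", result) if o]
    return None

def sender_login_mismatch(mail_from: str, sasl_login: str | None) -> str | None:
    """Simplified model of reject_sender_login_mismatch. Returns the rejection
    reason, or None when the MAIL FROM is allowed:
    - authenticated client: its login must be among the owners of MAIL FROM;
    - unauthenticated client: MAIL FROM must have no owner at all."""
    owners = lookup_owners(mail_from)
    if sasl_login is not None:
        if owners is None or sasl_login.lower() not in owners:
            return f"Sender address rejected: not owned by user {sasl_login}"
        return None
    if owners is not None:
        return "Sender address rejected: not logged in"
    return None

if __name__ == "__main__":
    # The forwarding container, logged in as the master user, re-sends with the
    # original customer's address as envelope sender: allowed by the catch-all.
    print(sender_login_mismatch("customer@random.com", MASTER_LOGIN))  # -> None
    # An ordinary user trying to use a colleague's address is refused.
    print(sender_login_mismatch("alice@example.com", "bob@example.com"))
    # -> 'Sender address rejected: not owned by user bob@example.com'
```

With the catch-all rule every address has an owner, so on this port an unauthenticated client cannot use any MAIL FROM at all, which is the intended effect of a submission-only listener.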
________________________________
From: dovecot <dovecot-bounces@dovecot.org> on behalf of dovecot@ptld.com <dovecot@ptld.com>
Sent: 17 January 2023 23:18
To: dovecot@dovecot.org <dovecot@dovecot.org>
Subject: Re: submission_host auth
> Let's say we have dovecot + sieve plugin container.
> Dovecot configured to use remote SMTP submission host to send messages:
> submission_host = postfix.example.com:587
I reviewed my config to see how I did it. I think you are right and SASL isn't used
here. I have dovecot and postfix on the same machine and in dovecot I set
submission_host = localhost:25

Then in my sieve filters I set
sieve_redirect_envelope_from = sender

I use SPF, DKIM, and DMARC.

To test this I have (fictitious) staff@work.com with a forward filter to
personal@home.com. I sent an email from customer@random.com to staff@work.com.
The @work.com server then sends a forwarded email to personal@home.com with
To: staff@work.com and From: customer@random.com.

Checking the @home.com logs I can see that SPF failed because the @work.com server sent
an email from @random.com; however, it had valid DKIM signatures from both @work.com
and @random.com, so DMARC passed and the email was accepted.

I guess if the @random.com mail server only implemented SPF and not included a DKIM
signature and DMARC policy then the @home.com server would have rejected the
forwarded email.

I know this might not be the best solution you are looking for, but it is the best I
could figure out to allow sieve forwarding. There is no way for a forwarded email to
SASL authenticate because no one is logged in or involved in the process of LMTP
receiving mail for delivery from "the world". How is the MTA supposed to know the
SASL password for staff@work.com?
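An added example (not the poster's setup) working through the forwarding test above: SPF fails because work.com's server is not an authorised sender for the preserved random.com envelope sender, yet DMARC still passes on the aligned random.com DKIM signature, and dropping that signature shows what is left once SPF alone carries the message. The IP addresses, SPF records and a reject policy for random.com are constructed assumptions.

```python
from __future__ import annotations

# Constructed data for the forwarding test. Server addresses, SPF records and
# the random.com DMARC policy are assumptions for this example.
SPF_ALLOWED_IPS = {"random.com": {"198.51.100.5"}, "work.com": {"192.0.2.10"}}
DMARC_POLICY = {"random.com": "reject"}

# The message as personal@home.com's server sees it: work.com's MTA delivers it,
# but the envelope sender stays customer@random.com because of
# sieve_redirect_envelope_from = sender, and both DKIM signatures verify.
FORWARDED = {
    "client_ip": "192.0.2.10",
    "mail_from": "customer@random.com",
    "header_from": "customer@random.com",
    "dkim_pass_domains": ["random.com", "work.com"],
}

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def spf_result(client_ip: str, mail_from: str) -> str:
    """'pass' when the connecting IP is authorised by the MAIL FROM domain."""
    return "pass" if client_ip in SPF_ALLOWED_IPS.get(domain(mail_from), set()) else "fail"

def dmarc_result(msg: dict) -> tuple[str, str]:
    """Return (DMARC result, disposition) using strict identifier alignment:
    DMARC passes when SPF passes for a MAIL FROM domain equal to the From:
    domain, or when a passing DKIM signature's d= equals the From: domain."""
    from_dom = domain(msg["header_from"])
    policy = DMARC_POLICY.get(from_dom)
    if policy is None:
        return ("none", "accept")  # no policy published: nothing to enforce
    spf_aligned = (spf_result(msg["client_ip"], msg["mail_from"]) == "pass"
                   and domain(msg["mail_from"]) == from_dom)
    dkim_aligned = any(d.lower() == from_dom for d in msg["dkim_pass_domains"])
    if spf_aligned or dkim_aligned:
        return ("pass", "accept")
    if policy == "reject":
        return ("fail", "reject")
    return ("fail", "quarantine" if policy == "quarantine" else "accept")

if __name__ == "__main__":
    print(spf_result(FORWARDED["client_ip"], FORWARDED["mail_from"]))  # -> fail
    print(dmarc_result(FORWARDED))                                      # -> ('pass', 'accept')
    # Same forward, but random.com signs nothing: only SPF is left, and forwarding broke it.
    print(dmarc_result({**FORWARDED, "dkim_pass_domains": ["work.com"]}))  # -> ('fail', 'reject')
```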