On 27 Jul 2019, at 14:30, Stephan Bosch <step...@rename-it.nl> wrote:
>
> On 23/07/2019 17:13, Jean-Daniel Dupas via dovecot wrote:
>> Hello,
>>
>> I'm having trouble configuring the submission proxy.
>>
>> I have configured the submission service as follows:
>>
>> submission_host = smtp.example.com
>> submission_relay_host = localhost
>> submission_relay_port = 8587
>> submission_relay_rawlog_dir = /var/log/dovecot/
>> submission_relay_trusted = yes
>>
>> My main issue is that until I log in, dovecot-submission won't connect to the
>> backend and query the capabilities, and so won't report the right
>> capabilities.
>>
>> That means that the first EHLO message doesn't get the right capabilities list.
>>
>> "
>> EHLO example.com
>>
>> 250-smtp.example.com
>> 250-8BITMIME
>> 250-AUTH PLAIN LOGIN
>> 250-BURL imap
>> 250-CHUNKING
>> 250-ENHANCEDSTATUSCODES
>> 250-SIZE
>> 250 PIPELINING
>> "
>>
>> This list doesn't contain VRFY, DNS, and SIZE is not specified (all of these
>> are present in the backend EHLO response).
>> After login, if I send a new EHLO command, everything is properly reported.
>> The raw log shows that, unlike what the documentation says,
>> Dovecot doesn't try to connect to the backend until the user is properly
>> logged in.
>>
>> In my raw log I see that after I log in to dovecot-submission, the latter
>> opens a connection to the backend and sends an X-CLIENT command.
>>
>>
>> Now, if I try to force the capabilities by using:
>>
>> submission_backend_capabilities = VRFY 8BITMIME DSN
>>
>> Dovecot properly reports all SMTP capabilities in the first EHLO response,
>> but it completely stops emitting the X-CLIENT command to the backend
>> and simply tries to forward the commands without authentication, which results
>> in Postfix rejecting the command with an unauthorized user error.
>>
>> What is wrong with my configuration?
>> Thanks.
>
> Can you send us your complete configuration (output from `dovecot -n`)?

Yes (see below).
Some additional information:

===============
When I connect directly to dovecot-submission using nc and send an EHLO command, I get the following result (SIZE is configured in the Dovecot config, which is why it is properly announced), but no raw logs are generated at all.

$ nc smtp.example.com 587
220 smtp.example.com Dovecot ready.
EHLO mydomain.com
250-smtp.example.com
250-8BITMIME
250-AUTH
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE 41943040
250-STARTTLS
250 PIPELINING
QUIT
221 2.0.0 Bye

===============
Ditto if I use openssl s_client -starttls smtp -crlf -connect smtp.example.com:587 and send the EHLO after STARTTLS.

===============
For the record, here is the result of a direct connection to Postfix:

$ nc 127.0.0.1 8587
220 smtp.example.com ESMTP Postfix
EHLO example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8

===============
And here is the content of the raw logs when a mail is sent.
======== rawlog.in
1564258521.813430 220 smtp.example.com ESMTP Postfix
1564258521.814206 250-smtp.example.com
1564258521.814206 250-PIPELINING
1564258521.814206 250-SIZE 41943040
1564258521.814206 250-VRFY
1564258521.814206 250-ETRN
1564258521.814206 250-STARTTLS
1564258521.814206 250-AUTH PLAIN LOGIN
1564258521.814206 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.814206 250-ENHANCEDSTATUSCODES
1564258521.814206 250-8BITMIME
1564258521.814206 250-DSN
1564258521.814206 250 SMTPUTF8
1564258521.848159 220 smtp.example.com ESMTP Postfix
1564258521.849506 250-smtp.example.com
1564258521.849506 250-PIPELINING
1564258521.849506 250-SIZE 41943040
1564258521.849506 250-VRFY
1564258521.849506 250-ETRN
1564258521.849506 250-STARTTLS
1564258521.849506 250-AUTH PLAIN LOGIN
1564258521.849506 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
1564258521.849506 250-ENHANCEDSTATUSCODES
1564258521.849506 250-8BITMIME
1564258521.849506 250-DSN
1564258521.849506 250 SMTPUTF8
1564258521.854093 250 2.1.0 Ok
1564258521.909487 250 2.1.5 Ok
1564258521.983093 354 End data with <CR><LF>.<CR><LF>
1564258522.115312 250 2.0.0 Ok: queued as DDBCCD53B

======== rawlog.out
1564258521.813739 EHLO smtp.example.com
1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info PORT=47564 ADDR=46.193.33.66
1564258521.848701 EHLO smtp.example.com
1564258521.850122 MAIL FROM:<serv...@example.com> AUTH=info
1564258521.889896 RCPT TO:<jddu...@xooloo.com>
1564258521.981094 DATA
1564258521.983757 Received: from [10.188.153.106] ([46.193.33.66])
1564258521.983757 	by smtp.example.com with ESMTPSA
1564258521.983757 	id cSDvMtmwPF14TAAABU9jsA
1564258521.983757 	(envelope-from <serv...@example.com>)
1564258521.983757 	for <jddu...@xooloo.com>; Sat, 27 Jul 2019 22:15:21 +0200
1564258521.984065 From: Jean-Daniel Dupas <serv...@example.com>
1564258521.984065 Content-Type: text/plain
1564258521.984065 Content-Transfer-Encoding: 7bit
1564258521.984065 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
1564258521.984065 Subject: Send test
1564258521.984065 Message-Id: <827ead17-6c27-4bdf-ad94-f106e3774...@example.com>
1564258521.984065 Date: Sat, 27 Jul 2019 22:15:19 +0200
1564258521.984065 To: Jean-Daniel Dupas <jddu...@xooloo.com>
1564258521.984065 X-Mailer: Apple Mail (2.3445.104.11)
1564258521.984065 
1564258521.984280 .
1564258543.105429 QUIT

==================
doveconf -n
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.7.1 (db5c74be)
# OS: Linux 4.15.0-55-generic x86_64 Ubuntu 18.04.2 LTS
# Hostname: example.com
auth_mechanisms = plain login
auth_verbose = yes
hostname = smtp.example.com
imap_hibernate_timeout = 1 mins
mail_attribute_dict = file:%h/metadata
mail_gid = vmail
mail_location = mdbox:~/mail
mail_plugins = fts fts_xapian
mail_server_admin = mailto:sysad...@example.com
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
namespace inbox {
  inbox = yes
  location = 
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix = 
  separator = /
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  fts = xapian
  fts_autoindex = yes
  fts_autoindex_exclude = \Junk
  fts_autoindex_exclude2 = \Trash
  fts_enforced = yes
  fts_languages = fr en
  fts_xapian = partial=2 full=20
  imapsieve_mailbox1_before = file:/var/lib/vmail/imapsieve/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox2_before = file:/var/lib/vmail/imapsieve/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_name = *
  imapsieve_mailbox3_before = file:/var/lib/vmail/imapsieve/unflag.sieve
  imapsieve_mailbox3_causes = COPY
  imapsieve_mailbox3_name = Trash
  plugin = fts fts_xapian
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_after = /var/lib/vmail/sieve-after
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
  sieve_pipe_bin_dir = /var/lib/vmail/sieve-pipe
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
postmaster_address = 
protocols = " imap lmtp sieve submission"
recipient_delimiter = -
service auth-worker {
  user = $default_internal_user
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service doveadm {
  vsz_limit = 1 G
}
service imap-hibernate {
  unix_listener imap-hibernate {
    group = vmail
    mode = 0660
  }
  user = vmail
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 2
}
service imap {
  unix_listener imap-master {
    user = vmail
  }
}
service indexer-worker {
  vsz_limit = 1 G
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    address = localhost
  }
}
service submission-login {
  inet_listener submissions {
    haproxy = no
    port = 465
    reuse_port = no
    ssl = yes
  }
}
ssl_alt_cert = </var/lib/acme/imap.example.com/rsa/cert.pem
ssl_alt_key = # hidden, use -P to show it
ssl_cert = </var/lib/acme/imap.example.com/ecdsa/cert.pem
ssl_cipher_list = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.1
ssl_prefer_server_ciphers = yes
submission_host = smtp.example.com
submission_max_mail_size = 40 M
submission_relay_host = localhost
submission_relay_port = 8587
submission_relay_trusted = yes
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol lmtp {
  mail_plugins = fts fts_xapian sieve
}
protocol imap {
  imap_metadata = yes
  mail_max_userip_connections = 25
  mail_plugins = fts fts_xapian imap_zlib imap_sieve
  namespace inbox {
    location = 
    mailbox Junk {
      autoexpunge = 30 days
    }
    mailbox Trash {
      autoexpunge = 30 days
    }
    prefix = 
  }
}
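The two things worth checking mechanically in a thread like this are (a) which backend extensions the proxy's pre-authentication EHLO drops or mangles, and (b) whether the proxy actually sent XCLIENT to the backend and with which attributes. The script below is an added example written for this page; it is not code from the thread, from Dovecot or from Postfix. It uses the EHLO replies and the rawlog.out line posted above as constructed input. The PROXY_LOCAL set (extensions the proxy terminates itself, so their absence is expected) is my assumption, not a Dovecot list. One caveat a practitioner should keep in mind: with submission_relay_trusted = yes, Dovecot asserts the client's identity to Postfix via XCLIENT LOGIN=... and ADDR=..., so the relay port (8587 here) must only be reachable by the proxy, and Postfix must limit XCLIENT to that host through smtpd_authorized_xclient_hosts; any other host allowed to issue XCLIENT could claim an authenticated sender.

```python
"""Added example: diff a submission proxy's EHLO capabilities against its
backend's and inspect the XCLIENT command seen in the proxy's rawlog.out.
Input transcripts are copied from the mailing-list thread (constructed
test data); PROXY_LOCAL is the author's assumption, not a Dovecot list."""

from typing import Dict, List, Optional

# What dovecot-submission announced before authentication (from the thread).
PROXY_EHLO = """\
250-smtp.example.com
250-8BITMIME
250-AUTH PLAIN LOGIN
250-BURL imap
250-CHUNKING
250-ENHANCEDSTATUSCODES
250-SIZE
250 PIPELINING
"""

# What Postfix on 127.0.0.1:8587 announces (from the thread).
BACKEND_EHLO = """\
250-smtp.example.com
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN DESTADDR DESTPORT
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
"""

# Three lines of the rawlog.out from the thread: "<timestamp> <command ...>".
RAWLOG_OUT = (
    "1564258521.813739 EHLO smtp.example.com\n"
    "1564258521.846054 XCLIENT HELO=[10.188.153.106] PROTO=ESMTP LOGIN=info "
    "PORT=47564 ADDR=46.193.33.66\n"
    "1564258521.848701 EHLO smtp.example.com\n"
)

# Assumption: extensions the proxy handles itself, so the proxy not relaying
# them is expected. XCLIENT in particular must never be exposed to clients.
PROXY_LOCAL = {"STARTTLS", "AUTH", "XCLIENT", "PIPELINING", "CHUNKING", "BURL"}


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Parse a multi-line EHLO reply into {KEYWORD: parameters}.

    The first 250 line carries the server's domain and is skipped; every
    other line must start with '250-' (more follows) or '250 ' (last line).
    """
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    caps: Dict[str, str] = {}
    for line in lines[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"not an EHLO reply line: {line!r}")
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            caps[keyword.upper()] = params.strip()
    return caps


def compare_capabilities(proxy: Dict[str, str], backend: Dict[str, str]) -> List[str]:
    """Report backend extensions the proxy does not relay, and a SIZE limit
    the backend states but the proxy announces without a value."""
    findings: List[str] = []
    for keyword in sorted(backend):
        if keyword in PROXY_LOCAL:
            continue
        if keyword not in proxy:
            findings.append(f"backend advertises {keyword} but proxy does not")
        elif keyword == "SIZE" and backend[keyword] and not proxy[keyword]:
            findings.append(
                f"proxy announces SIZE without a limit; backend says {backend[keyword]}"
            )
    return findings


def xtext_decode(value: str) -> str:
    """Undo the xtext encoding ('+XX' hex escapes) XCLIENT uses for values."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "+" and i + 2 < len(value):
            try:
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
                continue
            except ValueError:
                pass  # a bare '+' not followed by two hex digits: keep literal
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_rawlog_xclient(rawlog_out: str) -> Optional[Dict[str, str]]:
    """Return the attributes of the first XCLIENT command in a rawlog.out,
    or None if the proxy never sent one (the symptom reported above when
    submission_backend_capabilities is set)."""
    for line in rawlog_out.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].upper() == "XCLIENT":
            attrs: Dict[str, str] = {}
            for item in parts[2:]:
                name, _, raw = item.partition("=")
                attrs[name.upper()] = xtext_decode(raw)
            return attrs
    return None


def audit() -> Dict[str, object]:
    """Run both checks over the constructed transcripts."""
    gaps = compare_capabilities(parse_ehlo(PROXY_EHLO), parse_ehlo(BACKEND_EHLO))
    return {"capability_gaps": gaps, "xclient": parse_rawlog_xclient(RAWLOG_OUT)}


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

Run against the transcripts above, the capability diff flags DSN, ETRN, SMTPUTF8 and VRFY as not relayed and SIZE as announced without the backend's 41943040 limit, while the rawlog check shows that XCLIENT did carry LOGIN=info and the real client address, which is exactly what the proxy stopped sending once submission_backend_capabilities was forced.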