Hi!
I am implementing the new "submission" proxy feature of dovecot
(https://wiki2.dovecot.org/Submission) with postfix and I am stuck on
user authentication.
When MUA connects to postfix's submission port it authenticates:
(local connection from roundcube MUA)
(postfix uses dovecot for auth)
------------------------------------------
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-{hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-PIPELINING
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-SIZE 30720000
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-AUTH PLAIN LOGIN
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-AUTH=PLAIN LOGIN
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-ENHANCEDSTATUSCODES
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250 8BITMIME
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: <
localhost[127.0.0.1]: AUTH LOGIN
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]:
xsasl_dovecot_server_first: sasl_method LOGIN
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]:
xsasl_dovecot_handle_reply: auth reply: {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 334 {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: <
localhost[127.0.0.1]: {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]:
xsasl_dovecot_handle_reply: auth reply: {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 334 {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: <
localhost[127.0.0.1]: {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]:
xsasl_dovecot_handle_reply: auth reply: OK?1?user=username@domain?
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 235 2.7.0 Authentication successful
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: <
localhost[127.0.0.1]: MAIL FROM:<username@domain>
------------------------------------------
When dovecot's MSA connects, it does not (obviously there is no need to
do it again):
------------------------------------------
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-{hidden}
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-PIPELINING
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-SIZE 30720000
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-AUTH PLAIN LOGIN
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-AUTH=PLAIN LOGIN
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-ENHANCEDSTATUSCODES
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250 8BITMIME
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: <
{host_fqdn}[{host_ip}]: MAIL FROM:<username@domain> AUTH=username@domain
BODY=8BITMIME SIZE=1545
------------------------------------------
As described here: https://tools.ietf.org/html/rfc4954#section-5
the user is already authenticated by the proxy and postfix receives AUTH with
the MAIL FROM command. It's $sasl_sender if I'm right:
http://www.postfix.org/postconf.5.html#permit_sasl_authenticated
Problem is:
I prevent sender address forging with smtpd_sender_login_mismatch and
smtpd_sender_login_maps.
Also I have set up dovecot's shared mailboxes feature and certain users
can send mail on behalf of them. Controlled forgery, so to speak.
In the case of the dovecot MSA I can't run those checks, because postfix treats
dovecot as an unauthenticated client.
It is possible to set up authentication in dovecot, but in this case all
users will have one SASL login. It passes permit_sasl_authenticated, but
does not prevent forgery, since smtpd_sender_login_mismatch has to be
removed.
Not to mention it makes dovecot authenticate against itself again, which
is ridiculous.
So, I set up a dedicated smtpd to get it working:
------------------------------------------ (part of master.cf)
172.16.229.5:5870 inet n - n - - smtpd
  -o cleanup_service_name=pre-cleanup
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o syslog_name=postfix/msa-dovecot
  -o mynetworks={dovecot_ip}
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=
  -o smtpd_recipient_restrictions=reject_unlisted_sender,reject_unlisted_recipient,reject_unknown_recipient_domain,check_sender_access,hash:/etc/postfix/maps/restricted_senders,permit_mynetworks,reject
  -o smtpd_restriction_classes=restrict
  -o restrict=check_recipient_access,hash:/etc/postfix/maps/restricted_senders_allowed_destinations,reject
###
------------------------------------------
Now it works, but any user can forge its sender address.
So the question is:
Is there any way to configure postfix to do the same checks (or
different ones with the same purpose) against $sasl_sender to prevent sender
address forgery?
Exim has something like that:
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail
My core setup:
postfix 2.11
dovecot 2.3.3
PS: the whole picture
I'm configuring a sort of Exchange "Outlook everywhere" function. Since
dovecot supports the proxy protocol, I can use an SNI check on the HAProxy node to
present IMAPS and SMTPS on a single port 443 and preserve client addresses
in logs.
It's very useful for people who roam the city and connect to the mail server
from firewalled/DPIed public networks.
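One way to get the check the question asks for, as an added example that is not part of the original post and not code from Postfix or Dovecot: Postfix's own reject_sender_login_mismatch compares smtpd_sender_login_maps against the SASL login name only, but the policy delegation protocol (SMTPD_POLICY_README, Postfix 2.2 and later) hands a policy server both sasl_username and sasl_sender, the latter being the decoded AUTH= parameter from MAIL FROM. The script below is a minimal policy server that applies sender-login-map semantics to whichever of the two identities is present, and believes sasl_sender only when the request comes from a trusted proxy address, because AUTH= is asserted by the client and an untrusted client could claim any login. The map contents, the proxy address 172.16.229.10, the rejection texts and the sample request are constructed for this example.

```python
#!/usr/bin/env python3
"""Postfix policy server (SMTPD_POLICY_README protocol) that enforces
sender-login-map semantics on the AUTH= identity a trusted proxy forwards
in MAIL FROM, which Postfix exposes to policy servers as "sasl_sender".
Example code; map contents, proxy address and texts are assumptions."""
import sys
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for smtpd_sender_login_maps (normally hash:/etc/postfix/maps/...).
# key = envelope sender address, value = SASL logins allowed to use it.
LOGIN_MAP: Dict[str, List[str]] = {
    "username@domain": ["username@domain"],
    # shared mailbox: two logins may send as it ("controlled forgery")
    "shared@domain": ["username@domain", "other@domain"],
}

# Only these client addresses are believed when they assert AUTH= in MAIL FROM.
TRUSTED_PROXIES = {"172.16.229.10"}   # assumed address of the Dovecot submission proxy


def sender_login_mismatch(sender: str, login: Optional[str],
                          login_map: Dict[str, List[str]]) -> Optional[str]:
    """Mirror reject_sender_login_mismatch: None if allowed, else a reason.
    Addresses are compared case-insensitively (assumed local convention)."""
    sender = sender.lower()
    owners = [o.lower() for o in login_map.get(sender, [])]
    if login:
        login = login.lower()
        if login not in owners:          # logged in, but does not own MAIL FROM
            return f"{sender}: Sender address rejected: not owned by user {login}"
        return None
    if owners:                           # address has owners, client not logged in
        return f"{sender}: Sender address rejected: not logged in"
    return None


def effective_login(attrs: Dict[str, str]) -> Optional[str]:
    """Identity to enforce on: a direct SASL login first; otherwise the AUTH=
    value from MAIL FROM, but only when the client is a trusted proxy."""
    if attrs.get("sasl_username"):
        return attrs["sasl_username"]
    if attrs.get("client_address") in TRUSTED_PROXIES and attrs.get("sasl_sender"):
        return attrs["sasl_sender"]
    return None


def decide(attrs: Dict[str, str]) -> str:
    """Return the policy action for one request block."""
    if attrs.get("request") != "smtpd_access_policy" or not attrs.get("sender"):
        return "DUNNO"                   # unknown request or null sender (bounces)
    reason = sender_login_mismatch(attrs["sender"], effective_login(attrs), LOGIN_MAP)
    return "DUNNO" if reason is None else f"REJECT 5.7.1 {reason}"


def serve(lines: Iterable[str], out=sys.stdout) -> List[str]:
    """Read 'name=value' blocks terminated by an empty line, answer each one.
    Returns the actions so the loop can be exercised without a socket."""
    actions: List[str] = []
    attrs: Dict[str, str] = {}
    for line in lines:
        line = line.rstrip("\n")
        if line:
            name, _, value = line.partition("=")
            attrs[name] = value
            continue
        action = decide(attrs)
        actions.append(action)
        if out is not None:
            out.write(f"action={action}\n\n")
            out.flush()
        attrs = {}
    return actions


# Constructed request modelled on the post's
# "MAIL FROM:<username@domain> AUTH=username@domain" arriving from the proxy.
SAMPLE_PROXY_REQUEST: Dict[str, str] = {
    "request": "smtpd_access_policy", "protocol_state": "RCPT",
    "client_address": "172.16.229.10", "sasl_method": "", "sasl_username": "",
    "sasl_sender": "username@domain", "sender": "username@domain",
    "recipient": "someone@example.net",
}

if __name__ == "__main__":
    if sys.stdin.isatty():               # demo when run by hand
        print(decide(SAMPLE_PROXY_REQUEST))
        print(decide({**SAMPLE_PROXY_REQUEST, "sender": "other@domain"}))
    else:                                # spawned by Postfix: stdin/stdout protocol
        serve(sys.stdin)
```

To use it on the dedicated smtpd instance, add a spawn(8) service in master.cf (for example `senderlogin unix - n n - 0 spawn user=nobody argv=/usr/local/bin/senderlogin-policy.py`) and put `check_policy_service unix:private/senderlogin` before permit_mynetworks in that instance's restrictions; sasl_sender is available from the MAIL FROM stage onward. A real deployment would read the same hash: map Postfix uses rather than a hard-coded dict, and should keep the trusted-proxy set tight, since that is the only thing preventing any client on the port from asserting another user's AUTH= value.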