Hi all,

Recent versions of dovecot come with a submission server (MSA), which allows 
for simpler configuration and adds BURL support, avoiding the need for the 
client to upload the mail twice: once to IMAP, once to the MSA.
See also: https://doc.dovecot.org/admin_manual/submission_server/

This means the postfix configuration can be rather simple as the SASL binding 
to dovecot is no longer needed. Postfix only runs on the usual port 25 and 
just relays the mail coming from localhost via dovecot's MSA.

Now what I want to do is limit each user to mailing from his own mail address. 
Dovecot's MSA is still very primitive, so this is to be handled in postfix. 
This at first sight seems simple. Use XCLIENT so postfix gets full client 
details, including SASL username. Then use the standard sender restrictions 
and sender login maps. I add to main.cf:
> smtpd_authorized_xclient_hosts = $mynetworks
> smtpd_sender_restrictions = reject_sender_login_mismatch
> smtpd_sender_login_maps = regexp:/etc/postfix/senders

In the dovecot MSA I need to enable XCLIENT, so there I set:
> submission_relay_trusted = yes

Straightforward so far, but this configuration will not work:
> connect from localhost[127.0.0.1]
> warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
> warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
> MSG_ID: client=localhost[REAL_IPv6_HERE], sasl_method=XCLIENT, sasl_username=u...@my.tld

Of course, SASL needs to be enabled. But here comes the problem: How does one 
enable SASL **without** configuring any form of authentication back-end? In 
other words: How to enable SASL for XCLIENT and only XCLIENT?

I checked all of the available options but it appears that an authentication 
back-end is required, even though this is not needed when using XCLIENT as 
dovecot MSA is responsible for authentication here. In the end setting:
> smtpd_sasl_auth_enable = yes

means you also have to set "smtpd_sasl_type" to one of the available values, 
which is either "cyrus" or "dovecot". This then implies having to actually 
properly configure the back-end, or you will get errors such as:
> warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
> fatal: no SASL authentication mechanisms

Am I misunderstanding how XCLIENT is supposed to work or is this specific 
configuration currently not possible? I would have expected something such as 
"smtpd_sasl_type = xclient" would exist, but it seems like it doesn't.

Thanks,

Melvin.
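The policy the post wants Postfix to enforce, as an added illustration that is not part of the message above and not Postfix's own code: a small model of how `reject_sender_login_mismatch` consults a `regexp:` sender login map. The table contents, the domain `my.tld` and the logins are constructed; the model assumes the full MAIL FROM address is the only lookup key, Postfix's default case-insensitive regexp matching, and Postfix's case-insensitive comparison of the SASL login against the owners.

```python
import re

# Constructed sample of a regexp:/etc/postfix/senders table (the post does not
# show the author's own file): a shared alias owned by two named logins, and
# every other local address owned by the login of the same name.
SENDERS_TABLE = r"""
# alias owned by more than one login (comma separated, as Postfix expects)
/^postmaster@my\.tld$/   alice@my.tld, bob@my.tld
# every other address belongs to the login with the same local part
/^([^@]+)@my\.tld$/      ${1}@my.tld
"""

def parse_regexp_table(text):
    """Parse '/pattern/ result' lines the way a Postfix regexp: table reads them.
    Assumption: only the simple single-pattern form without flags is used."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/((?:[^/\\]|\\.)*)/\s+(.*)$", line)
        if not m:
            raise ValueError(f"unsupported table line: {line!r}")
        # Postfix regexp tables match case-insensitively by default
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup_owners(rules, sender):
    """Return the logins that own `sender` (first matching rule), or [] if none."""
    for pattern, result in rules:
        m = pattern.match(sender)
        if m:
            # expand $1 / ${1} style back-references in the result field
            expanded = re.sub(r"\$\{?(\d+)\}?",
                              lambda g: m.group(int(g.group(1))), result)
            return [o.strip() for o in expanded.split(",") if o.strip()]
    return []

def reject_sender_login_mismatch(rules, sender, sasl_username):
    """True when Postfix would reject MAIL FROM `sender`.
    sasl_username is None for a client that did not authenticate."""
    owners = lookup_owners(rules, sender)
    if sasl_username is None:
        # address has an owner but the client is not logged in
        return bool(owners)
    # logged in, but the login does not own the address (or nobody does)
    return not any(sasl_username.lower() == o.lower() for o in owners)
```

In the post's setup the SASL login would arrive via XCLIENT from dovecot's MSA, which is exactly why the restriction is skipped while Postfix reports "no SASL support".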
