
I have trouble setting up submissions with Dovecot + Postfix.

doveadm auth login user pass gives the right output.

When I try to send a mail with submission(s) it gives authentication failed error.

doveconf -n output:

auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:/home/vmail/%d/%n
mail_privileged_group = vmail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = " imap lmtp submission"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = < some_crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
Esa Jokinen
Andrei

1 Answer


Since version 2.3.0, Dovecot has provided the Submission Server feature, which is an authenticating proxy between MUA and MTA. Its main advantage is the BURL (RFC 4468) extension, which allows saving the message to the Sent folder at the same time it is delivered to SMTP.

On the other hand, it was implemented in 2017, just before the RFC 8314 made the STARTTLS submission obsolete. Personally I would recommend using the traditional way, where Postfix handles both SMTP for incoming mail and submissions (implicit TLS on port 465) for outbound, authenticated mail. There, Dovecot provides the SASL authentication as explained in the two documentation pages:

Your configuration with the current approach is missing configuration for the Relay MTA. In other words, your Dovecot does not understand where the mail should be relayed.

submission_relay_host: Host name for the relay server (required).

If you want to keep this course, please edit your 20-submission.conf with at least, e.g.,

submission_relay_host = localhost

Also, setting disable_plaintext_auth to no is a huge security risk, and you should stick with the default yes:

If yes, disables the LOGIN command and all other plaintext authentication unless SSL/TLS is used (LOGINDISABLED capability) or the connection is “secured”:

  • Client IP is in login_trusted_networks.
  • Client IP is from localhost, and it’s not coming from HAProxy listener.
Esa Jokinen
  • Adding the `submission_relay_host = localhost` solved this issue. – Esa Jokinen Aug 20 '23 at 07:20
  • RFC 8314 didn't make the Submission protocol obsolete; it made the accessing of Submission service _via the StartTLS port 587_ obsolete. The protocol remains, on port 465 (which is no longer SMTPS – it has been SubmissionS for quite a while now.) – user1686 Aug 20 '23 at 12:21
  • @user1686: Thanks for the correction; updated in the answer. – Esa Jokinen Aug 20 '23 at 12:32
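The two points the answer makes (a `submission` listener without `submission_relay_host`, and `disable_plaintext_auth = no`) can both be caught before a client ever fails to authenticate. The script below is an added example, not code from the original post, from Dovecot or from Postfix: it lints a `doveconf -n` dump for those two settings, and it checks a pre-STARTTLS EHLO response for PLAIN/LOGIN being offered in the clear, which is what `disable_plaintext_auth = no` exposes on an untrusted network. The dumps and EHLO responses are constructed samples (trimmed from the question's output); the `live_pre_tls_ehlo` helper assumes a STARTTLS listener on port 587 and is not exercised offline. Dovecot's login process filters the plaintext mechanisms out of the advertised list when the connection is not secured and plaintext auth is disabled, so an empty result from the EHLO check is what a correctly hardened server should give.

```python
"""Lint a `doveconf -n` dump for a missing submission relay host and for
plaintext auth, and check a pre-STARTTLS EHLO for plaintext AUTH mechanisms.
Example code added to this page; not part of the original post or of Dovecot."""

import re
import smtplib

# Constructed sample, trimmed from the question's `doveconf -n` output
# (assumption: the namespace/ssl lines left out do not affect these checks).
WEAK_DOVECONF = """\
auth_mechanisms = plain login
disable_plaintext_auth = no
protocols = " imap lmtp submission"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
"""

# The same dump with the two changes the answer recommends applied.
FIXED_DOVECONF = WEAK_DOVECONF.replace(
    "disable_plaintext_auth = no", "disable_plaintext_auth = yes"
) + "submission_relay_host = localhost\n"


def parse_top_level(conf: str) -> dict:
    """Return top-level `key = value` settings; nested blocks are skipped."""
    settings = {}
    depth = 0
    for raw in conf.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            # doveconf quotes values with leading spaces: " imap lmtp submission"
            settings[key.strip()] = value.strip().strip('"').strip()
    return settings


def lint_submission(conf: str) -> list:
    """Return (code, message) findings for the two problems from the answer."""
    s = parse_top_level(conf)
    findings = []
    if "submission" in s.get("protocols", "").split() and "submission_relay_host" not in s:
        findings.append(("missing-relay-host",
                         "submission is enabled but submission_relay_host is unset; "
                         "Dovecot has nowhere to relay outbound mail"))
    # Dovecot's default is yes, so an absent key is not a finding.
    if s.get("disable_plaintext_auth", "yes").lower() == "no":
        findings.append(("plaintext-auth-enabled",
                         "disable_plaintext_auth = no lets clients send PLAIN/LOGIN "
                         "credentials without TLS from untrusted networks"))
    return findings


# Constructed EHLO responses as a client sees them BEFORE sending STARTTLS.
EHLO_PLAINTEXT_AUTH = (
    "250-mail.example.test\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)
EHLO_TLS_ONLY = "250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"


def plaintext_mechs_offered(ehlo_response: str) -> set:
    """Mechanisms from any `250-AUTH ...` line that carry the password in the
    clear (PLAIN, LOGIN). A non-empty set on a pre-STARTTLS response means the
    server accepts credentials over an unencrypted connection."""
    offered = set()
    for line in ehlo_response.splitlines():
        m = re.match(r"250[ -]AUTH[ =](.+)$", line.strip(), re.IGNORECASE)
        if m:
            offered |= {mech.upper() for mech in m.group(1).split()}
    return offered & {"PLAIN", "LOGIN"}


def live_pre_tls_ehlo(host: str, port: int = 587) -> str:
    """Fetch a live server's EHLO response without issuing STARTTLS (assumes a
    STARTTLS listener; not run here). smtplib strips the reply codes from the
    EHLO lines, so they are put back for plaintext_mechs_offered()."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _code, msg = smtp.ehlo()
        lines = msg.decode("utf-8", "replace").splitlines()
    return "".join(f"250-{line}\r\n" for line in lines)


if __name__ == "__main__":
    for code, message in lint_submission(WEAK_DOVECONF):
        print(f"{code}: {message}")
    print("fixed dump findings:", lint_submission(FIXED_DOVECONF))
    print("plaintext mechs before STARTTLS:", plaintext_mechs_offered(EHLO_PLAINTEXT_AUTH))
```

Run it against `doveconf -n > dump.txt` by passing the file contents to `lint_submission`, and against a real host with `plaintext_mechs_offered(live_pre_tls_ehlo("mail.example.test"))`; a hardened server returns an empty set, and connections from `login_trusted_networks` or localhost are expected to still see the mechanisms because Dovecot treats those as secured.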