Score:0

Dovecot submission service: authentication fails


I have trouble setting up submissions with Dovecot + Postfix.

`doveadm auth login user pass` gives the right output.

When I try to send a mail with submission(s), it gives an authentication failed error.

`doveconf -n` output:

```
auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:/home/vmail/%d/%n
mail_privileged_group = vmail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = " imap lmtp submission"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl_cert = < some_crt
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
```
How could we know if you don't share the configuration & the logs / errors you have got?
Andrei: I edited the question. Please see the configuration. Thank you for an answer.
Score:1

Since version 2.3.0, Dovecot has provided the Submission Server feature, which is an authenticating proxy between MUA and MTA. Its main advantage is the BURL (RFC 4468) extension, which allows saving the message to the Sent folder at the same time it is delivered to SMTP.

On the other hand, it was implemented in 2017, just before RFC 8314 made the STARTTLS submission obsolete. Personally I would recommend using the traditional way, where Postfix handles both SMTP for incoming mail and submissions (implicit TLS on port 465) for outbound, authenticated mail. There, Dovecot provides the SASL authentication as explained in the two documentations:

Your configuration with the current approach is missing configuration for the Relay MTA. In other words, your Dovecot does not understand where the mail should be relayed.

submission_relay_host Host name for the relay server (required).

If you want to keep this course, please edit your 20-submission.conf with at least, e.g.,

submission_relay_host = localhost

Also, setting disable_plaintext_auth to no is a huge security risk, and you should stick with the default yes:

If yes, disables the LOGIN command and all other plaintext authentication unless SSL/TLS is used (LOGINDISABLED capability) or the connection is “secured”:

  • Client IP is in login_trusted_networks.
  • Client IP is from localhost, and it’s not coming from HAProxy listener.
Adding the `submission_relay_host = localhost` solved this issue.
user1686: RFC 8314 didn't make the Submission protocol obsolete; it made the accessing of Submission service _via the StartTLS port 587_ obsolete. The protocol remains, on port 465 (which is no longer SMTPS – it has been SubmissionS for quite a while now.)
@user1686: Thanks for the correction; updated in the answer.
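
A check for the two points raised in the answer above (no `submission_relay_host` while `submission` is in `protocols`, and `disable_plaintext_auth = no`), as an added example that is not part of the original thread or of Dovecot. The names `parse_doveconf` and `audit` are made up for illustration, the sample is a constructed excerpt of the question's `doveconf -n` output, and the check assumes that output omits settings left at their defaults.

```python
# Constructed sample: trimmed copy of the `doveconf -n` output in the question.
SAMPLE = '''\
auth_mechanisms = plain login
disable_plaintext_auth = no
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
protocols = " imap lmtp submission"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
'''

def parse_doveconf(text):
    """Flatten `doveconf -n` output into {"section/subsection/key": value}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):            # opening of a nested section
            stack.append(line[:-1].strip())
        elif line == "}":                 # end of the innermost section
            if stack:
                stack.pop()
        elif "=" in line:                 # key = value (value may be empty)
            key, _, value = line.partition("=")
            path = "/".join(stack + [key.strip()])
            settings[path] = value.strip().strip('"').strip()
    return settings

def audit(text):
    """Return findings for the two issues named in the answer (hypothetical helper)."""
    cfg = parse_doveconf(text)
    findings = []
    # Assumption: a setting absent from `doveconf -n` is at its default.
    if "submission" in cfg.get("protocols", "").split() \
            and not cfg.get("submission_relay_host"):
        findings.append("submission enabled but submission_relay_host is not set")
    if cfg.get("disable_plaintext_auth", "yes").lower() == "no":
        findings.append("disable_plaintext_auth = no allows plaintext auth without TLS")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```

On a live host, the same functions can be fed the text captured from `doveconf -n` instead of `SAMPLE`.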