On 4/22/2022 10:35 PM, ミユナ (alice) wrote:
my question is:

when postfix talks to dovecot, does it require user's username/password for authentication? or this communication just goes without authentication?

I asked this, b/c my webmail send mail from localhost has been going without authentication to postfix. So I am not sure if postfix talks to dovecot without requiring auth too.

My setup is virtual users in a postfixadmin database.  Dovecot does all authentication, even with postfix.  I believe the config snippets I have included below are the relevant things that make it possible for postfix to talk to dovecot for mail delivery and authentication.

Mail sent from localhost on port 25 does not require authentication on my system, because 127.0.0.0/8 is in postfix's mynetworks config and port 25's access restrictions include permit_mynetworks.  Anything sent via submission (port 587) does require auth, even from trusted networks.  If you can configure your webmail to use submission instead of smtp, maybe that can be authenticated.  You'll need to consult support resources for your webmail to see if that is possible.   I can say for sure that roundcube can do it ... I have roundcube configured to talk to port 587, which as mentioned, ALWAYS requires authentication.

When postfix sends mail to dovecot for delivery, I'm pretty sure that happens without authentication.  It's LMTP via unix socket, not something an outside client can access directly.

# In 10-master.conf
service lmtp {
  unix_listener lmtp {
    #mode = 0666
  }
}

service auth {
  unix_listener auth-userdb {
    mode = 0666
    user = vmail
    group = mail
  }

  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}


# In 10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain
!include auth-sql.conf.ext


# In postfix master.cf
dovecot      unix   -        n      n       -       -   pipe
  flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/dovecot-lda -d $(recipient)


# In postfix main.cf
# Use Dovecot to authenticate.
smtpd_sasl_type = dovecot
# Referring to /var/spool/postfix/private/auth
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

# Tell postfix to hand off mail to the definition for dovecot in master.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

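The port 25 versus submission behaviour described in the message above can be checked mechanically. The following is an added example, not part of the original message or of Postfix itself: the sample main.cf and master.cf text, the submission override and all function names are constructed assumptions, and the model is simplified (only explicitly set restriction lists are read, no built-in defaults).

```python
import re
# Constructed sample files (assumptions, not the poster's actual configuration).
MAIN_CF = """\
mynetworks = 127.0.0.0/8
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
dovecot    unix  -  n  n  -  -  pipe flags=DRhu user=vmail:mail
"""
LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions", "smtpd_sender_restrictions",
         "smtpd_relay_restrictions", "smtpd_recipient_restrictions")
DENY = {"reject", "reject_unauth_destination", "defer_unauth_destination"}

def parse_main(text):
    """Return main.cf as a dict (one 'name = value' per line, no continuations)."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_master(text):
    """Yield (service, type, command, -o overrides), joining indented continuation lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    for f in map(str.split, entries):
        opts = dict(a.split("=", 1) for p, a in zip(f[8:], f[9:]) if p == "-o" and "=" in a)
        yield f[0], f[1], f[7], opts

def relays_without_auth(params):
    """True if an unauthenticated client inside mynetworks may relay (simplified model)."""
    for name in LISTS:
        for item in re.split(r"[,\s]+", params.get(name, "")):
            if item in ("permit", "permit_mynetworks"):
                break              # this list permits; the remaining lists still apply
            if item in DENY:       # permit_sasl_authenticated never matches: no auth given
                return False
    return True

def audit(main_text, master_text):
    # Per smtpd listener: main.cf settings with that service's -o overrides applied on top.
    main = parse_main(main_text)
    return {svc: relays_without_auth({**main, **opts})
            for svc, kind, cmd, opts in parse_master(master_text) if (kind, cmd) == ("inet", "smtpd")}
```

With the sample input, `audit(MAIN_CF, MASTER_CF)` reports that `smtp` accepts unauthenticated mail from `mynetworks` while `submission` does not, because the `-o` override rejects every client that has not authenticated.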