2.2.15: SMTP submission server?

Reindl Harald h.reindl at thelounge.net
Sun Nov 16 01:24:39 UTC 2014


to make it short

* dovecot is no MTA submission server
* if you find a security issue in postfix running
   on 587 over TLS cry out loud
* dovecot offers a SASL provider for postfix submission

that's it and if you think that combination is not secure enough pull 
the network cables

On 16.11.2014 at 00:03, Ron Leach wrote:
> List, we're migrating to 2.2 from a 1.x version.  There has been mention
> from time to time of a dovecot SMTP submission server.  Last I saw was
> Timo suggesting this would be a 2.3 feature, but that there was already
> a 'basic' capability in 2.2 that, more or less, merely provided a
> secured/authorised SMTP submission.  I haven't found anything about this
> in the wiki, but the feature is of interest to us.  I would like to
> *not* have our MTA capable of being exploited as a relay (it isn't, at
> the moment) whereas users are logging into our dovecot from offsite
> using imaps with passwords.  While moving to 2.2, I'd like to try to use
> a secure SMTP submission *separate* from the MTA so that that software,
> with whatever vulnerabilities or weaknesses it might have, remained
> locked down and could not relay, if at all possible.
>
> (Imaps with passwords means the login details are not transmitted in
> cleartext and, so, leak no security to an observer of the communications
> channel.  Doubtless there are other weaknesses somewhere but, at least,
> when using hotel wifi, for example, there is little chance of revealing
> login details to a packet sniffer.  It won't be perfect, there are
> probably other vulnerabilities, not least in the underlying OSs at each
> end, but the connection - which is a serious vulnerability in many
> places - will be as good as is practical to make it.)
>
> So, is there some kind of SMTP submission service for a logged in
> dovecot user, and how would a client make use of that?  Is it possible
> to set up 2.2.15 for this?  And, crucially, would the connections between
> the client (e.g. at a hotel in some unreliable location) be encrypted
> right from the start, not using STARTTLS, as is the case in imaps?  And,
> just to be really demanding, could we configure its use on a
> non-standard port?
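
The combination the reply describes (Postfix accepting authenticated submission, with Dovecot as its SASL provider), sketched as an added configuration example that comes from neither poster. It assumes Postfix's default queue directory /var/spool/postfix and an already configured TLS certificate in main.cf; port 10465 is a constructed non-standard port for the implicit-TLS variant the question asks about.

```conf
# --- Dovecot 2.2: conf.d/10-master.conf ---
# Expose the auth service on a socket inside Postfix's queue directory
# (assumed to be the default, /var/spool/postfix).
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# --- Dovecot 2.2: conf.d/10-auth.conf ---
# Both mechanisms send the password as-is, which is why the Postfix
# listeners below only offer AUTH inside TLS.
auth_mechanisms = plain login

# --- Postfix: master.cf ---
# Port 587: STARTTLS is mandatory and AUTH is offered only after it.
# Unauthenticated clients are rejected, so this listener cannot relay
# for anyone who has not logged in against Dovecot.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Implicit TLS (encrypted from the first byte, like imaps) on a
# constructed non-standard port, 10465.
10465      inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# --- Postfix: main.cf ---
# Leave AUTH disabled on port 25 so only the listeners above accept logins.
smtpd_sasl_auth_enable = no
```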
