As of version 2.3.0, Dovecot provides an SMTP submission service, also known as a Mail Submission Agent (MSA). It is currently implemented as a proxy that acts as a front-end for any MTA, adding the necessary functionality required for a submission service: it adds the required AUTH support, avoiding the need to configure the MTA for SASL authentication. More SMTP capabilities like CHUNKING and SIZE are supported, without requiring the backend MTA supporting these extensions. Other capabilities like 8BITMIME and DSN currently require support from the backend/relay MTA.
The most notable feature that the proxy adds is the BURL capability. The main application of that capability — together with IMAP and URLAUTH — is avoiding a duplicate upload of submitted e-mail messages; normally the message is both sent through SMTP and uploaded to the Sent folder through IMAP. Using BURL, the client can first upload the message to IMAP and then use BURL to make the SMTP server fetch the message from IMAP for submission, thereby avoiding a second upload. Few clients currently support the BURL capability, but once it becomes available on the server side, client developers will at least have some incentive to provide support for this feature.
Currently, the submission proxy is still pretty basic. However, it will provide a basis for adding all kinds of functionality in the (not so distant) future. For the first time, it will be possible to act upon message submission, rather than only message retrieval; e.g. plugins can be devised that process outgoing messages somehow. Examples of the things that could be implemented are adding Sieve filtering support for outgoing messages, or implicitly storing submitted messages to the Sent folder. Once a plugin API is devised, you can create your own plugins.
The following SMTP capabilities are supported by the Dovecot submission service:
submission to the
protocols= setting and configure the relay
MTA server. The submission service is a login service, just like IMAP, POP3 and Pigeonhole ManageSieve Server, so clients
are required to authenticate. The same authentication configuration shall also apply to submission,
unless you’re doing protocol-specific things, in which case you may need to
amend your configuration for the new protocol.
BURL support requires a working IMAP URLAUTH implementation. Details on
configuring Dovecot’s URLAUTH support can be found at
The following settings apply to the Submission service:
submission_logout_format = in=%i out=%o
The SMTP Submission logout format string. The following variable substitutions are supported:
Total number of bytes read from client
Total number of bytes sent to client
Number of commands received from client
Number of replies sent to client
Session ID of the login session
ID of the current transaction, if any
The host name reported by the SMTP service (and other parts of Dovecot), for example to the client in the initial greeting and to the relay server in the HELO/EHLO command. Default is the system’s real hostname@domain.
Configures the list of active workarounds for Submission client bugs. The list is space-separated. Supported workaround identifiers are:
Implicitly login using the EXTERNAL SASL mechanism upon the first MAIL command, provided that the client provides a valid TLS client certificate. This is helpful for clients that omit explicit SASL authentication when configured for authentication using a TLS certificate (Thunderbird for example).
New in version v2.3.18.
Allow using bare Mailbox syntax (i.e., without
<...>) instead of full path syntax.
Allow one or more spaces or tabs between
MAIL FROM:and path and between
RCPT TO:and path.
The maximum size of messages accepted for relay. This announced in the SMTP SIZE capability. If not configured, this is either determined from the relay server or left unlimited if no limit is known (the relay MTA will reply with error if some unknown limit exists there, which is duly passed to Dovecot’s client).
Maximum number of recipients accepted per connection (default: unlimited).
The Dovecot SMTP submission service directly proxies the mail transaction to the SMTP relay configured with the following settings:
Host name for the relay server (required).
- submission_relay_port = 25
Port for the relay server.
- submission_relay_trusted = no
Is the relay server trusted? This determines whether we try to send (Postfix-specific) XCLIENT data to the relay server.
- submission_relay_user =
User name for authentication to the relay MTA if authentication is required there (authorization ID).
- submission_relay_master_user =
Master user name for authentication to the relay MTA if authentication is required there (authentication ID).
- submission_relay_password =
Password for authentication to the relay MTA if authentication is required there.
- submission_relay_ssl = no
Indicates whether TLS is used for the connection to the relay server. The following values are defined for this setting:
No SSL is used.
An SMTPS connection (immediate SSL) is used.
The STARTTLS command is used to establish the TLS layer.
- submission_relay_ssl_verify = yes
Configures whether the TLS certificate of the relay server is to be verified.
Write protocol logs for relay connection to this directory for debugging.
See Rawlog for more details on rawlogs.
Like IMAP and POP3, the Submission login service supports proxying to multiple backend Dovecot servers. The proxy configuration wiki page for POP3 and IMAP applies automatically to Submission as well.
Please note that the login proxy described here is configured between two Dovecot servers (e.g. director frontend and mail storage backend). This is not the way to configure the relay connection between the Dovecot submission service and the MTA! That is configured using the relay settings described in the previous section. If you get this wrong, things will seem to work (at least to some extent), but the service provided by Dovecot will be effectively bypassed.
As of April 2019 there aren’t many clients that support the BURL extension.
Mentioned on the dovecot discussion list