Submission Server
Dovecot provides an SMTP submission service, also known as a Mail Submission Agent (MSA) (RFC 6409).
It is currently implemented as a proxy that acts as a front-end for any MTA, adding the necessary functionality required for a submission service: it adds the required AUTH (RFC 4954) support, avoiding the need to configure the MTA for SASL.
NOTE
Dovecot's submission server is NOT a full-featured SMTP server. It REQUIRES proxying to an external relay SMTP submission server to deliver non-local messages.
More SMTP capabilities like CHUNKING (RFC 3030) and SIZE (RFC 1870) are supported, without requiring the backend MTA to support these extensions.
Other capabilities like 8BITMIME (RFC 6152) and DSN (RFC 3461) currently require support from the backend/relay MTA.
The most notable feature that the proxy adds is the BURL capability (RFC 4468). The main application of that capability, together with IMAP server and URLAUTH (RFC 4467), is avoiding a duplicate upload of submitted e-mail messages. Normally the message is both sent through SMTP and uploaded to the Sent folder through IMAP. Using BURL, the client can first upload the message to IMAP and then use BURL to make the SMTP server fetch the message from IMAP for submission, thereby avoiding a second upload. Few clients currently support the BURL capability, but once it becomes available on the server side, client developers will at least have some incentive to provide support for this feature.
NOTE
Currently, the submission proxy is still pretty basic. However, it will provide a basis for adding all kinds of functionality in the (not so distant) future. For the first time, it will be possible to act upon message submission, rather than only message retrieval; e.g. plugins can be devised that process outgoing messages somehow. Examples of the things that could be implemented are adding Sieve filtering support for outgoing messages, or implicitly storing submitted messages to the Sent folder. Once a plugin API is devised, you can create your own plugins.
The submission service, when protocol submission is enabled, listens on 587/tcp (STARTTLS) by default.
Features
The following SMTP capabilities are supported by the Dovecot submission service:
- 8BITMIME (RFC 6152): Only if relay MTA provides support
- AUTH (RFC 4954)
- BURL (RFC 4468)
- CHUNKING (RFC 3030)
- DSN (RFC 3461): Only if relay MTA provides support
- ENHANCEDSTATUSCODES (RFC 2034)
- PIPELINING (RFC 2920)
- SIZE (RFC 1870)
- STARTTLS (RFC 3207)
- VRFY (RFC 5321)
- XCLIENT: See https://www.postfix.org/XCLIENT_README.html
Configuration
Submission Service
Just add submission to the protocols= setting and configure the relay MTA server.
The submission service is a login service, just like IMAP, POP3 and ManageSieve, so clients are required to authenticate.
The same authentication configuration will apply to the submission service, unless you're doing protocol-specific things, in which case you may need to amend your configuration for the new protocol.
BURL support requires a working IMAP URLAUTH implementation. See imap_urlauth_host.
Settings
hostname
Default | <system's real hostname@domain.tld> |
---|---|
Value | string |
The hostname to be used in email messages sent out by the local delivery agent (such as the Message-ID: header), in LMTP replies, and as the hostname advertised by submission SMTP service.
submission_add_received_header
Default | yes |
---|---|
Value | boolean |
Controls if "Received:" header should be added to mails by the submission backend.
submission_client_workarounds
Default | [None] |
---|---|
Value | string |
Configures the list of active workarounds for Submission client bugs. The list is space-separated.
Supported workaround identifiers are:
implicit-auth-external
- Implicitly log in using the EXTERNAL SASL mechanism upon the first MAIL command, provided that the client provides a valid TLS client certificate. This is helpful for clients that omit explicit SASL authentication when configured for authentication using a TLS certificate (Thunderbird for example).
mailbox-for-path
- Allow using bare Mailbox syntax (i.e., without <...>) instead of full path syntax.
whitespace-before-path
- Allow one or more spaces or tabs between 'MAIL FROM:' and path and between 'RCPT TO:' and path.
submission_host
Default | [None] |
---|---|
Value | URL |
Use this SMTP submission host to send messages.
Overrides sendmail_path value, if set.
submission_logout_format
Default | in=%i out=%o |
---|---|
Value | string |
The SMTP Submission logout format string.
Variables supported, including Mail user variables:
Variable Name | Description |
---|---|
%{input}, %i | Bytes read from client |
%{output}, %o | Bytes sent to client |
%{command_count} | Number of commands received from client |
%{reply_count} | Number of replies sent to client |
%{transaction_id} | ID of the current transaction, if any |
submission_max_mail_size
Default | 40M |
---|---|
Value | size |
The maximum message size accepted for relay.
This value is announced in the SMTP SIZE capability.
If empty, this value is either determined from the relay server or left unlimited if no limit is known; the relay MTA will reply with an error if some unknown limit exists there, which will be passed back to the client.
submission_max_recipients
Default | [None] |
---|---|
Value | unsigned integer |
Maximum number of recipients accepted per connection.
0 means unlimited.
Relay MTA
The Dovecot SMTP submission service directly proxies the mail transaction to the SMTP relay.
Settings
submission_relay_command_timeout
Default | 5mins |
---|---|
Value | time (milliseconds) |
Timeout for SMTP commands issued to the submission service's relay server.
The timeout is reset every time more data is being sent or received.
submission_relay_connect_timeout
Default | 30secs |
---|---|
Value | time (milliseconds) |
Timeout for connecting to and logging into the submission service's relay server.
submission_relay_host
Default | [None] |
---|---|
Value | string |
Host of the relay server (REQUIRED to provide the submission service).
submission_relay_master_user
Default | [None] |
---|---|
Value | string |
Master user name for authentication to the relay MTA if authentication is required.
submission_relay_max_idle_time
Default | 29mins |
---|---|
Value | time |
Submission relay max idle time for connection to relay MTA.
submission_relay_password
Default | [None] |
---|---|
Value | string |
Password for authentication to the relay MTA if authentication is required.
submission_relay_port
Default | 25 |
---|---|
Value | unsigned integer |
Value Range: <1-65535>
Port for the submission relay server.
submission_relay_rawlog_dir
Default | [None] |
---|---|
Value | string |
Write protocol logs for relay connection to this directory for debugging.
Mail user variables can be used.
submission_relay_ssl
Default | no |
---|---|
Value | string |
Allowed Values | no smtps starttls |
If enabled, SSL/TLS is used for the connection to the relay server.
Available values:
no
- No SSL connection is used.
smtps
- An SMTPS connection (immediate SSL) is used.
starttls
- The STARTTLS command is used to establish the TLS layer.
submission_relay_ssl_verify
Default | yes |
---|---|
Value | boolean |
If enabled, the TLS certificate of the relay server must be verified.
submission_relay_trusted
Default | no |
---|---|
Value | boolean |
If enabled, the relay server is trusted.
Determines whether we try to send (Postfix-specific) XCLIENT data to the relay server (only if enabled).
submission_relay_user
Default | [None] |
---|---|
Value | string |
User name for authentication to the relay MTA if authentication is required.
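Added example (not part of the Dovecot documentation or code): a small Python check that reads settings in key = value form and lists the relay-side settings from this page that deserve review before production use. The sample configuration, the relay.example.org host, the loopback exemption, and treating an unset submission_max_recipients as 0 are assumptions of this example.

```python
# Defaults taken from the settings tables on this page.
DEFAULTS = {"submission_relay_ssl": "no", "submission_relay_ssl_verify": "yes",
            "submission_max_recipients": "0"}  # assumption: unset acts like 0
LOOPBACK = {"localhost", "127.0.0.1", "::1"}   # plaintext here stays on the host

def parse_settings(text):
    """Collect top-level `key = value` lines; skip comments and { } blocks."""
    settings, depth = dict(DEFAULTS), 0
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return the names of submission settings that should be reviewed."""
    flagged = []
    host = settings.get("submission_relay_host", "")
    tls = settings["submission_relay_ssl"]
    if not host:
        flagged.append("submission_relay_host")        # required for the service
    elif tls == "no" and host not in LOOPBACK:
        flagged.append("submission_relay_ssl")         # cleartext to a remote relay
    if tls != "no" and settings["submission_relay_ssl_verify"] != "yes":
        flagged.append("submission_relay_ssl_verify")  # relay identity unchecked
    if settings.get("submission_relay_rawlog_dir"):
        flagged.append("submission_relay_rawlog_dir")  # debugging aid left enabled
    if settings["submission_max_recipients"] == "0":
        flagged.append("submission_max_recipients")    # no per-connection cap
    return flagged

# Constructed sample in `key = value` form; host and paths are placeholders.
SAMPLE = """\
submission_relay_host = relay.example.org
submission_relay_ssl = starttls
submission_relay_ssl_verify = no
submission_relay_rawlog_dir = /tmp/rawlog
service submission-login {
  inet_listener submissions {
    port = 465
  }
}
"""
```

Calling audit(parse_settings(SAMPLE)) returns the three flagged setting names; the nested port line inside the service block is ignored because only top-level settings are read.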
Login Proxy
Like IMAP and POP3, the Submission login service supports proxying to multiple backend Dovecot servers. The proxy configuration wiki page for POP3 and IMAP applies automatically to Submission as well.
IMPORTANT
Please note that the login proxy described here is configured between two Dovecot servers (e.g. proxy frontend and mail storage backend). This is not the way to configure the relay connection between the Dovecot submission service and the MTA! That is configured using the relay settings described in the previous section. If you get this wrong, things will seem to work (at least to some extent), but the service provided by Dovecot will be effectively bypassed.
SMTPS
To listen on the SMTPS port (465/tcp), add this to dovecot.conf:

service submission-login {
  inet_listener submissions {
    port = 465
    ssl = yes
  }
}