From 0f4dbceeed0d4d29d47c2410e4cb2c2ad2f7b008 Mon Sep 17 00:00:00 2001
From: Jakub Czajka
Date: Sun, 6 Nov 2022 16:22:19 +0100
Subject: [PATCH] [postfix] Authenticate with dovecot SASL.
`postfix` authenticates MAIL FROM and RCPT TO addresses. This commit routes this authentication through `dovecot` SASL. It queries the address book for credentials.
---
 dovecot/10-master.conf | 8 +++++---
 postfix/main.cf | 9 +++++++++
 postfix/master.cf | 16 ++++------------
 3 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/dovecot/10-master.conf b/dovecot/10-master.conf
index abdda26..16154dc 100644
--- a/dovecot/10-master.conf
+++ b/dovecot/10-master.conf
@@ -106,9 +106,11 @@ service auth {
 }
 # Postfix smtp-auth
- #unix_listener /var/spool/postfix/private/auth {
- # mode = 0666
- #}
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0666
+ user = postfix
+ group = postfix
+ }
 # Auth process is run as this user.
 #user = $default_internal_user
diff --git a/postfix/main.cf b/postfix/main.cf
index 8981eae..2c78c94 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -35,6 +35,15 @@ mailbox_transport = lmtp:unix:private/dovecot-lmtp
 # Message rewrite
 always_add_missing_headers = yes
+
+# Dovecot SASL
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = private/auth
+smtpd_sasl_security_options = noactive, noanonymous, nodictionary
+smtpd_sasl_type = dovecot
+## Authenticate RCPT TO address.
+smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination
+
 # OpenDKIM
 milter_protocol = 2
 milter_default_action = accept
diff --git a/postfix/master.cf b/postfix/master.cf
index c8d2138..3f71c94 100644
--- a/postfix/master.cf
+++ b/postfix/master.cf
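Review bot: In dovecot/10-master.conf the new `unix_listener /var/spool/postfix/private/auth` keeps `mode = 0666` even though the hunk now sets `user = postfix` and `group = postfix`, so the world read/write bits are no longer needed for Postfix to connect. I would tighten it to `mode = 0660`, so that access to the auth socket does not rest only on the permissions of the parent directory, which this patch does not show. The `service auth` block starts and ends outside the hunk.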
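Review bot: In postfix/main.cf, `smtpd_sasl_auth_enable = yes` is set globally, so AUTH is presumably also offered by the `smtp` service on port 25, and nothing in this hunk requires TLS before credentials are accepted; `smtpd_sasl_security_options` does not include `noplaintext`. Unless it is already set elsewhere in main.cf, add `smtpd_tls_auth_only = yes` next to the SASL block. The same gap applies to the `submission` entry in postfix/master.cf, where the stock template's `-o smtpd_tls_security_level=encrypt` and `-o smtpd_tls_auth_only=yes` were not carried over. The comment `## Authenticate RCPT TO address.` would be more accurate as `## Only SASL-authenticated clients may relay to remote destinations.`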
@@ -14,18 +14,10 @@ smtp inet n - y - - smtpd
 #smtpd pass - - y - - smtpd
 #dnsblog unix - - y - 0 dnsblog
 #tlsproxy unix - - y - 0 tlsproxy
-#submission inet n - y - - smtpd
-# -o syslog_name=postfix/submission
-# -o smtpd_tls_security_level=encrypt
-# -o smtpd_sasl_auth_enable=yes
-# -o smtpd_tls_auth_only=yes
-# -o smtpd_reject_unlisted_recipient=no
-# -o smtpd_client_restrictions=$mua_client_restrictions
-# -o smtpd_helo_restrictions=$mua_helo_restrictions
-# -o smtpd_sender_restrictions=$mua_sender_restrictions
-# -o smtpd_recipient_restrictions=
-# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
+submission inet n - y - - smtpd
+ -o smtpd_sender_restrictions=reject_sender_login_mismatch
+ -o smtpd_helo_restrictions=$mua_helo_restrictions
+ -o milter_macro_daemon_name=ORIGINATING
 #smtps inet n - y - - smtpd
 # -o syslog_name=postfix/smtps
 # -o smtpd_tls_wrappermode=yes
-- 2.39.5
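Review bot: The enabled `submission` service in postfix/master.cf has no `smtpd_relay_restrictions` override, so it inherits `permit_sasl_authenticated, defer_unauth_destination` from main.cf and will still accept unauthenticated mail for local destinations on the submission port; the removed template used `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject`, and I would keep that line. `reject_sender_login_mismatch` relies on `smtpd_sender_login_maps`, and `$mua_helo_restrictions` must be defined in main.cf; neither appears in this patch, so confirm both exist, otherwise the sender check will not behave as intended. Dropping `-o syslog_name=postfix/submission` also makes submission logins harder to tell apart from port-25 traffic in the logs.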