From dd1695e997f9daffce4d850fa4d94f68cda7f0c3 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Fri, 9 Oct 2020 17:17:13 +0200
Subject: handle inbound SASL as part of submission
---
 postfix/postfix.sh | 44 ++++++++++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 18 deletions(-)
(limited to 'postfix')
diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index 1c8c726..d67ccef 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -66,11 +66,12 @@ else
 fi
 # TODO: enable only on systems with user accounts
 submission=1
-sasl=
-if [ -n "$tls_cert" ] && [ -n "$dovecot" ]; then
- sasl=1
+# TODO: check that dovecot SASL is configured
+sasl_inbound=
+if [ -n "$tls_cert" ] && [ -n "$dovecot" ] && [ -n "$submission" ]; then
+ sasl_inbound=1
 else
- warn "No SASL authentication - requires TLS encryption and Dovecot."
+ warn "No inbound SASL authentication - requires TLS encryption and Dovecot."
 fi
 amavis=
 default_amavis_maxproc=2
@@ -275,17 +276,6 @@ if [ -n "$tls_cert" ]; then
 _postconf -e 'smtpd_tls_loglevel = 1'
 _postconf -e 'smtpd_tls_auth_only = yes'
 _postconf -e 'smtpd_tls_received_header = yes'
- if [ -n "$sasl" ]; then
- _postconf -e smtpd_sasl_local_domain='$mydomain'
- _postconf -e smtpd_sasl_type=dovecot
- _postconf -e smtpd_sasl_path=private/auth
- _postconf -e broken_sasl_auth_clients=yes
- else
- _postconf -X smtpd_sasl_local_domain
- _postconf -X smtpd_sasl_type
- _postconf -X smtpd_sasl_path
- _postconf -X broken_sasl_auth_clients
- fi
 else
 _postconf -e smtpd_tls_security_level=none
 _postconf -X smtpd_tls_cert_file
@@ -305,8 +295,6 @@ _postconf -X smtp_tls_CApath
 _postconf -X lmtp_tls_CApath
 _postconf -X smtp_tls_CAfile
 _postconf -X lmtp_tls_CAfile
-_postconf -X smtpd_sasl_auth_enable
-_postconf -X smtpd_sasl_security_options
 _postconf -X smtpd_tls_ask_ccert
 _postconf -X smtp_tls_note_starttls_offer
 _postconf -X smtpd_tls_session_cache_database
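Review bot: In the first hunk (`@@ -66,11 +66,12 @@`), the `else` branch only warns when `sasl_inbound` stays empty, while `submission=1` remains set, so the later submission block still creates the submission service, now without `smtpd_sasl_auth_enable`. Whether that listener then accepts mail from unauthenticated clients depends on the smtpd restrictions set elsewhere in the script, which are not visible here. The warning should state this outcome and name the new third precondition, for example `warn "No inbound SASL authentication - requires TLS encryption, Dovecot and submission; submission service will run without AUTH."`. Alternatively the branch could clear `submission` so the service is not opened at all.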
@@ -317,16 +305,36 @@ _postconf -X tls_random_source # submission # +# if [ -n "$submission" ]; then _postconf -Me submission/inet=' submission inet n - y - - smtpd -o syslog_name=postfix/$service_name -o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes ' + if [ -n "$sasl_inbound" ]; then + _postconf -Me submission/inet/smtpd_sasl_auth_enable=yes + else + _postconf -MX submission/inet/smtpd_sasl_auth_enable + fi else _postconf -MX submission/inet fi +if [ -n "$sasl_inbound" ]; then + _postconf -e smtpd_sasl_local_domain='$mydomain' + _postconf -e smtpd_sasl_type=dovecot + _postconf -e smtpd_sasl_path=private/auth + _postconf -e broken_sasl_auth_clients=yes +else + _postconf -X smtpd_sasl_local_domain + _postconf -X smtpd_sasl_type + _postconf -X smtpd_sasl_path + _postconf -X broken_sasl_auth_clients +fi + +# obsolete SASL-related settings +_postconf -X smtpd_sasl_auth_enable +_postconf -X smtpd_sasl_security_options if [ -n "$amavis" ]; then _postconf -e 'max_use = 10' # Avoid too much reuse -- cgit v1.2.3
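Review bot: The new calls `_postconf -Me submission/inet/smtpd_sasl_auth_enable=yes` and `_postconf -MX submission/inet/smtpd_sasl_auth_enable` use the three-part `service/type/parameter` form, which postconf(1) documents for `-P`, whereas `-M` takes `service/type` entries. Unless the `_postconf` wrapper (defined outside this hunk) translates the flags, these should probably read `_postconf -Pe submission/inet/smtpd_sasl_auth_enable=yes` and `_postconf -PX submission/inet/smtpd_sasl_auth_enable`. The commit also drops the inline `-o smtpd_sasl_auth_enable=yes` from the service entry and removes the main.cf setting. A failed or ignored edit here would therefore leave the submission service with no SASL authentication enabled at all, so the result of that call is worth checking explicitly.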