I have explored the default setting of Postfix to allow local machines to send without authenticating, simply based on them being on the local network (permit_mynetworks). Even if I am not always on my own local network, I could make this work by installing a webmail client on the same server (or in the same Docker network). Even if we are accessing the client over the internet, the client is on a local machine and part of the local network as seen from the perspective of Postfix. Therefore permit_mynetworks would give the OK and allow it to send without any further restrictions.

But then there are smartphones, and I want to be notified whenever I have mail rather than having to check manually. So I need a way to authenticate as a legitimate user who should be allowed to send when I'm not on the local network of the server. One way to do this is by piggybacking on the MDA's authentication. In other words: if I am already authenticating with the IMAP server, why not use that to also authenticate me with Postfix for sending? This link between the two reminds me of what I said in the first post in this series: that the division into MTA and MDA probably wasn't engineered as much as just arrived at by stops and starts.
In this post I will create such a setup with Dovecot playing the part of the MDA. Dovecot will offer up an authentication service on the machine. When I ask Postfix to send something, Postfix will approach this service and ask if I should be allowed to send. And Dovecot will say yes or no, depending on whether or not I have previously properly authenticated with it.
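
A minimal sketch of the two halves of this setup, added here as an illustration and not the author's own configuration: Dovecot exposes an auth socket, and Postfix's smtpd hands the SMTP AUTH credentials to it. The file locations, the default queue directory /var/spool/postfix, a postfix user and group, and TLS already being configured for smtpd are all assumptions.

```conf
# --- Dovecot: conf.d/10-master.conf (assumed stock file layout) ---
service auth {
  # Create the socket inside Postfix's queue directory so a chrooted
  # smtpd can reach it. Only the postfix user/group may connect.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# --- Postfix: main.cf ---
# Offer SMTP AUTH and delegate credential checks to Dovecot.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
# Relative to queue_directory, so this resolves to the socket above.
smtpd_sasl_path = private/auth

# Never accept the ANONYMOUS mechanism.
smtpd_sasl_security_options = noanonymous
# Only advertise AUTH after STARTTLS, so passwords never cross the
# internet in cleartext (requires smtpd TLS to be set up).
smtpd_tls_auth_only = yes

# Relay policy, evaluated left to right:
#   1. clients inside mynetworks (the webmail case)   -> allowed
#   2. clients that passed SASL auth (the phone case) -> allowed
#   3. everyone else may only deliver to our own domains
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

After reloading both services, `postconf -n | grep sasl` shows the active Postfix values, and an EHLO over a TLS session should list an AUTH line while a cleartext session should not.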