Delivery to Shared Folders via authenticated SMTP then LMTP

Duncan Gibb Duncan.Gibb at
Tue Apr 21 10:55:44 EDT 2009

Andy Bennett wrote:

AB> I'm running a Debian etch server with the cyrus-2.2 (2.2.13-10)
AB> packages installed. I'm using exim 4.63 as my MTA.

OK.  Not an untypical deployment...

AB> I have no "postuser:" setting in /etc/imapd.conf so I'm assuming
AB> that it's default and I can address shared folders with the
AB> "+xxx at domain" address.

The default postuser is the empty string, hence the need for "anyone"
ACLs you're seeing.

AB> I can insert and delete messages in shared.test via IMAP when I'm
AB> authenticated as andyjpb at

AB> I connected to my SMTP server, authenticated as
AB> andyjpb at and sent a message to
AB> "+shared.test at".

AB> The message was accepted by exim and then immediately bounced.

AB> MAIL FROM:<andyjpb at> SIZE=2523
AB> RCPT TO:<+shared.test at>
AB> 550-You do not have permission to post a message to this mailbox.

AB> I don't see an AUTH line tho... I'm authenticating as exim who
AB> should be able to authorise as andyjpb at How can I
AB> be sure that that is happening?

You should have lines in syslog (/var/log/maillog) from lmtpd of the form

  cyrus/lmtp[<PID>]: login: <MTA.HOSTNAME> [<MTA.IP>] <authzid>
      <SASL.MECH> User logged in

The authzid there will be the user as whom Exim authorized.  But I don't
think that's the problem (see below).

AB>    client_send = $authenticated_sender^exim^<PASSWORD>

AB> I think that should send the exim authenticated sender along
AB> as the authorisation and exim and <PASSWORD> along as the
AB> authentication.

It should, but not in the way you want.  The SASL authzid isn't what
lmtpd evaluates ACLs against.  To do what I think you want (ACLs for
delivery to shared mailboxes by users employing SMTPA), you need Exim to
pass the authenticated user from the SMTP transaction with the MUA into
the _MAIL_ line of the LMTP conversation.  You want Exim to say:

 MAIL FROM:<andyjpb at> AUTH=<andyjpb at>

To do that you probably want to add

  authenticated_sender = $authenticated_id

to the definition of your lmtp relay.

You can check Cyrus is doing what you expect by using openssl s_client
or gnutls-cli to have a manual LMTP conversation with it:

 <-  220 LMTP Cyrus v2.3.13-Sirius-2009:2.3.13-5 ready
 ->  lhlo authtest
 <-  250-[..]
 ->  auth plain
 <-  235 Authenticated!
 ->  mail from:<arbitrary at mail.addr> AUTH=<andyjpb at>
 <-  250 2.1.0 ok
 ->  rcpt to:<+shared.test at>
 <-  250 2.1.5 ok
 ->  data
 <-  354 go ahead




Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom || t: +44 870 608 0063
Debian Cyrus Team
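
The syslog check described in the message, as an added example that is not part of the original post: a small parser for the lmtpd login line format quoted there, which reports the authzid the MTA actually used and flags logins from unexpected hosts or identities. The sample log lines, hostnames, addresses, user names and function names are constructed for illustration.

```python
import re

# Format quoted in the message (one syslog line, wrapped there for width):
#   cyrus/lmtp[<PID>]: login: <MTA.HOSTNAME> [<MTA.IP>] <authzid> <SASL.MECH> User logged in
LOGIN_RE = re.compile(
    r"cyrus/lmtp\[(?P<pid>\d+)\]: login: (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"(?P<authzid>\S+) (?P<mech>\S+) User logged in"
)

def parse_lmtp_logins(lines):
    """Return a dict per lmtpd login line; all other lines are skipped."""
    return [m.groupdict() for m in map(LOGIN_RE.search, lines) if m]

def review_logins(lines, mta_ips, expected_authzids):
    """Split logins into expected ones and ones worth a closer look.

    A login is flagged when it comes from an address that is not a known
    MTA, or when the authzid is not one you expect the MTA to use.
    """
    expected, flagged = [], []
    for rec in parse_lmtp_logins(lines):
        ok = rec["ip"] in mta_ips and rec["authzid"] in expected_authzids
        (expected if ok else flagged).append(rec)
    return expected, flagged

# Constructed sample lines (hostnames, addresses and user names are made up).
SAMPLE = [
    "Apr 21 15:02:11 mail cyrus/lmtp[4242]: login: mta.example.org [192.0.2.10] exim PLAIN User logged in",
    "Apr 21 15:02:11 mail cyrus/lmtp[4242]: accepted connection",
    "Apr 21 15:07:40 mail cyrus/lmtp[4250]: login: mta.example.org [192.0.2.10] andyjpb@example.org PLAIN User logged in",
    "Apr 21 15:09:03 mail cyrus/lmtp[4251]: login: ws7.example.org [198.51.100.23] exim PLAIN User logged in",
]

if __name__ == "__main__":
    expected, flagged = review_logins(SAMPLE, {"192.0.2.10"}, {"exim"})
    for rec in flagged:
        print("check: pid=%(pid)s ip=%(ip)s authzid=%(authzid)s mech=%(mech)s" % rec)
```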
