Solving our authenticated SMTP problem by rethinking it
Part of our mail system is a mail submission machine. Perhaps unlike many places, this machine has never done authenticated SMTP and as a result has never accepted connections from the outside world; to use it, you have to be 'inside' our network, either directly or by using our VPN (and at that point it just accepts your email). Recently this has been more and more a pain point for our users as it becomes more and more common for devices to move between inside and outside (for example, smartphones).
Unfortunately, one reason we haven't supported authenticated SMTP
before now is that it's non-trivial to add to our mail submission
machine. There are two tricky aspects. The first is that as far we
can see, any easy method to add authentication support to our Exim
configuration requires that our mail submission machine be rebuilt
to carry our full
/etc/shadow). The second is
that the mail submission machine still has to support unauthenticated
SMTP from internal machines; among other things, all of our servers
use it as their smarthost. This requires a somewhat messy and complex
Exim configuration, and being absolutely sure that we're reliably
telling apart internal machines from external machines and not
accidentally allowing external machines to use us without SMTP
authentication (because that would make one of our most crucial
mail machines into an open relay and get it blacklisted).
(Right now the mail submission machine has a strong defense in that our external firewall simply doesn't allow outside people to connect to it. It has its own access guard just in case, but its accuracy is less important. In the new world we'd have to open up access on the firewall and then count on its Exim configuration to do all the work.)
Exim can use a local Dovecot instance for authentication, but that
doesn't help the mail submission machine directly; to run a local
Dovecot that did useful authentication, we'd still need a full local
/etc/passwd et al. But then we had a brainwave: we already have
a Dovecot-based IMAP server.
Rather than try to modify the mail submission machine's Exim
configuration to add authenticated SMTP for some connections, we
can turn the problem around and do it on the IMAP server instead.
The IMAP server already has Dovecot and our full
it needs is to have Exim added with a configuration that only does
authenticated SMTP. Sure, we wind up with two mail submission
machines, but this way we don't have to mix the two somewhat different
mail submission roles and we get a much simpler change to our
existing machines. People also get a somewhat simpler IMAP client
configuration (and one that's probably more normal), since now their
(outgoing) mail server will be the same as their IMAP server.
(The actual Exim configuration on our IMAP server can be just a slight variation on the existing mail submission Exim configuration. Insisting on SMTP authentication all the time is an easy change.)
As a side benefit, testing and migration is going to be pretty easy. Nothing is trying to talk SMTP to the IMAP server today, so we can transparently add Exim there then have people try out using it as their (outgoing) mail server. If something goes wrong, the regular mail submission machine is completely unaltered and people can just switch back.