Private_Citizen's questions

I am using a certbot DNS plugin to issue Let's Encrypt certificates. Certbot uses dynamic DNS updates to add a TXT record for verification. Bind creates a .jnl file for the zone. This TXT record only exist for 30 seconds then is removed by certbot. When the process is done, everything is supposed to be back to normal.

The side effect is bind is over writing my original zone file (owned by root) and saving it as owned by named. Plus the contents of the zone file are completely reformatted in a way i do not like.

Is there anyway to prevent bind from trying to change the original zone file? Any way to tell bind this dynamic update is temporary, hold only in memory or something?

And a side, but not as important, question. How is it bind gives permission denied errors if it can't save the .jnl file without named ownership, but it can easily over write a zone file owned by root?

I can not find any documentation on what each reject messages means. I assume ...domain owner discourages use of this host happens when helo.spammer.com sends an email with [email protected] in the from field and example.com has an SPF record that does not include spammer.com

Then what conditions generate ...SPF fail - not authorized? Wouldn't an not authorized sender be the same condition as the first example?

While im at it, anyone know which conditions return ...access neither permitted nor denied

If it matters, i have the config as such

HELO_reject = SPF_Not_Pass
Mail_From_reject = SPF_Not_Pass

And if its helpful, a real case example:

SMTPD: connect from ns1.monofe.com[185.21.207.22]
SMTPD: NOQUEUE: reject: RCPT from ns1.monofe.com[185.21.207.22]: 550 5.7.23 <[email protected]>: Recipient address rejected: SPF rejected because SPF fail - not authorized; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ns1.monofe.com>
SMTPD: disconnect from ns1.monofe.com[185.21.207.22] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 quit=1 commands=5/7 

and

SMTPD: connect from mx47246.payrollloan.info[50.30.47.246]
SMTPD: NOQUEUE: reject: RCPT from mx47246.payrollloan.info[50.30.47.246]: 550 5.7.23 <[email protected]>: Recipient address rejected: SPF rejected because access neither permitted nor denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mx47246.payrollloan.info>
SMTPD: disconnect from mx47246.payrollloan.info[50.30.47.246] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

Im looking for the same behavior as postfix reject_sender_login_mismatch, however i want dovecot to handle this.

Starting since version 2.3 Dovecot offers a submission SMTP:587 server. I like this and it makes more logic to me, dovecot is already handling imap/pop3 services so why shouldn't you be able to send emails with the same service.

This must not be widely used because i can not find any information other than the very light documentation at the link above. Everything i find online explains how to have postfix talk to dovecot through "private/auth" to get user authentication to match against the From: address.

This is bonkers to me. Why bother having dovecot listen on port 587 if it has to send the email to postfix, for postfix to turn around and connect back to dovecot to get auth info to decide if the email matches? Dovecot should decide this before sending the email to postfix since it already has the connection, the user authentication, and list of valid emails.

Im running (CentOS8) dovecot 2.3.8 and postfix 3.3.1 with both talking to sql for user account info. Postfix is only listening on port 25 for incoming mail and dovecot is handling all things imap on ports 143, 993 and 587.

Does anyone know how to do this in dovecot or can point me in the right direction?