Adding upstream version 1:2.3.21+dfsg1.upstream/1%2.3.21+dfsg1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

10 files changed, 2521 insertions, 0 deletions

diff --git a/src/submission-login/Makefile.am b/src/submission-login/Makefile.am
new file mode 100644
index 0000000..2385faf
--- /dev/null
+++ b/src/submission-login/Makefile.am
@@ -0,0 +1,32 @@
+pkglibexecdir = $(libexecdir)/dovecot
+
+pkglibexec_PROGRAMS = submission-login
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/lib \
+	-I$(top_srcdir)/src/lib-settings \
+	-I$(top_srcdir)/src/lib-sasl \
+	-I$(top_srcdir)/src/lib-auth \
+	-I$(top_srcdir)/src/lib-master \
+	-I$(top_srcdir)/src/lib-smtp \
+	-I$(top_srcdir)/src/login-common
+
+submission_login_LDADD = \
+	$(LIBDOVECOT_LOGIN) \
+	$(LIBDOVECOT) \
+	$(SSL_LIBS)
+submission_login_DEPENDENCIES = \
+	$(LIBDOVECOT_LOGIN) \
+	$(LIBDOVECOT_DEPS)
+
+submission_login_SOURCES = \
+	client.c \
+	client-authenticate.c \
+	submission-login-settings.c \
+	submission-proxy.c
+
+noinst_HEADERS = \
+	client.h \
+	client-authenticate.h \
+	submission-login-settings.h \
+	submission-proxy.h
diff --git a/src/submission-login/Makefile.in b/src/submission-login/Makefile.in
new file mode 100644
index 0000000..7417007
--- /dev/null
+++ b/src/submission-login/Makefile.in
@@ -0,0 +1,830 @@
+# Makefile.in generated by automake 1.16.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+pkglibexec_PROGRAMS = submission-login$(EXEEXT)
+subdir = src/submission-login
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/ac_checktype2.m4 \
+	$(top_srcdir)/m4/ac_typeof.m4 $(top_srcdir)/m4/arc4random.m4 \
+	$(top_srcdir)/m4/blockdev.m4 $(top_srcdir)/m4/c99_vsnprintf.m4 \
+	$(top_srcdir)/m4/clock_gettime.m4 $(top_srcdir)/m4/crypt.m4 \
+	$(top_srcdir)/m4/crypt_xpg6.m4 $(top_srcdir)/m4/dbqlk.m4 \
+	$(top_srcdir)/m4/dirent_dtype.m4 $(top_srcdir)/m4/dovecot.m4 \
+	$(top_srcdir)/m4/fd_passing.m4 $(top_srcdir)/m4/fdatasync.m4 \
+	$(top_srcdir)/m4/flexible_array_member.m4 \
+	$(top_srcdir)/m4/glibc.m4 $(top_srcdir)/m4/gmtime_max.m4 \
+	$(top_srcdir)/m4/gmtime_tm_gmtoff.m4 \
+	$(top_srcdir)/m4/ioloop.m4 $(top_srcdir)/m4/iovec.m4 \
+	$(top_srcdir)/m4/ipv6.m4 $(top_srcdir)/m4/libcap.m4 \
+	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/libwrap.m4 \
+	$(top_srcdir)/m4/linux_mremap.m4 $(top_srcdir)/m4/ltoptions.m4 \
+	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/mmap_write.m4 \
+	$(top_srcdir)/m4/mntctl.m4 $(top_srcdir)/m4/modules.m4 \
+	$(top_srcdir)/m4/notify.m4 $(top_srcdir)/m4/nsl.m4 \
+	$(top_srcdir)/m4/off_t_max.m4 $(top_srcdir)/m4/pkg.m4 \
+	$(top_srcdir)/m4/pr_set_dumpable.m4 \
+	$(top_srcdir)/m4/q_quotactl.m4 $(top_srcdir)/m4/quota.m4 \
+	$(top_srcdir)/m4/random.m4 $(top_srcdir)/m4/rlimit.m4 \
+	$(top_srcdir)/m4/sendfile.m4 $(top_srcdir)/m4/size_t_signed.m4 \
+	$(top_srcdir)/m4/sockpeercred.m4 $(top_srcdir)/m4/sql.m4 \
+	$(top_srcdir)/m4/ssl.m4 $(top_srcdir)/m4/st_tim.m4 \
+	$(top_srcdir)/m4/static_array.m4 $(top_srcdir)/m4/test_with.m4 \
+	$(top_srcdir)/m4/time_t.m4 $(top_srcdir)/m4/typeof.m4 \
+	$(top_srcdir)/m4/typeof_dev_t.m4 \
+	$(top_srcdir)/m4/uoff_t_max.m4 $(top_srcdir)/m4/vararg.m4 \
+	$(top_srcdir)/m4/want_apparmor.m4 \
+	$(top_srcdir)/m4/want_bsdauth.m4 \
+	$(top_srcdir)/m4/want_bzlib.m4 \
+	$(top_srcdir)/m4/want_cassandra.m4 \
+	$(top_srcdir)/m4/want_cdb.m4 \
+	$(top_srcdir)/m4/want_checkpassword.m4 \
+	$(top_srcdir)/m4/want_clucene.m4 $(top_srcdir)/m4/want_db.m4 \
+	$(top_srcdir)/m4/want_gssapi.m4 $(top_srcdir)/m4/want_icu.m4 \
+	$(top_srcdir)/m4/want_ldap.m4 $(top_srcdir)/m4/want_lua.m4 \
+	$(top_srcdir)/m4/want_lz4.m4 $(top_srcdir)/m4/want_lzma.m4 \
+	$(top_srcdir)/m4/want_mysql.m4 $(top_srcdir)/m4/want_pam.m4 \
+	$(top_srcdir)/m4/want_passwd.m4 $(top_srcdir)/m4/want_pgsql.m4 \
+	$(top_srcdir)/m4/want_prefetch.m4 \
+	$(top_srcdir)/m4/want_shadow.m4 \
+	$(top_srcdir)/m4/want_sodium.m4 $(top_srcdir)/m4/want_solr.m4 \
+	$(top_srcdir)/m4/want_sqlite.m4 \
+	$(top_srcdir)/m4/want_stemmer.m4 \
+	$(top_srcdir)/m4/want_systemd.m4 \
+	$(top_srcdir)/m4/want_textcat.m4 \
+	$(top_srcdir)/m4/want_unwind.m4 $(top_srcdir)/m4/want_zlib.m4 \
+	$(top_srcdir)/m4/want_zstd.m4 $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(noinst_HEADERS) \
+	$(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__installdirs = "$(DESTDIR)$(pkglibexecdir)"
+PROGRAMS = $(pkglibexec_PROGRAMS)
+am_submission_login_OBJECTS = client.$(OBJEXT) \
+	client-authenticate.$(OBJEXT) \
+	submission-login-settings.$(OBJEXT) submission-proxy.$(OBJEXT)
+submission_login_OBJECTS = $(am_submission_login_OBJECTS)
+am__DEPENDENCIES_1 =
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__maybe_remake_depfiles = depfiles
+am__depfiles_remade = ./$(DEPDIR)/client-authenticate.Po \
+	./$(DEPDIR)/client.Po ./$(DEPDIR)/submission-login-settings.Po \
+	./$(DEPDIR)/submission-proxy.Po
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(submission_login_SOURCES)
+DIST_SOURCES = $(submission_login_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+HEADERS = $(noinst_HEADERS)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+pkglibexecdir = $(libexecdir)/dovecot
+ACLOCAL = @ACLOCAL@
+ACLOCAL_AMFLAGS = @ACLOCAL_AMFLAGS@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+APPARMOR_LIBS = @APPARMOR_LIBS@
+AR = @AR@
+AUTH_CFLAGS = @AUTH_CFLAGS@
+AUTH_LIBS = @AUTH_LIBS@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BINARY_CFLAGS = @BINARY_CFLAGS@
+BINARY_LDFLAGS = @BINARY_LDFLAGS@
+BISON = @BISON@
+CASSANDRA_CFLAGS = @CASSANDRA_CFLAGS@
+CASSANDRA_LIBS = @CASSANDRA_LIBS@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CDB_LIBS = @CDB_LIBS@
+CFLAGS = @CFLAGS@
+CLUCENE_CFLAGS = @CLUCENE_CFLAGS@
+CLUCENE_LIBS = @CLUCENE_LIBS@
+COMPRESS_LIBS = @COMPRESS_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CRYPT_LIBS = @CRYPT_LIBS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DICT_LIBS = @DICT_LIBS@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+FLEX = @FLEX@
+FUZZER_CPPFLAGS = @FUZZER_CPPFLAGS@
+FUZZER_LDFLAGS = @FUZZER_LDFLAGS@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+KRB5CONFIG = @KRB5CONFIG@
+KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_LIBS = @KRB5_LIBS@
+LD = @LD@
+LDAP_LIBS = @LDAP_LIBS@
+LDFLAGS = @LDFLAGS@
+LD_NO_WHOLE_ARCHIVE = @LD_NO_WHOLE_ARCHIVE@
+LD_WHOLE_ARCHIVE = @LD_WHOLE_ARCHIVE@
+LIBCAP = @LIBCAP@
+LIBDOVECOT = @LIBDOVECOT@
+LIBDOVECOT_COMPRESS = @LIBDOVECOT_COMPRESS@
+LIBDOVECOT_DEPS = @LIBDOVECOT_DEPS@
+LIBDOVECOT_DSYNC = @LIBDOVECOT_DSYNC@
+LIBDOVECOT_LA_LIBS = @LIBDOVECOT_LA_LIBS@
+LIBDOVECOT_LDA = @LIBDOVECOT_LDA@
+LIBDOVECOT_LDAP = @LIBDOVECOT_LDAP@
+LIBDOVECOT_LIBFTS = @LIBDOVECOT_LIBFTS@
+LIBDOVECOT_LIBFTS_DEPS = @LIBDOVECOT_LIBFTS_DEPS@
+LIBDOVECOT_LOGIN = @LIBDOVECOT_LOGIN@
+LIBDOVECOT_LUA = @LIBDOVECOT_LUA@
+LIBDOVECOT_LUA_DEPS = @LIBDOVECOT_LUA_DEPS@
+LIBDOVECOT_SQL = @LIBDOVECOT_SQL@
+LIBDOVECOT_STORAGE = @LIBDOVECOT_STORAGE@
+LIBDOVECOT_STORAGE_DEPS = @LIBDOVECOT_STORAGE_DEPS@
+LIBEXTTEXTCAT_CFLAGS = @LIBEXTTEXTCAT_CFLAGS@
+LIBEXTTEXTCAT_LIBS = @LIBEXTTEXTCAT_LIBS@
+LIBICONV = @LIBICONV@
+LIBICU_CFLAGS = @LIBICU_CFLAGS@
+LIBICU_LIBS = @LIBICU_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBSODIUM_CFLAGS = @LIBSODIUM_CFLAGS@
+LIBSODIUM_LIBS = @LIBSODIUM_LIBS@
+LIBTIRPC_CFLAGS = @LIBTIRPC_CFLAGS@
+LIBTIRPC_LIBS = @LIBTIRPC_LIBS@
+LIBTOOL = @LIBTOOL@
+LIBUNWIND_CFLAGS = @LIBUNWIND_CFLAGS@
+LIBUNWIND_LIBS = @LIBUNWIND_LIBS@
+LIBWRAP_LIBS = @LIBWRAP_LIBS@
+LINKED_STORAGE_LDADD = @LINKED_STORAGE_LDADD@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+LUA_CFLAGS = @LUA_CFLAGS@
+LUA_LIBS = @LUA_LIBS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MODULE_LIBS = @MODULE_LIBS@
+MODULE_SUFFIX = @MODULE_SUFFIX@
+MYSQL_CFLAGS = @MYSQL_CFLAGS@
+MYSQL_CONFIG = @MYSQL_CONFIG@
+MYSQL_LIBS = @MYSQL_LIBS@
+NM = @NM@
+NMEDIT = @NMEDIT@
+NOPLUGIN_LDFLAGS = @NOPLUGIN_LDFLAGS@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PANDOC = @PANDOC@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PGSQL_CFLAGS = @PGSQL_CFLAGS@
+PGSQL_LIBS = @PGSQL_LIBS@
+PG_CONFIG = @PG_CONFIG@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+QUOTA_LIBS = @QUOTA_LIBS@
+RANLIB = @RANLIB@
+RELRO_LDFLAGS = @RELRO_LDFLAGS@
+RPCGEN = @RPCGEN@
+RUN_TEST = @RUN_TEST@
+SED = @SED@
+SETTING_FILES = @SETTING_FILES@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SQLITE_CFLAGS = @SQLITE_CFLAGS@
+SQLITE_LIBS = @SQLITE_LIBS@
+SQL_CFLAGS = @SQL_CFLAGS@
+SQL_LIBS = @SQL_LIBS@
+SSL_CFLAGS = @SSL_CFLAGS@
+SSL_LIBS = @SSL_LIBS@
+STRIP = @STRIP@
+SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@
+SYSTEMD_LIBS = @SYSTEMD_LIBS@
+VALGRIND = @VALGRIND@
+VERSION = @VERSION@
+ZSTD_CFLAGS = @ZSTD_CFLAGS@
+ZSTD_LIBS = @ZSTD_LIBS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dict_drivers = @dict_drivers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+moduledir = @moduledir@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+rundir = @rundir@
+runstatedir = @runstatedir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sql_drivers = @sql_drivers@
+srcdir = @srcdir@
+ssldir = @ssldir@
+statedir = @statedir@
+sysconfdir = @sysconfdir@
+systemdservicetype = @systemdservicetype@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/lib \
+	-I$(top_srcdir)/src/lib-settings \
+	-I$(top_srcdir)/src/lib-sasl \
+	-I$(top_srcdir)/src/lib-auth \
+	-I$(top_srcdir)/src/lib-master \
+	-I$(top_srcdir)/src/lib-smtp \
+	-I$(top_srcdir)/src/login-common
+
+submission_login_LDADD = \
+	$(LIBDOVECOT_LOGIN) \
+	$(LIBDOVECOT) \
+	$(SSL_LIBS)
+
+submission_login_DEPENDENCIES = \
+	$(LIBDOVECOT_LOGIN) \
+	$(LIBDOVECOT_DEPS)
+
+submission_login_SOURCES = \
+	client.c \
+	client-authenticate.c \
+	submission-login-settings.c \
+	submission-proxy.c
+
+noinst_HEADERS = \
+	client.h \
+	client-authenticate.h \
+	submission-login-settings.h \
+	submission-proxy.h
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/submission-login/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign src/submission-login/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pkglibexecPROGRAMS: $(pkglibexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	@list='$(pkglibexec_PROGRAMS)'; test -n "$(pkglibexecdir)" || list=; \
+	if test -n "$$list"; then \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(pkglibexecdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(pkglibexecdir)" || exit 1; \
+	fi; \
+	for p in $$list; do echo "$$p $$p"; done | \
+	sed 's/$(EXEEXT)$$//' | \
+	while read p p1; do if test -f $$p \
+	 || test -f $$p1 \
+	  ; then echo "$$p"; echo "$$p"; else :; fi; \
+	done | \
+	sed -e 'p;s,.*/,,;n;h' \
+	    -e 's|.*|.|' \
+	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
+	sed 'N;N;N;s,\n, ,g' | \
+	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
+	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
+	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
+	    else { print "f", $$3 "/" $$4, $$1; } } \
+	  END { for (d in files) print "f", d, files[d] }' | \
+	while read type dir files; do \
+	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
+	    test -z "$$files" || { \
+	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(pkglibexecdir)$$dir'"; \
+	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(pkglibexecdir)$$dir" || exit $$?; \
+	    } \
+	; done
+
+uninstall-pkglibexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(pkglibexec_PROGRAMS)'; test -n "$(pkglibexecdir)" || list=; \
+	files=`for p in $$list; do echo "$$p"; done | \
+	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
+	      -e 's/$$/$(EXEEXT)/' \
+	`; \
+	test -n "$$list" || exit 0; \
+	echo " ( cd '$(DESTDIR)$(pkglibexecdir)' && rm -f" $$files ")"; \
+	cd "$(DESTDIR)$(pkglibexecdir)" && rm -f $$files
+
+clean-pkglibexecPROGRAMS:
+	@list='$(pkglibexec_PROGRAMS)'; test -n "$$list" || exit 0; \
+	echo " rm -f" $$list; \
+	rm -f $$list || exit $$?; \
+	test -n "$(EXEEXT)" || exit 0; \
+	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+	echo " rm -f" $$list; \
+	rm -f $$list
+
+submission-login$(EXEEXT): $(submission_login_OBJECTS) $(submission_login_DEPENDENCIES) $(EXTRA_submission_login_DEPENDENCIES) 
+	@rm -f submission-login$(EXEEXT)
+	$(AM_V_CCLD)$(LINK) $(submission_login_OBJECTS) $(submission_login_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/client-authenticate.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/client.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/submission-login-settings.Po@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/submission-proxy.Po@am__quote@ # am--include-marker
+
+$(am__depfiles_remade):
+	@$(MKDIR_P) $(@D)
+	@echo '# dummy' >$@-t && $(am__mv) $@-t $@
+
+am--depfiles: $(am__depfiles_remade)
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS) $(HEADERS)
+installdirs:
+	for dir in "$(DESTDIR)$(pkglibexecdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pkglibexecPROGRAMS \
+	mostlyclean-am
+
+distclean: distclean-am
+		-rm -f ./$(DEPDIR)/client-authenticate.Po
+	-rm -f ./$(DEPDIR)/client.Po
+	-rm -f ./$(DEPDIR)/submission-login-settings.Po
+	-rm -f ./$(DEPDIR)/submission-proxy.Po
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-pkglibexecPROGRAMS
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+		-rm -f ./$(DEPDIR)/client-authenticate.Po
+	-rm -f ./$(DEPDIR)/client.Po
+	-rm -f ./$(DEPDIR)/submission-login-settings.Po
+	-rm -f ./$(DEPDIR)/submission-proxy.Po
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pkglibexecPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \
+	clean-generic clean-libtool clean-pkglibexecPROGRAMS \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pkglibexecPROGRAMS install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pkglibexecPROGRAMS
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/submission-login/client-authenticate.c b/src/submission-login/client-authenticate.c
new file mode 100644
index 0000000..e1a5ae2
--- /dev/null
+++ b/src/submission-login/client-authenticate.c
@@ -0,0 +1,360 @@
+/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */
+
+#include "login-common.h"
+#include "base64.h"
+#include "buffer.h"
+#include "hex-binary.h"
+#include "ioloop.h"
+#include "istream.h"
+#include "ostream.h"
+#include "safe-memset.h"
+#include "str.h"
+#include "str-sanitize.h"
+#include "auth-client.h"
+#include "master-service-ssl-settings.h"
+#include "client.h"
+#include "client-authenticate.h"
+#include "submission-proxy.h"
+#include "submission-login-settings.h"
+
+static void cmd_helo_reply(struct submission_client *subm_client,
+			   struct smtp_server_cmd_ctx *cmd,
+			   struct smtp_server_cmd_helo *data)
+{
+	struct client *client = &subm_client->common;
+	const struct submission_login_settings *set = subm_client->set;
+	enum smtp_capability backend_caps = subm_client->backend_capabilities;
+	bool exotic_backend =
+		HAS_ALL_BITS(set->parsed_workarounds,
+			     SUBMISSION_LOGIN_WORKAROUND_EXOTIC_BACKEND);
+	struct smtp_server_reply *reply;
+
+	reply = smtp_server_reply_create_ehlo(cmd->cmd);
+	if (!data->helo.old_smtp) {
+		if ((backend_caps & SMTP_CAPABILITY_8BITMIME) != 0)
+			smtp_server_reply_ehlo_add(reply, "8BITMIME");
+
+		if (client->secured ||
+			strcmp(client->ssl_set->ssl, "required") != 0) {
+			const struct auth_mech_desc *mechs;
+			unsigned int count, i;
+			string_t *param = t_str_new(128);
+
+			mechs = sasl_server_get_advertised_mechs(client,
+								 &count);
+			for (i = 0; i < count; i++) {
+				if (i > 0)
+					str_append_c(param, ' ');
+				str_append(param, mechs[i].name);
+			}
+			smtp_server_reply_ehlo_add_param(reply,
+				"AUTH", "%s", str_c(param));
+		}
+
+		if ((backend_caps & SMTP_CAPABILITY_BINARYMIME) != 0 &&
+		    (backend_caps & SMTP_CAPABILITY_CHUNKING) != 0)
+			smtp_server_reply_ehlo_add(reply, "BINARYMIME");
+		if (!exotic_backend ||
+		    (backend_caps & SMTP_CAPABILITY_BURL) != 0) {
+			smtp_server_reply_ehlo_add_param(reply, "BURL", "imap");
+		}
+		if (!exotic_backend ||
+		    (backend_caps & SMTP_CAPABILITY_CHUNKING) != 0) {
+			smtp_server_reply_ehlo_add(reply,
+				"CHUNKING");
+		}
+		if ((backend_caps & SMTP_CAPABILITY_DSN) != 0)
+			smtp_server_reply_ehlo_add(reply, "DSN");
+		if (!exotic_backend ||
+		    (backend_caps & SMTP_CAPABILITY_ENHANCEDSTATUSCODES) != 0) {
+			smtp_server_reply_ehlo_add(
+				reply, "ENHANCEDSTATUSCODES");
+		}
+
+		if (subm_client->set->submission_max_mail_size > 0) {
+			smtp_server_reply_ehlo_add_param(reply,
+				"SIZE", "%"PRIuUOFF_T,
+				subm_client->set->submission_max_mail_size);
+		} else if (!exotic_backend ||
+			   (backend_caps & SMTP_CAPABILITY_SIZE) != 0) {
+			smtp_server_reply_ehlo_add(reply, "SIZE");
+		}
+
+		if (client_is_tls_enabled(client) && !client->tls)
+			smtp_server_reply_ehlo_add(reply, "STARTTLS");
+		if (!exotic_backend ||
+		    (backend_caps & SMTP_CAPABILITY_PIPELINING) != 0)
+			smtp_server_reply_ehlo_add(reply, "PIPELINING");
+		if ((backend_caps & SMTP_CAPABILITY_VRFY) != 0)
+			smtp_server_reply_ehlo_add(reply, "VRFY");
+		smtp_server_reply_ehlo_add_xclient(reply);
+	}
+	smtp_server_reply_submit(reply);
+}
+
+int cmd_helo(void *conn_ctx, struct smtp_server_cmd_ctx *cmd,
+	     struct smtp_server_cmd_helo *data)
+{
+	struct submission_client *subm_client = conn_ctx;
+
+	T_BEGIN {
+		cmd_helo_reply(subm_client, cmd, data);
+	} T_END;
+
+	return 1;
+}
+
+void submission_client_auth_result(struct client *client,
+	enum client_auth_result result,
+	const struct client_auth_reply *reply ATTR_UNUSED,
+	const char *text)
+{
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+	struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth;
+
+	if (subm_client->conn == NULL)
+		return;
+
+	subm_client->pending_auth = NULL;
+	i_assert(cmd != NULL);
+
+	switch (result) {
+	case CLIENT_AUTH_RESULT_SUCCESS:
+		/* nothing to be done for SMTP */
+		if (client->login_proxy != NULL)
+			subm_client->pending_auth = cmd;
+		break;
+	case CLIENT_AUTH_RESULT_TEMPFAIL:
+		/* RFC4954, Section 6:
+
+		   454 4.7.0 Temporary authentication failure
+
+		   This response to the AUTH command indicates that the
+		   authentication failed due to a temporary server failure.
+		 */
+		smtp_server_reply(cmd, 454, "4.7.0", "%s", text);
+		break;
+	case CLIENT_AUTH_RESULT_ABORTED:
+		/* RFC4954, Section 4:
+
+		   If the client wishes to cancel the authentication exchange,
+		   it issues a line with a single "*". If the server receives
+		   such a response, it MUST reject the AUTH command by sending
+		   a 501 reply. */
+		smtp_server_reply(cmd, 501, "5.5.2", "%s", text);
+		break;
+	case CLIENT_AUTH_RESULT_INVALID_BASE64:
+		/* RFC4954, Section 4:
+
+		   If the server cannot [BASE64] decode any client response, it
+		   MUST reject the AUTH command with a 501 reply (and an
+		   enhanced status code of 5.5.2). */
+		smtp_server_reply(cmd, 501, "5.5.2", "%s", text);
+		break;
+	case CLIENT_AUTH_RESULT_SSL_REQUIRED:
+		/* RFC3207, Section 4:
+
+		   A SMTP server that is not publicly referenced may choose to
+		   require that the client perform a TLS negotiation before
+		   accepting any commands.  In this case, the server SHOULD
+		   return the reply code:
+
+		   530 Must issue a STARTTLS command first
+
+		   to every command other than NOOP, EHLO, STARTTLS, or QUIT.
+		   If the client and server are using the ENHANCEDSTATUSCODES
+		   ESMTP extension [RFC2034], the status code to be returned
+		   SHOULD be 5.7.0. */
+		smtp_server_reply(cmd, 530, "5.7.0", "%s", text);
+		break;
+	case CLIENT_AUTH_RESULT_MECH_SSL_REQUIRED:
+		/* RFC5248, Section 2.4:
+
+		   523 X.7.10 Encryption Needed
+
+		   This indicates that an external strong privacy layer is
+		   needed in order to use the requested authentication
+		   mechanism. This is primarily intended for use with clear text
+		   authentication mechanisms. A client that receives this may
+		   activate a security layer such as TLS prior to
+		   authenticating, or attempt to use a stronger mechanism. */
+		smtp_server_reply(cmd, 523, "5.7.10", "%s", text);
+		break;
+	case CLIENT_AUTH_RESULT_MECH_INVALID:
+		/* RFC4954, Section 4:
+
+		   If the requested authentication mechanism is invalid (e.g.,
+		   is not supported or requires an encryption layer), the server
+		   rejects the AUTH command with a 504 reply.  If the server
+		   supports the [ESMTP-CODES] extension, it SHOULD return a
+		   5.5.4 enhanced response code. */
+		smtp_server_reply(cmd, 504, "5.5.4", "%s", text);
+		break;
+	case CLIENT_AUTH_RESULT_LOGIN_DISABLED:
+	case CLIENT_AUTH_RESULT_ANONYMOUS_DENIED:
+		/* RFC5248, Section 2.4:
+
+		   525 X.7.13 User Account Disabled
+
+		   Sometimes a system administrator will have to disable a
+		   user's account (e.g., due to lack of payment, abuse, evidence
+		   of a break-in attempt, etc.). This error code occurs after a
+		   successful authentication to a disabled account. This informs
+		   the client that the failure is permanent until the user
+		   contacts their system administrator to get the account
+		   re-enabled. */
+		smtp_server_reply(cmd, 525, "5.7.13", "%s", text);
+		break;
+	case CLIENT_AUTH_RESULT_PASS_EXPIRED:
+	default:
+		/* FIXME: RFC4954, Section 4:
+
+		   If the client uses an initial-response argument to the AUTH
+		   command with a SASL mechanism in which the client does not
+		   begin the authentication exchange, the server MUST reject the
+		   AUTH command with a 501 reply.  Servers using the enhanced
+		   status codes extension [ESMTP-CODES] SHOULD return an
+		   enhanced status code of 5.7.0 in this case.
+
+		   >> Currently, this is checked at the server side, but only a
+		      generic error is ever produced.
+		*/
+		/* NOTE: RFC4954, Section 4:
+
+		   If, during an authentication exchange, the server receives a
+		   line that is longer than the server's authentication buffer,
+		   the server fails the AUTH command with the 500 reply. Servers
+		   using the enhanced status codes extension [ESMTP-CODES]
+		   SHOULD return an enhanced status code of 5.5.6 in this case.
+
+		   >> Currently, client is disconnected from login-common.
+		*/
+		/* RFC4954, Section 4:
+
+		   If the server is unable to authenticate the client, it SHOULD
+		   reject the AUTH command with a 535 reply unless a more
+		   specific error code is appropriate.
+
+		   RFC4954, Section 6:
+
+		   535 5.7.8  Authentication credentials invalid
+
+		   This response to the AUTH command indicates that the
+		   authentication failed due to invalid or insufficient
+		   authentication credentials.
+		 */
+		smtp_server_reply(cmd, 535, "5.7.8", "%s", text);
+		break;
+	}
+}
+
+int cmd_auth_continue(void *conn_ctx,
+		      struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
+		      const char *response)
+{
+	struct submission_client *subm_client = conn_ctx;
+	struct client *client = &subm_client->common;
+
+	if (strcmp(response, "*") == 0) {
+		client_auth_abort(client);
+		return 0;
+	}
+
+	client_auth_respond(client, response);
+	return 0;
+}
+
+void submission_client_auth_send_challenge(struct client *client,
+					   const char *data)
+{
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+	struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth;
+
+	i_assert(cmd != NULL);
+
+	smtp_server_cmd_auth_send_challenge(cmd, data);
+}
+
+static void
+cmd_auth_set_master_data_prefix(struct submission_client *subm_client,
+				const char *mail_params) ATTR_NULL(2)
+{
+	struct client *client = &subm_client->common;
+	struct smtp_server_helo_data *helo;
+	struct smtp_proxy_data proxy;
+
+	buffer_t *buf = buffer_create_dynamic(default_pool, 2048);
+
+	/* pass ehlo parameter to post-login service upon successful login */
+	helo = smtp_server_connection_get_helo_data(subm_client->conn);
+	if (helo->domain_valid) {
+		i_assert(helo->domain != NULL);
+		buffer_append(buf, helo->domain, strlen(helo->domain));
+	}
+	buffer_append_c(buf, '\0');
+
+	/* pass proxied ehlo parameter to post-login service upon successful
+	   login */
+	smtp_server_connection_get_proxy_data(subm_client->conn, &proxy);
+	if (proxy.helo != NULL)
+		buffer_append(buf, proxy.helo, strlen(proxy.helo));
+	buffer_append_c(buf, '\0');
+
+	/* Pass MAIL command to post-login service if any. */
+	if (mail_params != NULL) {
+		buffer_append(buf, "MAIL ", 5);
+		buffer_append(buf, mail_params, strlen(mail_params));
+		buffer_append(buf, "\r\n", 2);
+	}
+
+	i_free(client->master_data_prefix);
+	client->master_data_prefix_len = buf->used;
+	client->master_data_prefix = buffer_free_without_data(&buf);
+}
+
+int cmd_auth(void *conn_ctx, struct smtp_server_cmd_ctx *cmd,
+	     struct smtp_server_cmd_auth *data)
+{
+	struct submission_client *subm_client = conn_ctx;
+	struct client *client = &subm_client->common;
+
+	cmd_auth_set_master_data_prefix(subm_client, NULL);
+
+	i_assert(subm_client->pending_auth == NULL);
+	subm_client->pending_auth = cmd;
+
+	(void)client_auth_begin(client, data->sasl_mech, data->initial_response);
+	return 0;
+}
+
+void cmd_mail(struct smtp_server_cmd_ctx *cmd, const char *params)
+{
+	struct smtp_server_connection *conn = cmd->conn;
+	struct submission_client *subm_client =
+		smtp_server_connection_get_context(conn);
+	struct client *client = &subm_client->common;
+	enum submission_login_client_workarounds workarounds =
+		subm_client->set->parsed_workarounds;
+
+	if (HAS_NO_BITS(workarounds,
+			SUBMISSION_LOGIN_WORKAROUND_IMPLICIT_AUTH_EXTERNAL) ||
+	    sasl_server_find_available_mech(client, "EXTERNAL") == NULL) {
+		smtp_server_command_fail(cmd->cmd, 530, "5.7.0",
+					 "Authentication required.");
+		return;
+	}
+
+	e_debug(cmd->event,
+		"Performing implicit EXTERNAL authentication");
+
+	smtp_server_command_input_lock(cmd);
+
+	cmd_auth_set_master_data_prefix(subm_client, params);
+
+	i_assert(subm_client->pending_auth == NULL);
+	subm_client->pending_auth = cmd;
+
+	(void)client_auth_begin_implicit(client, "EXTERNAL", "=");
+}
diff --git a/src/submission-login/client-authenticate.h b/src/submission-login/client-authenticate.h
new file mode 100644
index 0000000..8353b49
--- /dev/null
+++ b/src/submission-login/client-authenticate.h
@@ -0,0 +1,21 @@
+#ifndef CLIENT_AUTHENTICATE_H
+#define CLIENT_AUTHENTICATE_H
+
+void submission_client_auth_result(struct client *client,
+				   enum client_auth_result result,
+				   const struct client_auth_reply *reply,
+				   const char *text);
+
+void submission_client_auth_send_challenge(struct client *client,
+					   const char *data);
+
+int cmd_helo(void *conn_ctx, struct smtp_server_cmd_ctx *cmd,
+	     struct smtp_server_cmd_helo *data);
+int cmd_auth_continue(void *conn_ctx, struct smtp_server_cmd_ctx *cmd,
+		      const char *response);
+int cmd_auth(void *conn_ctx, struct smtp_server_cmd_ctx *cmd,
+	     struct smtp_server_cmd_auth *data);
+
+void cmd_mail(struct smtp_server_cmd_ctx *cmd, const char *params);
+
+#endif
diff --git a/src/submission-login/client.c b/src/submission-login/client.c
new file mode 100644
index 0000000..9922c9d
--- /dev/null
+++ b/src/submission-login/client.c
@@ -0,0 +1,329 @@
+/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */
+
+#include "login-common.h"
+#include "base64.h"
+#include "buffer.h"
+#include "ioloop.h"
+#include "istream.h"
+#include "ostream.h"
+#include "randgen.h"
+#include "hostpid.h"
+#include "safe-memset.h"
+#include "str.h"
+#include "strescape.h"
+#include "master-service.h"
+#include "master-service-ssl-settings.h"
+#include "client.h"
+#include "client-authenticate.h"
+#include "auth-client.h"
+#include "submission-proxy.h"
+#include "submission-login-settings.h"
+
+/* Disconnect client when it sends too many bad commands */
+#define CLIENT_MAX_BAD_COMMANDS 10
+
+static const struct smtp_server_callbacks smtp_callbacks;
+
+static struct smtp_server *smtp_server = NULL;
+
+static void
+client_parse_backend_capabilities(struct submission_client *subm_client )
+{
+	const struct submission_login_settings *set = subm_client->set;
+	const char *const *str;
+
+	if (set->submission_backend_capabilities == NULL) {
+		subm_client->backend_capabilities = SMTP_CAPABILITY_8BITMIME;
+		return;
+	}
+
+	subm_client->backend_capabilities = SMTP_CAPABILITY_NONE;
+	str = t_strsplit_spaces(set->submission_backend_capabilities, " ,");
+	for (; *str != NULL; str++) {
+		enum smtp_capability cap = smtp_capability_find_by_name(*str);
+
+		if (cap == SMTP_CAPABILITY_NONE) {
+			i_warning("Unknown SMTP capability in submission_backend_capabilities: "
+				  "%s", *str);
+			continue;
+		}
+
+		subm_client->backend_capabilities |= cap;
+	}
+
+	/* Make sure CHUNKING support is always enabled when BINARYMIME is
+	   enabled by explicit configuration. */
+	if (HAS_ALL_BITS(subm_client->backend_capabilities,
+			 SMTP_CAPABILITY_BINARYMIME)) {
+		subm_client->backend_capabilities |= SMTP_CAPABILITY_CHUNKING;
+	}
+}
+
+static int submission_login_start_tls(void *conn_ctx,
+	struct istream **input, struct ostream **output)
+{
+	struct submission_client *subm_client = conn_ctx;
+	struct client *client = &subm_client->common;
+
+	client->starttls = TRUE;
+	if (client_init_ssl(client) < 0) {
+		client_notify_disconnect(client,
+			CLIENT_DISCONNECT_INTERNAL_ERROR,
+			"TLS initialization failed.");
+		client_destroy(client,
+			"Disconnected: TLS initialization failed.");
+		return -1;
+	}
+	login_refresh_proctitle();
+
+	*input = client->input;
+	*output = client->output;
+	return 0;
+}
+
+static struct client *submission_client_alloc(pool_t pool)
+{
+	struct submission_client *subm_client;
+
+	subm_client = p_new(pool, struct submission_client, 1);
+	return &subm_client->common;
+}
+
+static void submission_client_create(struct client *client,
+				     void **other_sets)
+{
+	static const char *const xclient_extensions[] =
+		{ "FORWARD", NULL };
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+	struct smtp_server_settings smtp_set;
+
+	subm_client->set = other_sets[0];
+	client_parse_backend_capabilities(subm_client);
+
+	i_zero(&smtp_set);
+	smtp_set.capabilities = SMTP_CAPABILITY_SIZE |
+		SMTP_CAPABILITY_ENHANCEDSTATUSCODES | SMTP_CAPABILITY_AUTH |
+		SMTP_CAPABILITY_XCLIENT;
+	if (client_is_tls_enabled(client))
+		smtp_set.capabilities |= SMTP_CAPABILITY_STARTTLS;
+	smtp_set.hostname = subm_client->set->hostname;
+	smtp_set.login_greeting = client->set->login_greeting;
+	smtp_set.tls_required = !client->secured &&
+		(strcmp(client->ssl_set->ssl, "required") == 0);
+	smtp_set.xclient_extensions = xclient_extensions;
+	smtp_set.command_limits.max_parameters_size = LOGIN_MAX_INBUF_SIZE;
+	smtp_set.command_limits.max_auth_size = LOGIN_MAX_AUTH_BUF_SIZE;
+	smtp_set.debug = client->set->auth_debug;
+
+	subm_client->conn = smtp_server_connection_create_from_streams(
+		smtp_server, client->input, client->output,
+		&client->real_remote_ip, client->real_remote_port,
+		&smtp_set, &smtp_callbacks, subm_client);
+}
+
+static void submission_client_destroy(struct client *client)
+{
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+
+	if (subm_client->conn != NULL)
+		smtp_server_connection_close(&subm_client->conn, NULL);
+	i_free_and_null(subm_client->proxy_xclient);
+}
+
+static void submission_client_notify_auth_ready(struct client *client)
+{
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+
+	client->banner_sent = TRUE;
+	smtp_server_connection_start(subm_client->conn);
+}
+
+static void
+submission_client_notify_disconnect(struct client *_client,
+				    enum client_disconnect_reason reason,
+				    const char *text)
+{
+	struct submission_client *client =
+		container_of(_client, struct submission_client, common);
+	struct smtp_server_connection *conn;
+
+	conn = client->conn;
+	client->conn = NULL;
+	if (conn != NULL) {
+		switch (reason) {
+		case CLIENT_DISCONNECT_TIMEOUT:
+			smtp_server_connection_terminate(&conn, "4.4.2", text);
+			break;
+		case CLIENT_DISCONNECT_SYSTEM_SHUTDOWN:
+			smtp_server_connection_terminate(&conn, "4.3.2", text);
+			break;
+		case CLIENT_DISCONNECT_INTERNAL_ERROR:
+		default:
+			smtp_server_connection_terminate(&conn, "4.0.0", text);
+			break;
+		}
+	}
+}
+
+static void
+client_connection_cmd_xclient(void *context,
+			      struct smtp_server_cmd_ctx *cmd,
+			      struct smtp_proxy_data *data)
+{
+	unsigned int i;
+
+	struct submission_client *client = context;
+
+	if (data->source_ip.family != 0)
+		client->common.ip = data->source_ip;
+	if (data->source_port != 0)
+		client->common.remote_port = data->source_port;
+	if (data->ttl_plus_1 > 0)
+		client->common.proxy_ttl = data->ttl_plus_1 - 1;
+	if (data->session != NULL) {
+		client->common.session_id =
+			p_strdup(client->common.pool, data->session);
+	}
+
+	for (i = 0; i < data->extra_fields_count; i++) {
+		const char *name = data->extra_fields[i].name;
+		const char *value = data->extra_fields[i].value;
+
+		if (strcasecmp(name, "FORWARD") == 0) {
+			size_t value_len = strlen(value);
+			if (client->common.forward_fields != NULL) {
+				str_truncate(client->common.forward_fields, 0);
+			} else {
+				client->common.forward_fields =	str_new(
+					client->common.preproxy_pool,
+					MAX_BASE64_DECODED_SIZE(value_len));
+				if (base64_decode(value, value_len, NULL,
+					  client->common.forward_fields) < 0) {
+					smtp_server_reply(cmd, 501, "5.5.4",
+						"Invalid FORWARD parameter");
+				}
+			}
+		}
+	}
+}
+
+static void client_connection_disconnect(void *context, const char *reason)
+{
+	struct submission_client *client = context;
+
+	client->pending_auth = NULL;
+	client_disconnect(&client->common, reason,
+			  !client->common.login_success);
+}
+
+static void client_connection_free(void *context)
+{
+	struct submission_client *client = context;
+
+	if (client->conn == NULL)
+		return;
+	client->conn = NULL;
+	client_destroy(&client->common, NULL);
+}
+
+static bool client_connection_is_trusted(void *context)
+{
+	struct submission_client *client = context;
+
+	return client->common.trusted;
+}
+
+static void submission_login_die(void)
+{
+	/* do nothing. submission connections typically die pretty quick anyway.
+	 */
+}
+
+static void submission_login_preinit(void)
+{
+	login_set_roots = submission_login_setting_roots;
+}
+
+static void submission_login_init(void)
+{
+	struct smtp_server_settings smtp_server_set;
+
+	/* override the default login_die() */
+	master_service_set_die_callback(master_service, submission_login_die);
+
+	/* initialize SMTP server */
+	i_zero(&smtp_server_set);
+	smtp_server_set.protocol = SMTP_PROTOCOL_SMTP;
+	smtp_server_set.max_pipelined_commands = 5;
+	smtp_server_set.max_bad_commands = CLIENT_MAX_BAD_COMMANDS;
+	smtp_server_set.reason_code_module = "submission";
+	/* Pre-auth state is always logged either as GREETING or READY.
+	   It's not very useful. */
+	smtp_server_set.no_state_in_reason = TRUE;
+	smtp_server = smtp_server_init(&smtp_server_set);
+	smtp_server_command_override(smtp_server, "MAIL", cmd_mail,
+				     SMTP_SERVER_CMD_FLAG_PREAUTH);
+}
+
+static void submission_login_deinit(void)
+{
+	clients_destroy_all();
+
+	smtp_server_deinit(&smtp_server);
+}
+
+static const struct smtp_server_callbacks smtp_callbacks = {
+	.conn_cmd_helo = cmd_helo,
+
+	.conn_start_tls = submission_login_start_tls,
+
+	.conn_cmd_auth = cmd_auth,
+	.conn_cmd_auth_continue = cmd_auth_continue,
+
+	.conn_cmd_xclient = client_connection_cmd_xclient,
+
+	.conn_disconnect = client_connection_disconnect,
+	.conn_free = client_connection_free,
+
+	.conn_is_trusted = client_connection_is_trusted
+};
+
+static struct client_vfuncs submission_client_vfuncs = {
+	.alloc = submission_client_alloc,
+	.create = submission_client_create,
+	.destroy = submission_client_destroy,
+	.notify_auth_ready = submission_client_notify_auth_ready,
+	.notify_disconnect = submission_client_notify_disconnect,
+	.auth_send_challenge = submission_client_auth_send_challenge,
+	.auth_result = submission_client_auth_result,
+	.proxy_reset = submission_proxy_reset,
+	.proxy_parse_line = submission_proxy_parse_line,
+	.proxy_failed = submission_proxy_failed,
+	.proxy_get_state = submission_proxy_get_state,
+};
+
+static struct login_binary submission_login_binary = {
+	.protocol = "submission",
+	.process_name = "submission-login",
+	.default_port = 587,
+
+	.event_category = {
+		.name = "submission",
+	},
+
+	.client_vfuncs = &submission_client_vfuncs,
+	.preinit = submission_login_preinit,
+	.init = submission_login_init,
+	.deinit = submission_login_deinit,
+
+	.sasl_support_final_reply = FALSE,
+	.anonymous_login_acceptable = FALSE,
+};
+
+int main(int argc, char *argv[])
+{
+	return login_binary_run(&submission_login_binary, argc, argv);
+}
diff --git a/src/submission-login/client.h b/src/submission-login/client.h
new file mode 100644
index 0000000..ba932af
--- /dev/null
+++ b/src/submission-login/client.h
@@ -0,0 +1,38 @@
+#ifndef CLIENT_H
+#define CLIENT_H
+
+#include "net.h"
+#include "client-common.h"
+#include "auth-client.h"
+#include "smtp-server.h"
+
+enum submission_proxy_state {
+	SUBMISSION_PROXY_BANNER = 0,
+	SUBMISSION_PROXY_EHLO,
+	SUBMISSION_PROXY_STARTTLS,
+	SUBMISSION_PROXY_TLS_EHLO,
+	SUBMISSION_PROXY_XCLIENT,
+	SUBMISSION_PROXY_XCLIENT_EHLO,
+	SUBMISSION_PROXY_AUTHENTICATE,
+
+	SUBMISSION_PROXY_STATE_COUNT
+};
+
+struct submission_client {
+	struct client common;
+	const struct submission_login_settings *set;
+	enum smtp_capability backend_capabilities;
+
+	struct smtp_server_connection *conn;
+	struct smtp_server_cmd_ctx *pending_auth;
+
+	enum submission_proxy_state proxy_state;
+	enum smtp_capability proxy_capability;
+	char *proxy_sasl_ir;
+	unsigned int proxy_reply_status;
+	struct smtp_server_reply *proxy_reply;
+	const char **proxy_xclient;
+	unsigned int proxy_xclient_replies_expected;
+};
+
+#endif
diff --git a/src/submission-login/submission-login-settings.c b/src/submission-login/submission-login-settings.c
new file mode 100644
index 0000000..b35f97f
--- /dev/null
+++ b/src/submission-login/submission-login-settings.c
@@ -0,0 +1,166 @@
+/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */
+
+#include "lib.h"
+#include "hostpid.h"
+#include "buffer.h"
+#include "settings-parser.h"
+#include "service-settings.h"
+#include "login-settings.h"
+#include "submission-login-settings.h"
+
+#include <stddef.h>
+
+static bool
+submission_login_settings_check(void *_set, pool_t pool, const char **error_r);
+
+/* <settings checks> */
+static struct inet_listener_settings submission_login_inet_listeners_array[] = {
+	{ .name = "submission", .address = "", .port = 587  },
+	{ .name = "submissions", .address = "", .port = 465, .ssl = TRUE }
+};
+static struct inet_listener_settings *submission_login_inet_listeners[] = {
+	&submission_login_inet_listeners_array[0]
+};
+static buffer_t submission_login_inet_listeners_buf = {
+	{ { submission_login_inet_listeners,
+	    sizeof(submission_login_inet_listeners) } }
+};
+
+/* </settings checks> */
+struct service_settings submission_login_service_settings = {
+	.name = "submission-login",
+	.protocol = "submission",
+	.type = "login",
+	.executable = "submission-login",
+	.user = "$default_login_user",
+	.group = "",
+	.privileged_group = "",
+	.extra_groups = "",
+	.chroot = "login",
+
+	.drop_priv_before_exec = FALSE,
+
+	.process_min_avail = 0,
+	.process_limit = 0,
+	.client_limit = 0,
+	.service_count = 1,
+	.idle_kill = 0,
+	.vsz_limit = UOFF_T_MAX,
+
+	.unix_listeners = ARRAY_INIT,
+	.fifo_listeners = ARRAY_INIT,
+	.inet_listeners = { { &submission_login_inet_listeners_buf,
+			      sizeof(submission_login_inet_listeners[0]) } }
+};
+
+#undef DEF
+#define DEF(type, name) \
+	SETTING_DEFINE_STRUCT_##type(#name, name, struct submission_login_settings)
+
+static const struct setting_define submission_login_setting_defines[] = {
+	DEF(STR, hostname),
+
+	DEF(SIZE, submission_max_mail_size),
+	DEF(STR, submission_client_workarounds),
+	DEF(STR, submission_backend_capabilities),
+
+	SETTING_DEFINE_LIST_END
+};
+
+static const struct submission_login_settings submission_login_default_settings = {
+	.hostname = "",
+
+	.submission_max_mail_size = 0,
+	.submission_client_workarounds = "",
+	.submission_backend_capabilities = NULL
+};
+
+static const struct setting_parser_info *submission_login_setting_dependencies[] = {
+	&login_setting_parser_info,
+	NULL
+};
+
+const struct setting_parser_info submission_login_setting_parser_info = {
+	.module_name = "submission-login",
+	.defines = submission_login_setting_defines,
+	.defaults = &submission_login_default_settings,
+
+	.type_offset = SIZE_MAX,
+	.struct_size = sizeof(struct submission_login_settings),
+	.parent_offset = SIZE_MAX,
+
+	.check_func = submission_login_settings_check,
+	.dependencies = submission_login_setting_dependencies
+};
+
+const struct setting_parser_info *submission_login_setting_roots[] = {
+	&login_setting_parser_info,
+	&submission_login_setting_parser_info,
+	NULL
+};
+
+/* <settings checks> */
+struct submission_login_client_workaround_list {
+	const char *name;
+	enum submission_login_client_workarounds num;
+};
+
+/* These definitions need to be kept in sync with equivalent definitions present
+   in src/submission/submission-settings.c. Workarounds that are not relevant
+   to the submission-login service are defined as 0 here to prevent "Unknown
+   workaround" errors below. */
+static const struct submission_login_client_workaround_list
+submission_login_client_workaround_list[] = {
+	{ "whitespace-before-path", 0},
+	{ "mailbox-for-path", 0 },
+	{ "implicit-auth-external",
+	  SUBMISSION_LOGIN_WORKAROUND_IMPLICIT_AUTH_EXTERNAL },
+	{ "exotic-backend",
+	  SUBMISSION_LOGIN_WORKAROUND_EXOTIC_BACKEND },
+	{ NULL, 0 }
+};
+
+static int
+submission_login_settings_parse_workarounds(
+	struct submission_login_settings *set, const char **error_r)
+{
+	enum submission_login_client_workarounds client_workarounds = 0;
+        const struct submission_login_client_workaround_list *list;
+	const char *const *str;
+
+        str = t_strsplit_spaces(set->submission_client_workarounds, " ,");
+	for (; *str != NULL; str++) {
+		list = submission_login_client_workaround_list;
+		for (; list->name != NULL; list++) {
+			if (strcasecmp(*str, list->name) == 0) {
+				client_workarounds |= list->num;
+				break;
+			}
+		}
+		if (list->name == NULL) {
+			*error_r = t_strdup_printf(
+				"submission_client_workarounds: "
+				"Unknown workaround: %s", *str);
+			return -1;
+		}
+	}
+	set->parsed_workarounds = client_workarounds;
+	return 0;
+}
+
+static bool
+submission_login_settings_check(void *_set, pool_t pool ATTR_UNUSED,
+				const char **error_r)
+{
+	struct submission_login_settings *set = _set;
+
+	if (submission_login_settings_parse_workarounds(set, error_r) < 0)
+		return FALSE;
+
+#ifndef CONFIG_BINARY
+	if (*set->hostname == '\0')
+		set->hostname = p_strdup(pool, my_hostdomain());
+#endif
+	return TRUE;
+}
+/* </settings checks> */
diff --git a/src/submission-login/submission-login-settings.h b/src/submission-login/submission-login-settings.h
new file mode 100644
index 0000000..57334b4
--- /dev/null
+++ b/src/submission-login/submission-login-settings.h
@@ -0,0 +1,24 @@
+#ifndef SUBMISSION_LOGIN_SETTINGS_H
+#define SUBMISSION_LOGIN_SETTINGS_H
+
+/* <settings checks> */
+enum submission_login_client_workarounds {
+	SUBMISSION_LOGIN_WORKAROUND_IMPLICIT_AUTH_EXTERNAL	= BIT(0),
+	SUBMISSION_LOGIN_WORKAROUND_EXOTIC_BACKEND		= BIT(1),
+};
+/* </settings checks> */
+
+struct submission_login_settings {
+	const char *hostname;
+
+	/* submission: */
+	uoff_t submission_max_mail_size;
+	const char *submission_client_workarounds;
+	const char *submission_backend_capabilities;
+
+	enum submission_login_client_workarounds parsed_workarounds;
+};
+
+extern const struct setting_parser_info *submission_login_setting_roots[];
+
+#endif
diff --git a/src/submission-login/submission-proxy.c b/src/submission-login/submission-proxy.c
new file mode 100644
index 0000000..190617b
--- /dev/null
+++ b/src/submission-login/submission-proxy.c
@@ -0,0 +1,709 @@
+/* Copyright (c) 2017-2018 Dovecot authors, see the included COPYING file */
+
+#include "login-common.h"
+#include "ioloop.h"
+#include "istream.h"
+#include "ostream.h"
+#include "base64.h"
+#include "safe-memset.h"
+#include "str.h"
+#include "str-sanitize.h"
+#include "strescape.h"
+#include "dsasl-client.h"
+#include "client.h"
+#include "smtp-syntax.h"
+#include "submission-login-settings.h"
+#include "submission-proxy.h"
+
+#include <ctype.h>
+
+static const char *submission_proxy_state_names[SUBMISSION_PROXY_STATE_COUNT] = {
+	"banner", "ehlo", "starttls", "tls-ehlo", "xclient", "xclient-ehlo", "authenticate"
+};
+
+static void
+submission_proxy_success_reply_sent(
+	struct smtp_server_cmd_ctx *cmd ATTR_UNUSED,
+	struct submission_client *subm_client)
+{
+	client_proxy_finish_destroy_client(&subm_client->common);
+}
+
+static int
+proxy_send_starttls(struct submission_client *client, struct ostream *output)
+{
+	enum login_proxy_ssl_flags ssl_flags;
+
+	ssl_flags = login_proxy_get_ssl_flags(client->common.login_proxy);
+	if ((ssl_flags & PROXY_SSL_FLAG_STARTTLS) == 0)
+		return 0;
+
+	if ((client->proxy_capability & SMTP_CAPABILITY_STARTTLS) == 0) {
+		login_proxy_failed(
+			client->common.login_proxy,
+			login_proxy_get_event(client->common.login_proxy),
+			LOGIN_PROXY_FAILURE_TYPE_REMOTE_CONFIG,
+			"STARTTLS not supported");
+		return -1;
+	}
+	o_stream_nsend_str(output, "STARTTLS\r\n");
+	client->proxy_state = SUBMISSION_PROXY_STARTTLS;
+	return 1;
+}
+
+static buffer_t *
+proxy_compose_xclient_forward(struct submission_client *client)
+{
+	const char *const *arg;
+	string_t *str;
+
+	if (*client->common.auth_passdb_args == NULL)
+		return NULL;
+
+	str = t_str_new(128);
+	for (arg = client->common.auth_passdb_args; *arg != NULL; arg++) {
+		if (strncasecmp(*arg, "forward_", 8) == 0) {
+			if (str_len(str) > 0)
+				str_append_c(str, '\t');
+			str_append_tabescaped(str, (*arg)+8);
+		}
+	}
+	if (str_len(str) == 0)
+		return NULL;
+
+	return t_base64_encode(0, 0, str_data(str), str_len(str));
+}
+
+static void
+proxy_send_xclient_more_data(struct submission_client *client,
+			     struct ostream *output, string_t *buf,
+			     const char *field, const unsigned char *value,
+			     size_t value_size)
+{
+	const size_t cmd_len = strlen("XCLIENT");
+	size_t prev_len = str_len(buf);
+
+	str_append_c(buf, ' ');
+	str_append(buf, field);
+	str_append_c(buf, '=');
+	smtp_xtext_encode(buf, value, value_size);
+
+	if (str_len(buf) > 512) {
+		if (prev_len <= cmd_len)
+			prev_len = str_len(buf);
+		o_stream_nsend(output, str_data(buf), prev_len);
+		o_stream_nsend(output, "\r\n", 2);
+		client->proxy_xclient_replies_expected++;
+		str_delete(buf, cmd_len, prev_len - cmd_len);
+	}
+}
+
+static void
+proxy_send_xclient_more(struct submission_client *client,
+			struct ostream *output, string_t *buf,
+			const char *field, const char *value)
+{
+	proxy_send_xclient_more_data(client, output, buf, field,
+				     (const unsigned char *)value,
+				     strlen(value));
+}
+
+static int
+proxy_send_xclient(struct submission_client *client, struct ostream *output)
+{
+	string_t *str;
+
+	if ((client->proxy_capability & SMTP_CAPABILITY_XCLIENT) == 0 ||
+	    client->common.proxy_not_trusted)
+		return 0;
+
+	struct smtp_proxy_data proxy_data;
+
+	smtp_server_connection_get_proxy_data(client->conn, &proxy_data);
+	i_assert(client->common.proxy_ttl > 1);
+
+	/* remote supports XCLIENT, send it */
+	client->proxy_xclient_replies_expected = 0;
+	str = t_str_new(128);
+	str_append(str, "XCLIENT");
+	if (str_array_icase_find(client->proxy_xclient, "HELO")) {
+		if (proxy_data.helo != NULL) {
+			proxy_send_xclient_more(client, output, str, "HELO",
+						proxy_data.helo);
+		} else {
+			proxy_send_xclient_more(client, output, str, "HELO",
+						"[UNAVAILABLE]");
+		}
+	}
+	if (str_array_icase_find(client->proxy_xclient, "PROTO")) {
+		const char *proto = "[UNAVAILABLE]";
+
+		switch (proxy_data.proto) {
+		case SMTP_PROXY_PROTOCOL_UNKNOWN:
+			break;
+		case SMTP_PROXY_PROTOCOL_SMTP:
+			proto = "SMTP";
+			break;
+		case SMTP_PROXY_PROTOCOL_ESMTP:
+			proto = "ESMTP";
+			break;
+		case SMTP_PROXY_PROTOCOL_LMTP:
+			proto = "LMTP";
+			break;
+		}
+		proxy_send_xclient_more(client, output, str, "PROTO", proto);
+	}
+	if (client->common.proxy_noauth &&
+	    str_array_icase_find(client->proxy_xclient, "LOGIN")) {
+		if (proxy_data.login != NULL) {
+			proxy_send_xclient_more(client, output, str, "LOGIN",
+						proxy_data.login);
+		} else if (client->common.virtual_user != NULL) {
+			proxy_send_xclient_more(client, output, str, "LOGIN",
+						client->common.virtual_user);
+		} else {
+			proxy_send_xclient_more(client, output, str, "LOGIN",
+						"[UNAVAILABLE]");
+		}
+	}
+	if (str_array_icase_find(client->proxy_xclient, "TTL")) {
+		proxy_send_xclient_more(
+			client, output, str, "TTL",
+			t_strdup_printf("%u",client->common.proxy_ttl - 1));
+	}
+	if (str_array_icase_find(client->proxy_xclient, "PORT")) {
+		proxy_send_xclient_more(
+			client, output, str, "PORT",
+			t_strdup_printf("%u", client->common.remote_port));
+	}
+	if (str_array_icase_find(client->proxy_xclient, "ADDR")) {
+		proxy_send_xclient_more(client, output, str, "ADDR",
+					net_ip2addr(&client->common.ip));
+	}
+	if (str_array_icase_find(client->proxy_xclient, "SESSION")) {
+		proxy_send_xclient_more(client, output, str, "SESSION",
+					client_get_session_id(&client->common));
+	}
+	if (str_array_icase_find(client->proxy_xclient, "FORWARD")) {
+		buffer_t *fwd = proxy_compose_xclient_forward(client);
+
+		if (fwd != NULL) {
+			proxy_send_xclient_more_data(
+				client, output, str, "FORWARD",
+				fwd->data, fwd->used);
+		}
+	}
+	str_append(str, "\r\n");
+	o_stream_nsend(output, str_data(str), str_len(str));
+	client->proxy_state = SUBMISSION_PROXY_XCLIENT;
+	client->proxy_xclient_replies_expected++;
+	return 1;
+}
+
+static int
+proxy_send_login(struct submission_client *client, struct ostream *output)
+{
+	struct dsasl_client_settings sasl_set;
+	const unsigned char *sasl_output;
+	size_t sasl_output_len;
+	const char *mech_name, *error;
+	string_t *str;
+
+	if ((client->proxy_capability & SMTP_CAPABILITY_AUTH) == 0) {
+		/* Prevent sending credentials to a server that has login
+		   disabled; i.e., due to the lack of TLS */
+		login_proxy_failed(client->common.login_proxy,
+			login_proxy_get_event(client->common.login_proxy),
+			LOGIN_PROXY_FAILURE_TYPE_REMOTE_CONFIG,
+			"Authentication support not advertised (TLS required?)");
+		return -1;
+	}
+
+	str = t_str_new(128);
+
+	if (client->common.proxy_mech == NULL)
+		client->common.proxy_mech = &dsasl_client_mech_plain;
+
+	i_assert(client->common.proxy_sasl_client == NULL);
+	i_zero(&sasl_set);
+	sasl_set.authid = client->common.proxy_master_user != NULL ?
+		client->common.proxy_master_user : client->common.proxy_user;
+	sasl_set.authzid = client->common.proxy_user;
+	sasl_set.password = client->common.proxy_password;
+	client->common.proxy_sasl_client =
+		dsasl_client_new(client->common.proxy_mech, &sasl_set);
+	mech_name = dsasl_client_mech_get_name(client->common.proxy_mech);
+
+	str_printfa(str, "AUTH %s", mech_name);
+	if (dsasl_client_output(client->common.proxy_sasl_client,
+				&sasl_output, &sasl_output_len, &error) < 0) {
+		const char *reason = t_strdup_printf(
+			"SASL mechanism %s init failed: %s",
+			mech_name, error);
+		login_proxy_failed(client->common.login_proxy,
+			login_proxy_get_event(client->common.login_proxy),
+			LOGIN_PROXY_FAILURE_TYPE_INTERNAL, reason);
+		return -1;
+	}
+
+	string_t *sasl_output_base64 = t_str_new(
+		MAX_BASE64_ENCODED_SIZE(sasl_output_len));
+	base64_encode(sasl_output, sasl_output_len, sasl_output_base64);
+
+	/* RFC 4954, Section 4:
+
+	   Note that the AUTH command is still subject to the line length
+	   limitations defined in [SMTP]. If use of the initial response
+	   argument would cause the AUTH command to exceed this length, the
+	   client MUST NOT use the initial response parameter (and instead
+	   proceed as defined in Section 5.1 of [SASL]).
+
+	   If the client is transmitting an initial response of zero length, it
+	   MUST instead transmit the response as a single equals sign ("=").
+	   This indicates that the response is present, but contains no data.
+	 */
+
+	i_assert(client->proxy_sasl_ir == NULL);
+	if (str_len(sasl_output_base64) == 0)
+		str_append(str, " =");
+	else if ((5 + strlen(mech_name) + 1 + str_len(sasl_output_base64)) >
+		 SMTP_BASE_LINE_LENGTH_LIMIT)
+		client->proxy_sasl_ir = i_strdup(str_c(sasl_output_base64));
+	else {
+		str_append_c(str, ' ');
+		str_append_str(str, sasl_output_base64);
+	}
+
+	str_append(str, "\r\n");
+	o_stream_nsend(output, str_data(str), str_len(str));
+
+	client->proxy_state = SUBMISSION_PROXY_AUTHENTICATE;
+	return 0;
+}
+
+static int
+proxy_handle_ehlo_reply(struct submission_client *client,
+			struct ostream *output)
+{
+	struct smtp_server_cmd_ctx *cmd = client->pending_auth;
+	int ret;
+
+	switch (client->proxy_state) {
+	case SUBMISSION_PROXY_EHLO:
+		ret = proxy_send_starttls(client, output);
+		if (ret < 0)
+			return -1;
+		if (ret != 0)
+			return 0;
+		/* Fall through */
+	case SUBMISSION_PROXY_TLS_EHLO:
+		ret = proxy_send_xclient(client, output);
+		if (ret < 0)
+			return -1;
+		if (ret != 0) {
+			client->proxy_capability = 0;
+			i_free_and_null(client->proxy_xclient);
+			o_stream_nsend_str(output, t_strdup_printf(
+					   "EHLO %s\r\n",
+					   client->set->hostname));
+			return 0;
+		}
+		break;
+	case SUBMISSION_PROXY_XCLIENT_EHLO:
+		break;
+	default:
+		i_unreached();
+	}
+
+	if (client->common.proxy_noauth) {
+		smtp_server_connection_input_lock(cmd->conn);
+
+		smtp_server_command_add_hook(
+			cmd->cmd, SMTP_SERVER_COMMAND_HOOK_DESTROY,
+			submission_proxy_success_reply_sent, client);
+		client->pending_auth = NULL;
+
+		smtp_server_reply(cmd, 235, "2.7.0", "Logged in.");
+		return 1;
+	}
+
+	return proxy_send_login(client, output);
+}
+
+static int
+submission_proxy_continue_sasl_auth(struct client *client,
+				    struct ostream *output, const char *line,
+				    bool last_line)
+{
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+	string_t *str;
+	const unsigned char *data;
+	size_t data_len;
+	const char *error;
+	int ret;
+
+	if (!last_line) {
+		const char *reason = t_strdup_printf(
+			"Server returned multi-line challenge: 334 %s",
+			str_sanitize(line, 1024));
+		login_proxy_failed(client->login_proxy,
+			login_proxy_get_event(client->login_proxy),
+			LOGIN_PROXY_FAILURE_TYPE_PROTOCOL, reason);
+		return -1;
+	}
+	if (subm_client->proxy_sasl_ir != NULL) {
+		if (*line == '\0') {
+			/* Send initial response */
+			o_stream_nsend(output, subm_client->proxy_sasl_ir,
+				       strlen(subm_client->proxy_sasl_ir));
+			o_stream_nsend_str(output, "\r\n");
+			i_free(subm_client->proxy_sasl_ir);
+			return 0;
+		}
+		const char *reason = t_strdup_printf(
+			"Server sent unexpected server-first challenge: "
+			"334 %s", str_sanitize(line, 1024));
+		login_proxy_failed(client->login_proxy,
+			login_proxy_get_event(client->login_proxy),
+			LOGIN_PROXY_FAILURE_TYPE_PROTOCOL, reason);
+		return -1;
+	}
+
+	str = t_str_new(128);
+	if (base64_decode(line, strlen(line), NULL, str) < 0) {
+		login_proxy_failed(client->login_proxy,
+			login_proxy_get_event(client->login_proxy),
+			LOGIN_PROXY_FAILURE_TYPE_PROTOCOL,
+			"Invalid base64 data in AUTH response");
+		return -1;
+	}
+	ret = dsasl_client_input(client->proxy_sasl_client,
+				 str_data(str), str_len(str), &error);
+	if (ret == 0) {
+		ret = dsasl_client_output(client->proxy_sasl_client,
+					  &data, &data_len, &error);
+	}
+	if (ret < 0) {
+		const char *reason = t_strdup_printf(
+			"Invalid authentication data: %s", error);
+		login_proxy_failed(client->login_proxy,
+			login_proxy_get_event(client->login_proxy),
+			LOGIN_PROXY_FAILURE_TYPE_PROTOCOL, reason);
+		return -1;
+	}
+	i_assert(ret == 0);
+
+	str_truncate(str, 0);
+	base64_encode(data, data_len, str);
+	str_append(str, "\r\n");
+
+	o_stream_nsend(output, str_data(str), str_len(str));
+	return 0;
+}
+
+static const char *
+strip_enhanced_code(const char *text, const char **enh_code_r)
+{
+	const char *p = text;
+	unsigned int digits;
+
+	*enh_code_r = NULL;
+
+	if (*p != '2' && *p != '4' && *p != '5')
+		return text;
+	p++;
+	if (*p != '.')
+		return text;
+	p++;
+
+	digits = 0;
+	while (i_isdigit(*p) && digits < 3) {
+		p++;
+		digits++;
+	}
+	if (*p != '.')
+		return text;
+	p++;
+
+	digits = 0;
+	while (i_isdigit(*p) && digits < 3) {
+		p++;
+		digits++;
+	}
+	if (*p != ' ')
+		return text;
+	*enh_code_r = t_strdup_until(text, p);
+	p++;
+	return p;
+}
+
+int submission_proxy_parse_line(struct client *client, const char *line)
+{
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+	struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth;
+	struct smtp_server_command *command = cmd->cmd;
+	struct ostream *output;
+	bool last_line = FALSE, invalid_line = FALSE;
+	const char *text = NULL, *enh_code = NULL;
+	unsigned int status = 0;
+
+	i_assert(!client->destroyed);
+	i_assert(cmd != NULL);
+
+	if ((line[3] != ' ' && line[3] != '-') ||
+	    str_parse_uint(line, &status, &text) < 0 ||
+	    status < 200 || status >= 560) {
+		invalid_line = TRUE;
+	} else {
+		text++;
+
+		if ((subm_client->proxy_capability &
+		    SMTP_CAPABILITY_ENHANCEDSTATUSCODES) != 0)
+			text = strip_enhanced_code(text, &enh_code);
+	}
+	if (subm_client->proxy_reply_status != 0 &&
+	    subm_client->proxy_reply_status != status) {
+		const char *reason = t_strdup_printf(
+			"Inconsistent SMTP reply: %s (status != %u)",
+			str_sanitize(line, 160),
+			subm_client->proxy_reply_status);
+		login_proxy_failed(client->login_proxy,
+				   login_proxy_get_event(client->login_proxy),
+				   LOGIN_PROXY_FAILURE_TYPE_PROTOCOL, reason);
+		return -1;
+	}
+	if (line[3] == ' ') {
+		last_line = TRUE;
+		subm_client->proxy_reply_status = 0;
+	} else {
+		subm_client->proxy_reply_status = status;
+	}
+
+	output = login_proxy_get_ostream(client->login_proxy);
+	switch (subm_client->proxy_state) {
+	case SUBMISSION_PROXY_BANNER:
+		/* this is a banner */
+		if (invalid_line || status != 220) {
+			const char *reason = t_strdup_printf(
+				"Invalid banner: %s", str_sanitize(line, 160));
+			login_proxy_failed(client->login_proxy,
+				login_proxy_get_event(client->login_proxy),
+				LOGIN_PROXY_FAILURE_TYPE_PROTOCOL, reason);
+			return -1;
+		}
+		if (!last_line)
+			return 0;
+
+		subm_client->proxy_state = SUBMISSION_PROXY_EHLO;
+		o_stream_nsend_str(output, t_strdup_printf("EHLO %s\r\n",
+			subm_client->set->hostname));
+		return 0;
+	case SUBMISSION_PROXY_EHLO:
+	case SUBMISSION_PROXY_TLS_EHLO:
+	case SUBMISSION_PROXY_XCLIENT_EHLO:
+		if (invalid_line || (status / 100) != 2) {
+			const char *reason = t_strdup_printf(
+				"Invalid EHLO line: %s",
+				str_sanitize(line, 160));
+			login_proxy_failed(client->login_proxy,
+				login_proxy_get_event(client->login_proxy),
+				LOGIN_PROXY_FAILURE_TYPE_PROTOCOL, reason);
+			return -1;
+		}
+
+		if (strncasecmp(text, "XCLIENT ", 8) == 0) {
+			subm_client->proxy_capability |=
+				SMTP_CAPABILITY_XCLIENT;
+			i_free_and_null(subm_client->proxy_xclient);
+			subm_client->proxy_xclient = p_strarray_dup(
+				default_pool, t_strsplit_spaces(text + 8, " "));
+		} else if (strncasecmp(text, "STARTTLS", 9) == 0) {
+			subm_client->proxy_capability |=
+				SMTP_CAPABILITY_STARTTLS;
+		} else if (strncasecmp(text, "AUTH", 4) == 0 &&
+			text[4] == ' ' && text[5] != '\0') {
+			subm_client->proxy_capability |=
+				SMTP_CAPABILITY_AUTH;
+		} else if (strcasecmp(text, "ENHANCEDSTATUSCODES") == 0) {
+			subm_client->proxy_capability |=
+				SMTP_CAPABILITY_ENHANCEDSTATUSCODES;
+		}
+		if (!last_line)
+			return 0;
+
+		return proxy_handle_ehlo_reply(subm_client, output);
+	case SUBMISSION_PROXY_STARTTLS:
+		if (invalid_line || status != 220) {
+			const char *reason = t_strdup_printf(
+				"STARTTLS failed: %s",
+				str_sanitize(line, 160));
+			login_proxy_failed(client->login_proxy,
+				login_proxy_get_event(client->login_proxy),
+				LOGIN_PROXY_FAILURE_TYPE_REMOTE, reason);
+			return -1;
+		}
+		if (!last_line)
+			return 0;
+		if (login_proxy_starttls(client->login_proxy) < 0)
+			return -1;
+		/* i/ostreams changed. */
+		output = login_proxy_get_ostream(client->login_proxy);
+
+		subm_client->proxy_capability = 0;
+		i_free_and_null(subm_client->proxy_xclient);
+		subm_client->proxy_state = SUBMISSION_PROXY_TLS_EHLO;
+		o_stream_nsend_str(output, t_strdup_printf(
+			"EHLO %s\r\n", subm_client->set->hostname));
+		return 0;
+	case SUBMISSION_PROXY_XCLIENT:
+		if (invalid_line || (status / 100) != 2) {
+			const char *reason = t_strdup_printf(
+				"XCLIENT failed: %s", str_sanitize(line, 160));
+			login_proxy_failed(client->login_proxy,
+				login_proxy_get_event(client->login_proxy),
+				LOGIN_PROXY_FAILURE_TYPE_REMOTE, reason);
+			return -1;
+		}
+		if (!last_line)
+			return 0;
+		i_assert(subm_client->proxy_xclient_replies_expected > 0);
+		if (--subm_client->proxy_xclient_replies_expected > 0)
+			return 0;
+		subm_client->proxy_state = SUBMISSION_PROXY_XCLIENT_EHLO;
+		return 0;
+	case SUBMISSION_PROXY_AUTHENTICATE:
+		if (invalid_line)
+			break;
+		if (status == 334 && client->proxy_sasl_client != NULL) {
+			/* continue SASL authentication */
+			if (submission_proxy_continue_sasl_auth(
+				client, output, text, last_line) < 0)
+				return -1;
+			return 0;
+		}
+
+		i_assert(subm_client->proxy_reply == NULL);
+		subm_client->proxy_reply = smtp_server_reply_create(
+			command, status, enh_code);
+		smtp_server_reply_add_text(subm_client->proxy_reply, text);
+
+		if (!last_line)
+			return 0;
+		if ((status / 100) != 2)
+			break;
+
+		smtp_server_connection_input_lock(cmd->conn);
+
+		smtp_server_command_add_hook(
+			command, SMTP_SERVER_COMMAND_HOOK_DESTROY,
+			submission_proxy_success_reply_sent, subm_client);
+
+		subm_client->pending_auth = NULL;
+
+		/* Login successful. Send this reply to client. */
+		smtp_server_reply_submit(subm_client->proxy_reply);
+
+		return 1;
+	case SUBMISSION_PROXY_STATE_COUNT:
+		i_unreached();
+	}
+
+	/* Login failed. Pass through the error message to client.
+
+	   If the backend server isn't Dovecot, the error message may
+	   be different from Dovecot's "user doesn't exist" error. This
+	   would allow an attacker to find out what users exist in the
+	   system.
+
+	   The optimal way to handle this would be to replace the
+	   backend's "password failed" error message with Dovecot's
+	   AUTH_FAILED_MSG, but this would require a new setting and
+	   the sysadmin to actually bother setting it properly.
+
+	   So for now we'll just forward the error message. This
+	   shouldn't be a real problem since of course everyone will
+	   be using only Dovecot as their backend :) */
+	enum login_proxy_failure_type failure_type =
+		LOGIN_PROXY_FAILURE_TYPE_AUTH;
+	if ((status / 100) == 4)
+		failure_type = LOGIN_PROXY_FAILURE_TYPE_AUTH_TEMPFAIL;
+	else {
+		i_assert((status / 100) != 2);
+		i_assert(subm_client->proxy_reply != NULL);
+		smtp_server_reply_submit(subm_client->proxy_reply);
+		subm_client->pending_auth = NULL;
+	}
+
+	login_proxy_failed(client->login_proxy,
+			   login_proxy_get_event(client->login_proxy),
+			   failure_type, text);
+	return -1;
+}
+
+void submission_proxy_reset(struct client *client)
+{
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+
+	subm_client->proxy_state = SUBMISSION_PROXY_BANNER;
+	subm_client->proxy_capability = 0;
+	i_free_and_null(subm_client->proxy_xclient);
+	i_free(subm_client->proxy_sasl_ir);
+	subm_client->proxy_reply_status = 0;
+	subm_client->proxy_reply = NULL;
+}
+
+static void
+submission_proxy_send_failure_reply(struct submission_client *subm_client,
+				    enum login_proxy_failure_type type,
+				    const char *reason ATTR_UNUSED)
+{
+	struct smtp_server_cmd_ctx *cmd = subm_client->pending_auth;
+
+	switch (type) {
+	case LOGIN_PROXY_FAILURE_TYPE_CONNECT:
+	case LOGIN_PROXY_FAILURE_TYPE_INTERNAL:
+	case LOGIN_PROXY_FAILURE_TYPE_INTERNAL_CONFIG:
+	case LOGIN_PROXY_FAILURE_TYPE_REMOTE:
+	case LOGIN_PROXY_FAILURE_TYPE_REMOTE_CONFIG:
+	case LOGIN_PROXY_FAILURE_TYPE_PROTOCOL:
+		i_assert(cmd != NULL);
+		subm_client->pending_auth = NULL;
+		smtp_server_reply(cmd, 454, "4.7.0", LOGIN_PROXY_FAILURE_MSG);
+		break;
+	case LOGIN_PROXY_FAILURE_TYPE_AUTH_TEMPFAIL:
+		i_assert(cmd != NULL);
+		subm_client->pending_auth = NULL;
+
+		i_assert(subm_client->proxy_reply != NULL);
+		smtp_server_reply_submit(subm_client->proxy_reply);
+		break;
+	case LOGIN_PROXY_FAILURE_TYPE_AUTH:
+		/* reply was already sent */
+		i_assert(cmd == NULL);
+		break;
+	}
+}
+
+void submission_proxy_failed(struct client *client,
+			     enum login_proxy_failure_type type,
+			     const char *reason, bool reconnecting)
+{
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+
+	if (!reconnecting)
+		submission_proxy_send_failure_reply(subm_client, type, reason);
+	client_common_proxy_failed(client, type, reason, reconnecting);
+}
+
+const char *submission_proxy_get_state(struct client *client)
+{
+	struct submission_client *subm_client =
+		container_of(client, struct submission_client, common);
+
+	i_assert(subm_client->proxy_state < SUBMISSION_PROXY_STATE_COUNT);
+	return submission_proxy_state_names[subm_client->proxy_state];
+}
diff --git a/src/submission-login/submission-proxy.h b/src/submission-login/submission-proxy.h
new file mode 100644
index 0000000..19342cf
--- /dev/null
+++ b/src/submission-login/submission-proxy.h
@@ -0,0 +1,12 @@
+#ifndef SUBMISSION_PROXY_H
+#define SUBMISSION_PROXY_H
+
+void submission_proxy_reset(struct client *client);
+int submission_proxy_parse_line(struct client *client, const char *line);
+
+void submission_proxy_failed(struct client *client,
+			     enum login_proxy_failure_type type,
+			     const char *reason, bool reconnecting);
+const char *submission_proxy_get_state(struct client *client);
+
+#endif