No way for stunnel to localhost!
TLS is required to protect the clear text password exchange from the client to the server side.
If both sides are bound to 127.0.0.1 tls is not required anymore.
Slapd can be configured for both cases. I’d expect Postfix allows the same.
One possible solution could be defining a dedicated smtpd instance listening on 127.0.0.1:587 (or another local ip?) with a specific option that allows clear text password exchange.
you stated this 
we could think for this later, I would like to start a P.O.C with a table with user account (address email with also pseudonym). We could have workable remote smtp, webtop5 and roundcubemail
What do you think ?
Ok let’s see a working prototype configuration for roundcube and postfix
Sorry it took a while, this is not my territory of expertise.
found this which en-lighted me:
I tend to agree with this, although i see the problem it’s hard to implement without breaking clients by closing one of the default smtp-ports (ie 25, 465, 587) with the firewall.
What about an extra custom port for postfix (ie 4465 ??) with localhost access restriction for PLAIN text login / auth ?
yes it is probably the only good solution, get another smtp service running on localhost with authentication but without TLS
I am not too much concerned now, this will be optional so we have time to think for it after
I not sure if another smtpd is a needed; just an extra listing port. Set the global setting to may (smtpd_tls_security_level=may) but enforce it on the default ports. restrict acces to the customport to 127.0.0.0/8 but do not enforce tls.
Pseudo config:
25 inet n - - - - smtpd
-o smtpd_tls_security_level=yes
-o smtpd_sasl_auth_enable=yes
4465 inet n - - - - smtpd
-o mynetworks=127.0.0.0/8
-o smtpd_tls_security_level=may
second PR, we are coming
I installed the PR RPM and I come with some questions
what is the expected behavior of a shared mailbox? If I can read (and modify?) a shared mailbox content, should I be allowed to send a message with its email address? For instance
user: first.user, member of grp1
shared mailbox: shmbx1, shared with grp1, email alias shared1@aliasdom.example.com
what is the expected behavior of an alias address with multiple recipients? Should be the recipients allowed to send a message with the alias? For instance
given email alias address sales@example.com expanded to first.user@example.com, second.user@example.com,
can second.user set sales@example.com as message sender?
# fully qualified aliases (address@domain)
master@dpnet.nethesis.it admin,admin@dpnet.nethesis.it,
shared2@dpnet.nethesis.it vmail+shmbx2,vmail+shmbx2,
# generic aliases expansion (address@)
chief@aliasdom.example.com admin,admin@dpnet.nethesis.it,
chief@dpnet.nethesis.it admin,admin@dpnet.nethesis.it,
external@aliasdom.example.com user.external,user.external@nethesis.it,
external@dpnet.nethesis.it user.external,user.external@nethesis.it,
info@aliasdom.example.com vmail+shmbx2,vmail+shmbx2,
info@dpnet.nethesis.it vmail+shmbx2,vmail+shmbx2,
postmaster@aliasdom.example.com root,root,
postmaster@dpnet.nethesis.it root,root,
shared1@aliasdom.example.com vmail+shmbx1,vmail+shmbx1,
shared1@dpnet.nethesis.it vmail+shmbx1,vmail+shmbx1,
@stephdl, my proposal for the implementation is
Account= values with a @domain suffix matching the machine domain. Other entries seem redundant (so question 2: yes)@domain suffix (as from your PR)Actually this is what I did
alias of an email :
steph@domain.com (first email) can send with steph@domain.org if we set this email as its alias, or any domain of the server if the alias exists for each domain.
alias for group of people
lets set group@domain.com (or group@) of three users, user1 user2 user3 for one domain or each domain of the server. Each member of this group can send with its email and the identity group@domain.com, group@domain.org (if domain.org exists on the server).
Obviously when the sender identity is enabled, you cannot anymore use an identity which is not relevant of /etc/postfix/login_maps and /etc/postfix/login_maps.pcre
For the sharedmailbox, I thought first that it is to receive email, and I did nothing, I probably missed to make a logic to exclude them of /etc/postfix/login_maps, even if it should not hurt.
To @all, do you see some missing feature for you, @saitobenkei what do you need more ?
On testing 
my PR is accepted 