Unfortunately, the requirement for this network is that the only pinhole 
through the firewall between the main relay and the mail server is IMAP. My 
thought was to ship a list of valid usernames to the imap relay that are 
allowed to connect, and that list would be constructed from inside the LAN and 
shipped to the DMZ via rsync.

I could set the default value of allow_nets and override it, but I am unsure 
how best to do that in my situation. Maybe if I use a passwd-file on the 
userdb, but keep the imap driver on the passdb?

aF

On 05/05/2014, at 4:24 PM, Jiri Bourek <bou...@thinline.cz> wrote:

> Is it possible to use backend's passdb on the relay server in your setup?
> 
> If you are - for example - using an SQL database as passdb on the backend, you 
> can access it from the relay server as well. Let's say you have a "relay_enabled" 
> column in the table of users, then you can use something like:
> 
> select ... from users where user = ... and relay_enabled = true
> 
> Users who are not permitted access from the internet will get an authentication 
> failure.
> 
> If your passdb can't be shared this way (unix accounts, passwd-file etc.), 
> this won't work of course. Maybe you can try to play around with allow_nets 
> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets), possibly 
> combined with login_trusted_networks on the backend.
> 
> The idea here is that your relay provides the user's real IP and you use the 
> allow_nets extra field to restrict access to your internal network only. Not 
> sure if this can work though, never tried.
> 
> 
> Alex Ferrara wrote:
>> Hi everyone,
>> 
>> I have a problem that hopefully has an easy solution.
>> 
>> I am setting up an IMAP proxy in a DMZ network. It will connect to
>> the real IMAP server and authenticate using "driver = imap", and this
>> I have working really nicely.
>> 
>> What I want to do is have it look up a list of users that are allowed
>> to connect through the proxy before proxying the connection, as not
>> all users with an account are permitted to access their email from
>> the internet. I thought that using a post-login script would get me
>> out of trouble, but it isn't possible in a relay configuration.
>> 
>> 
>> 
>> dovecot.conf
>> 
>> ## Dovecot configuration file
>> 
>> mail_uid = dovecot
>> mail_gid = dovecot
>> 
>> protocols = imap
>> 
>> listen = *, ::
>> 
>> passdb {
>>   driver = imap
>>   # IMAP server to authenticate against
>>   args = host=192.168.1.1
>>   # IMAP server to connect to for mailbox
>>   default_fields = proxy=yes host=192.168.1.1
>> }
>> userdb {
>>   driver = prefetch
>> }
>> 
>> auth_mechanisms = plain login
>> 
>> # This is the auth service used by Postfix to do dovecot auth.
>> service auth {
>>   unix_listener auth-userdb {
>>   }
>>   inet_listener {
>>     port = 12345
>>   }
>> }
>> 
>> ##
>> ## SSL settings
>> ##
>> 
>> # These will need to be adjusted to point to *your* certificates, not mine 8-)
>> # The ssl_ca line refers to the intermediate certificate bundle which may or
>> # may not be required by your SSL provider
>> 
>> ssl_cert = </etc/ssl/certs/mail.domain.com.au.pem
>> ssl_key = </etc/ssl/private/mail.domain.com.au.key
>> #ssl_ca = </etc/pki/tls/certs/ca.crt
>> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
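One way to enforce a per-user relay restriction on the DMZ proxy without sharing the backend passdb, as an added example that is not from this thread: Dovecot's documented deny passdb (`deny = yes` on a passwd-file) placed ahead of the imap passdb from the config above. It assumes the list generated on the LAN and rsynced to the DMZ is the complement of the allowlist (the users who may not connect from the internet) and lives at /etc/dovecot/deny-users, a path chosen for this example.

```conf
# /etc/dovecot/deny-users  (example path; built on the LAN, rsynced to the DMZ)
# passwd-file format is user:password:uid:gid:gecos:home:shell:extra_fields,
# but a deny passdb only looks at the username, so one name per line is enough:
#
#   bob
#   carol
#
# Dovecot re-reads a passwd-file when its mtime changes, so a replaced file
# takes effect on the next login without a reload.

# dovecot.conf on the relay: passdbs are tried in order. A user present in the
# deny file is refused immediately (user disabled) and no connection to the
# backend is made. Everyone else falls through to the imap passdb, which still
# verifies the password against 192.168.1.1 exactly as in the original config.
passdb {
  driver = passwd-file
  deny = yes
  args = /etc/dovecot/deny-users
}

passdb {
  driver = imap
  args = host=192.168.1.1
  default_fields = proxy=yes host=192.168.1.1
}

userdb {
  driver = prefetch
}
```

The effect can be checked on the relay with `doveadm auth test <user>`: a listed user fails before any backend lookup, an unlisted one is authenticated by the imap passdb as before.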
