Hello Sami, Thanks for the info. I have the following implemented and working.
I am only using the Director nodes to map users to the same backend server. I perform all auth and message delivery/retrieval on the backend servers.

Director Nodes:

    auth_master_user_separator = *

    passdb {
      driver = passwd-file
      args = /etc/dovecot/conf.d/lasso-master-user-password
      master = yes
      pass = yes
    }

    passdb {
      driver = static
      args = proxy=y nopassword=y password=doesnotmatter
    }

Backend Nodes:

    auth_master_user_separator = *

    passdb {
      driver = passwd-file
      args = /etc/dovecot/conf.d/master-user-password
      master = yes
      pass = yes
    }

    passdb {
      driver = sql
      args = /etc/dovecot/conf.d/sql.conf.ext
    }

    userdb {
      driver = sql
      args = /etc/dovecot/conf.d/sql.conf.ext
    }

    userdb {
      driver = prefetch
    }

I have read the docs that state configuring Director in this way can expose the service to issues if large amounts of unknown user requests are sent to the Director nodes. I can manage this risk by ensuring proper rate limiting is in place in the load balancers in front of Director nodes.

I would love to hear your thoughts on the configuration. Thanks in advance.

On Feb 16 2018, at 3:02 am, Sami Ketola <sami.ket...@dovecot.fi> wrote:

>> On 15 Feb 2018, at 22.16, Travis Dolan <travis.do...@gmail.com> wrote:
>>
>> It would look as though the changes have now negatively affected a "normal" user from logging in.
>>
>> telnet host 143
>> a login username password
>> a NO [AUTHENTICATIONFAILED] Authentication failed.
>>
>> telnet host 143
>> 1 login devteam*masteru...@example.com password
>> 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in
>>
>> What do you think?
>
> So your director is the first entry point where the end users connect?
>
> In that case your director should have passdb setup that verifies the user password and then
> switches the session to use master password when forwarding the connection to backend.
>
> Something like this in director:
>
> passdb {
>   driver = passwd-file
>   args = /data/mail.passwd
>   result_success = continue-ok
> }
>
> passdb {
>   driver = static
>   args = pass=masterpassword
>   skip = unauthenticated
> }
>
> and in backend:
>
> passdb {
>   driver = static
>   args = password=masterpassword
> }
>
> Sami
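The difference between the two director configurations in this thread comes down to one question: does the director verify the user's password before it proxies the session, or does it accept anything and leave verification to the backend? The following is an added example, not code from the thread or from Dovecot. It parses passdb blocks written one setting per line and walks the chain with a deliberately simplified model of Dovecot's behaviour (these are assumptions of the example, not a statement of Dovecot's exact logic): a `master = yes` passdb is only consulted for `user*master` logins and so does not verify an ordinary login; a static passdb with `nopassword=y` accepts any password; a passdb whose args contain `proxy=y` hands the session to the backend. The second sample is Sami's director snippet with `proxy=y` added to the static passdb, since the snippet in the reply omits the proxy setting a director needs.

```python
"""Added example: a small checker for the passdb chain of a Dovecot director.
Not Dovecot code; the semantics below are a simplified model (see lead-in)."""
import re
from dataclasses import dataclass, field

# Constructed sample 1: transcribed from the director config in the thread.
# Ordinary logins skip the master passdb and land on a static passdb that
# accepts any password and proxies the session.
DIRECTOR_ACCEPT_ANY = """
auth_master_user_separator = *
passdb {
  driver = passwd-file
  args = /etc/dovecot/conf.d/lasso-master-user-password
  master = yes
  pass = yes
}
passdb {
  driver = static
  args = proxy=y nopassword=y password=doesnotmatter
}
"""

# Constructed sample 2: Sami's suggestion, with proxy=y added (assumption) so
# that the comparison with sample 1 is like for like.
DIRECTOR_VERIFY_FIRST = """
passdb {
  driver = passwd-file
  args = /data/mail.passwd
  result_success = continue-ok
}
passdb {
  driver = static
  args = pass=masterpassword proxy=y
  skip = unauthenticated
}
"""


@dataclass
class Passdb:
    driver: str = ""
    args: dict = field(default_factory=dict)      # key=value tokens from "args ="
    settings: dict = field(default_factory=dict)  # every other setting in the block

    @property
    def is_master(self):
        return self.settings.get("master") == "yes"

    @property
    def proxies(self):
        return self.args.get("proxy") == "y"

    @property
    def verifies_password(self):
        """Simplified model: would this passdb check an ordinary user's password?"""
        if self.is_master:
            return False  # only consulted for user*master logins
        if self.driver == "static" and self.args.get("nopassword") == "y":
            return False  # static + nopassword=y accepts anything
        return True


def parse_passdbs(text):
    """Extract passdb { ... } blocks (one setting per line) from config text."""
    dbs = []
    for body in re.findall(r"passdb\s*\{([^}]*)\}", text):
        db = Passdb()
        for line in body.splitlines():
            line = line.strip()
            if not line or "=" not in line:
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "driver":
                db.driver = value
            elif key == "args":
                for token in value.split():       # e.g. proxy=y nopassword=y
                    k, _, v = token.partition("=")
                    db.args[k] = v                # a bare path becomes {"/path": ""}
            else:
                db.settings[key] = value
        dbs.append(db)
    return dbs


def unverified_proxy(text):
    """True if an ordinary login reaches a proxying passdb before any passdb
    in the chain has verified its password."""
    verified = False
    for db in parse_passdbs(text):
        if db.verifies_password:
            verified = True
        if db.proxies and not verified:
            return True
    return False


if __name__ == "__main__":
    for name, cfg in (("accept-any director", DIRECTOR_ACCEPT_ANY),
                      ("verify-first director", DIRECTOR_VERIFY_FIRST)):
        print(f"{name}: proxies unverified logins = {unverified_proxy(cfg)}")
```

Run stand-alone it reports `True` for the first configuration and `False` for the second, which is the property behind the documented warning about unknown-user floods: in the first layout every username sent to the director, valid or not, is accepted and forwarded, so the only thing standing between an anonymous source and the backend auth path is whatever rate limiting sits in front of the director.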
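Travis plans to manage the unknown-user risk with rate limiting in the load balancers. Whatever the limiter does, the director's own `imap-login` log is where a flood of bogus usernames shows up, and it is worth being able to spot one after the fact. The following is an added example, not code from the thread or from Dovecot: it parses the `Disconnected (auth failed, N attempts in M secs)` lines that `imap-login` writes, keeps a sliding window of failures per remote IP (`rip=`), and flags sources that either fail too often or cycle through too many distinct usernames in that window, the latter being the signature of an unknown-user flood rather than a single user mistyping a password. The log lines, the hostname `dir1`, the year (syslog timestamps carry none) and the thresholds are constructed for the example.

```python
"""Added example: flag sources of auth-failure floods in Dovecot imap-login logs.
Not Dovecot code; the sample log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log excerpt in the shape of Dovecot's imap-login messages.
# 198.51.100.5 is one user failing once, twice, minutes apart; 203.0.113.7
# cycles through six different usernames within twenty seconds.
SAMPLE_LOG = """
Feb 16 03:02:01 dir1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.5, lip=192.0.2.10, TLS, session=<s1>
Feb 16 03:02:05 dir1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<guest01>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<s2>
Feb 16 03:02:09 dir1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<guest02>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<s3>
Feb 16 03:02:13 dir1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<guest03>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<s4>
Feb 16 03:02:17 dir1 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 3 secs): user=<guest04>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<s5>
Feb 16 03:02:21 dir1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<guest05>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<s6>
Feb 16 03:02:25 dir1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<guest06>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<s7>
Feb 16 03:03:40 dir1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.9, lip=192.0.2.10, TLS, session=<s8>
Feb 16 03:05:00 dir1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.5, lip=192.0.2.10, TLS, session=<s9>
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: "
    r"Disconnected \(auth failed, (?P<n>\d+) attempts? in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,]+)"
)


def parse_line(line, year=2018):
    """Return (timestamp, rip, user, failed_attempts) or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rip"], m["user"], int(m["n"])


def flag_sources(lines, window_secs=60, max_failures=5, max_users=3, year=2018):
    """Sliding-window count of auth failures per remote IP.

    Returns {rip: {"failures": worst_count, "users": worst_distinct_users}}
    for every source that, within any window_secs span, reached max_failures
    failed attempts or tried max_users distinct usernames."""
    recent = defaultdict(deque)   # rip -> deque of (ts, user, attempts)
    flagged = {}
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, rip, user, n = rec
        q = recent[rip]
        q.append((ts, user, n))
        while (ts - q[0][0]).total_seconds() > window_secs:
            q.popleft()               # drop events that fell out of the window
        failures = sum(a for _, _, a in q)
        users = {u for _, u, _ in q}
        if failures >= max_failures or len(users) >= max_users:
            prev = flagged.get(rip, {"failures": 0, "users": 0})
            flagged[rip] = {"failures": max(prev["failures"], failures),
                            "users": max(prev["users"], len(users))}
    return flagged


if __name__ == "__main__":
    for rip, stats in flag_sources(SAMPLE_LINES).items():
        print(f"{rip}: {stats['failures']} failures, "
              f"{stats['users']} distinct users within 60s")
```

On the sample it flags only `203.0.113.7` (7 failed attempts across 6 usernames within one window); `alice`'s two failures are three minutes apart and never accumulate. The `users` count is the one to watch in Travis's layout, because a director that accepts any username will happily create a mapping for each of them, which is exactly the condition the documentation warns about.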