Hello list,
I am currently testing a setup for a PoC with this configuration:
- 1 x Frontend dovecot for proxying IMAP/POP3/LMTP/ManageSieve/Submission
- 2 x Backend dovecot with local mail storage
The frontend does the user authentication and communicates with the backends
using a master password.
The frontend accepts the PLAIN and LOGIN auth mechanisms and talks to the backends
using the PLAIN auth mechanism (with the master password).
This works very well, it's cool.
Then, I've added to this setup an existing mail server (running another
mailserver software) as a 3rd backend, and would like the frontend to also
proxy for this, but this time not using master password.
This is working for IMAP/POP3 when it uses PLAIN auth, but not for Submission.
The backend server in this case only accepts LOGIN auth and not PLAIN on port
587.
So I found out there is a field in the passdb we can add (proxy_mech), and I've
set it to LOGIN.
The frontend seems to now use LOGIN auth mech to talk to this 3rd backend, but
the authentication still fails.
According to the backend logs, it seems the dovecot proxy is now using LOGIN auth,
but sends garbage as username and/or password.
Also IMAP that was working when using PLAIN doesn't work anymore with LOGIN.
Might this be a bug, or shouldn't this setup be supported at all?
Passdb MySQL table on frontend:
mysql> describe users;
+-------------+--------------+------+-----+---------+-------+
| Field       | Type         | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------+-------+
| user        | varchar(255) | NO   | PRI | NULL    |       |
| domain      | varchar(255) | NO   | PRI | NULL    |       |
| password    | varchar(255) | YES  |     | NULL    |       |
| displayname | varchar(255) | YES  |     | NULL    |       |
| host        | varchar(16)  | NO   |     | NULL    |       |
| usemaster   | tinyint(1)   | NO   |     | 1       |       |
| proxy_mech  | varchar(20)  | YES  |     | NULL    |       |
| starttls    | varchar(20)  | YES  |     | NULL    |       |
+-------------+--------------+------+-----+---------+-------+
mailstore-01/02 are dovecot backends.
otherhost is the other mailserver I would also like to proxy through the dovecot
proxy.
+---------+-----------------+-----------------------------------------+----------------+--------------+-----------+------------+----------+
| user    | domain          | password                                | displayname    | host         | usemaster | proxy_mech | starttls |
+---------+-----------------+-----------------------------------------+----------------+--------------+-----------+------------+----------+
| user1   | somedomain.com  | {SHA512-CRYPT}<some_crypted_pass>       | Joe Black      | mailstore-01 |         1 | NULL       | NULL     |
| user2   | otherdomain.com | {SHA512-CRYPT}<some_crypted_pass>       | Mr. Smith      | mailstore-02 |         1 | NULL       | NULL     |
| user3   | area13.com      | NULL                                    | Donald Duck    | otherhost    |         0 | LOGIN      | any-cert |
| user4   | area13.com      | NULL                                    | Thanks Obama   | otherhost    |         0 | LOGIN      | any-cert |
+---------+-----------------+-----------------------------------------+----------------+--------------+-----------+------------+----------+
Passdb query (the `pass` field is built from the `password` column, which is the
only password column the table has):
password_query = \
  SELECT concat(user, '@', domain) AS user, password, host, 'Y' AS proxy, \
    IF(usemaster IS TRUE, 'supermasteruserl', NULL) AS master, \
    IF(usemaster IS TRUE, 'supermasterpassword', password) AS pass, \
    IF(usemaster IS FALSE, 'Y', NULL) AS nopassword, \
    proxy_mech, \
    starttls \
  FROM users WHERE user = '%n' AND domain = '%d'
Some questions I'm asking myself:
Is proxying using the LOGIN proxy_mech supported at all for authenticating on backends?
Is dovecot, when proxying to "otherhost", supposed to decode the original client auth
(using PLAIN) and translate it into the LOGIN format to authenticate with "otherhost"?
# otherhost port 587 log
Without specifying proxy_mech:
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] cmd: EHLO dovecotproxy.local.domain
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] rsp: 250-dovecotproxy.local.domain Hello [192.168.60.220]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] cmd: AUTH PLAIN <base64string>
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] rsp: 504 Unrecognized authentication type.
When using proxy_mech LOGIN:
[2019.09.20] 08:24:45.201 [192.168.60.220][24148464] cmd: AUTH LOGIN =
[2019.09.20] 08:24:45.201 [192.168.60.220][24148464] Exception: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
[2019.09.20] 08:24:45.201 [192.168.60.220][24148464] rsp: 535 Authentication failed
# otherhost port 143 log
Works without specifying proxy_mech.
When using proxy_mech LOGIN (fails):
[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] connected at 20.09.2019 03:37:20
[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] command: C CAPABILITY
[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] response: * CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN UIDPLUS QUOTA XLIST CHILDREN ENABLE IDLE STARTTLS
[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] response: C OK CAPABILITY completed
[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] command: L AUTHENTICATE LOGIN
[2019.09.20] 03:37:20.927 [192.168.60.220][26310645] disconnected at 20.09.2019 03:37:20
I hope I explained my setup so it's kinda understandable. I'm not good at
explaining things :)
Thank you for your help!
root@mailfront-01:~# dovecot --version
2.3.7.2 (3c910f64b)
Sébastien RICCIO
SYSTEM ADMINISTRATOR