I tried some more things, such as setting starttls=NULL or ssl=NULL, which does
the same as setting it to „no“. Interestingly, if I set ssl=NULL and don’t set
starttls at all, it still tries an SSL connection to the backend.
Is there no way to use starttls or ssl depending on a variable? It could also
be possible that I have starttls-backends and ssl-backends which would be a
similar use-case to my sieve-thing, I think.
Cheers,
Filias
> Am 17.09.2018 um 11:54 schrieb Filias Heidt :
>
> Hi List,
>
> I have a dovecot which proxies to different backends depending on an entry in
> a mysql-database. The mysql-query sets ‚ssl‘ to ‚any-cert‘ and this works
> fine. But this causes me a problem: sieve-backends only support STARTTLS and
> if I set ‚ssl‘ to ‚any-cert‘ (or yes), it will attempt a TLS-connection to
> the sieve-backends, which fails.
>
> My attempt was to alter the query to include %{real_lport} and return
> ‚ssl=no‘ and ‚starttls=any-cert‘ if the port matches the sieve-port. It works
> as expected in that it returns the correct values and proxies to the correct
> backend.
>
> However it seems that TLS is no longer working and I get timeouts from the
> backends.
>
> Debug: client passdb out: OK 1 user=someu...@example.com proxy
> proxy_nopipelining=yhost=backend1.example.com nodelay=y
> nologin starttls=no ssl=any-certhostip=so.me.i.ppass=
>
> results in:
> Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error:
> proxy(someu...@example.com): Login for so.me.i.p:993 timed out in state=/none
> (after 30 secs, local=lo.cal.i.p:60524): user=,
> method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS,
> session=
>
> My query looks like this:
> password_query = SELECT host from proxy_domain, NULL as password, 'y' as
> nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y' as
> nodelay, 'y' as nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as
> 'starttls', IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl‘;
>
> As soon as I remove the starttls-part and the passdb only returns
> ssl=any-cert (without starttls=no) it works flawlessly.
>
> Is it possible that I am attacking the problem the wrong way? Or is it not
> possible to set both starttls and ssl to some values in passdb and
> enable/disable them as needed?
>
> Thanks for any input :)
>
> Cheers,
> Filias