Re: Using both starttls and ssl in passdb on proxy results in timeouts

2018-09-18 Thread Filias Heidt
I tried some more things, such as setting starttls=NULL or ssl=NULL, which does 
the same as setting it to "no". Interestingly, if I set ssl=NULL and don't set 
starttls at all, it still tries an SSL connection to the backend. 

Is there no way to use starttls or ssl depending on a variable? It could also 
be possible that I have STARTTLS backends and SSL backends, which would be a 
similar use case to my Sieve thing, I think.

Cheers,
Filias

> On 17.09.2018 at 11:54, Filias Heidt wrote:
> 
> Hi List,
> 
> I have a Dovecot which proxies to different backends depending on an entry in 
> a MySQL database. The MySQL query sets 'ssl' to 'any-cert' and this works 
> fine. But this causes me a problem: Sieve backends only support STARTTLS and 
> if I set 'ssl' to 'any-cert' (or yes), it will attempt a TLS connection to 
> the Sieve backends, which fails. 
> 
> My attempt was to alter the query to include %{real_lport} and return 
> 'ssl=no' and 'starttls=any-cert' if the port matches the Sieve port. It works 
> as expected in that it returns the correct values and proxies to the correct 
> backend. 
> 
> However it seems that TLS is no longer working and I get timeouts from the 
> backends.
> 
> Debug: client passdb out: OK 1 user=someu...@example.com proxy 
> proxy_nopipelining=y host=backend1.example.com nodelay=y 
> nologin starttls=no ssl=any-cert hostip=so.me.i.p pass=
> 
> results in:
> Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: 
> proxy(someu...@example.com): Login for so.me.i.p:993 timed out in state=/none 
> (after 30 secs, local=lo.cal.i.p:60524): user=, 
> method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS, 
> session=
> 
> My query looks like this:
> password_query = SELECT host, NULL as password, 'y' as nopassword, 'y' as proxy, 
> NULL as destuser, 'y' as proxy_nopipelining, 'y' as nodelay, 'y' as nologin, 
> IF(%{real_lport}=4190, 'any-cert', 'no') as starttls, 
> IF(%{real_lport}<>4190, 'any-cert', 'no') as ssl from proxy_domain;
> 
> As soon as I remove the starttls-part and the passdb only returns 
> ssl=any-cert (without starttls=no) it works flawlessly.
> 
> Is it possible that I am attacking the problem the wrong way? Or is it not 
> possible to set both starttls and ssl to some values in passdb and 
> enable/disable them as needed? 
> 
> Thanks for any input :)
> 
> Cheers,
> Filias



Using both starttls and ssl in passdb on proxy results in timeouts

2018-09-17 Thread Filias Heidt
Hi List,

I have a Dovecot which proxies to different backends depending on an entry in a 
MySQL database. The MySQL query sets 'ssl' to 'any-cert' and this works fine. 
But this causes me a problem: Sieve backends only support STARTTLS and if I set 
'ssl' to 'any-cert' (or yes), it will attempt a TLS connection to the 
Sieve backends, which fails. 

My attempt was to alter the query to include %{real_lport} and return 'ssl=no' 
and 'starttls=any-cert' if the port matches the Sieve port. It works as 
expected in that it returns the correct values and proxies to the correct 
backend. 

However it seems that TLS is no longer working and I get timeouts from the 
backends.

Debug: client passdb out: OK 1 user=someu...@example.com proxy 
proxy_nopipelining=y host=backend1.example.com nodelay=y nologin 
starttls=no ssl=any-cert hostip=so.me.i.p pass=

results in:
Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: 
proxy(someu...@example.com): Login for so.me.i.p:993 timed out in state=/none 
(after 30 secs, local=lo.cal.i.p:60524): user=, 
method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS, 
session=

My query looks like this:
password_query = SELECT host, NULL as password, 'y' as nopassword, 'y' as proxy, 
NULL as destuser, 'y' as proxy_nopipelining, 'y' as nodelay, 'y' as nologin, 
IF(%{real_lport}=4190, 'any-cert', 'no') as starttls, 
IF(%{real_lport}<>4190, 'any-cert', 'no') as ssl from proxy_domain;

As soon as I remove the starttls-part and the passdb only returns ssl=any-cert 
(without starttls=no) it works flawlessly.

Is it possible that I am attacking the problem the wrong way? Or is it not 
possible to set both starttls and ssl to some values in passdb and 
enable/disable them as needed? 

Thanks for any input :)

Cheers,
Filias
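
As an added example (not code from this thread or from Dovecot): a small Python audit that parses "client passdb out: OK ..." debug lines like the one quoted above into their key=value fields and reports what each reply asks the proxy to do for the backend connection. It flags the two things worth checking in a setup like this: both `ssl` and `starttls` keys returned for one backend (the case in the post, whatever their values), and `any-cert`, which tells the proxy to use TLS but accept whatever certificate the backend presents, so the backend is never authenticated. The sample log lines, hostnames and addresses are constructed after the format in the post.

```python
"""Audit the TLS-to-backend fields in Dovecot proxy passdb replies.

Added example for this thread; it is not code from the post or from Dovecot.
It parses the tab-separated "key=value" fields that Dovecot's auth debug log
prints after "client passdb out: OK <id>" and reports what they ask the proxy
to do for the backend connection. The sample lines are constructed after the
format in the post; hosts and addresses are placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed sample replies (not real log output). Line 1 mirrors the
# post's case: both starttls and ssl keys returned for the same backend.
SAMPLE_LINES = [
    "Debug: client passdb out: OK\t1\tuser=someuser@example.com\tproxy\t"
    "proxy_nopipelining=y\thost=backend1.example.com\tnodelay=y\tnologin\t"
    "starttls=no\tssl=any-cert\thostip=198.51.100.10\tpass=",
    "Debug: client passdb out: OK\t2\tuser=other@example.com\tproxy\t"
    "host=sieve1.example.com\tstarttls=yes\thostip=198.51.100.11\tpass=",
    "Debug: client passdb out: OK\t3\tuser=plain@example.com\tproxy\t"
    "host=backend2.example.com\thostip=198.51.100.12\tpass=",
]

# Tolerate tabs or runs of spaces between fields (copy/paste often
# collapses the tabs, as in the post).
PASSDB_OUT = re.compile(r"client passdb out:\s+OK\s+(\d+)\s+(.*)$")


def parse_passdb_reply(line):
    """Return (request_id, fields) for a 'client passdb out: OK' line, else None.

    Bare flags such as 'proxy' and 'nologin' map to ''; so does 'pass='.
    """
    m = PASSDB_OUT.search(line)
    if not m:
        return None
    fields = {}
    for item in re.split(r"\s+", m.group(2).strip()):
        key, _sep, value = item.partition("=")
        fields[key] = value
    return int(m.group(1)), fields


@dataclass
class TlsAudit:
    host: str
    mode: str               # "ssl", "starttls", "ssl+starttls" or "plaintext"
    cert_verified: bool     # False for plaintext and for any-cert
    findings: list = field(default_factory=list)


def audit_tls(fields):
    """Classify the proxy TLS settings requested by one passdb reply."""
    ssl = fields.get("ssl")
    starttls = fields.get("starttls")
    modes = []
    if ssl is not None and ssl != "no":
        modes.append("ssl")
    if starttls is not None and starttls != "no":
        modes.append("starttls")
    mode = "+".join(modes) if modes else "plaintext"

    findings = []
    if ssl is not None and starttls is not None:
        # The thread's case: two TLS directives for one backend, even if
        # one of them says "no".
        findings.append("both ssl and starttls keys returned "
                        f"(ssl={ssl!r}, starttls={starttls!r})")
    if "any-cert" in (ssl, starttls):
        # any-cert = use TLS but accept whatever certificate the backend
        # presents, so the backend is not authenticated.
        findings.append("any-cert: backend certificate is not verified")
    if mode == "plaintext":
        findings.append("no TLS to backend: credentials are forwarded in clear")

    cert_verified = mode != "plaintext" and "any-cert" not in (ssl, starttls)
    return TlsAudit(fields.get("host", "?"), mode, cert_verified, findings)


def audit_lines(lines):
    """Audit every passdb reply found in an iterable of log lines."""
    results = []
    for line in lines:
        parsed = parse_passdb_reply(line)
        if parsed is not None:
            request_id, fields = parsed
            results.append((request_id, audit_tls(fields)))
    return results


if __name__ == "__main__":
    for request_id, audit in audit_lines(SAMPLE_LINES):
        print(f"#{request_id} {audit.host}: mode={audit.mode} "
              f"cert_verified={audit.cert_verified}")
        for finding in audit.findings:
            print("   -", finding)
```

The audit only reports what the passdb reply asks for; it does not decide how Dovecot resolves a reply that carries both keys, which is the open question in the thread. Feed it `grep 'client passdb out' /var/log/dovecot-debug.log` (assumed log path) to check every proxied login rather than one pasted line.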