Re: [Dovecot] Dovecot proxy

2014-05-05 Thread Alex Ferrara
Unfortunately, the requirement for this network is that the only pinhole 
through the firewall between the main relay and the mail server is IMAP. My 
thought was to ship a list of valid usernames to the imap relay that are 
allowed to connect, and that list would be constructed from inside the LAN and 
shipped to the DMZ via rsync.

I could set the default value of allow_nets and override it, but I am unsure 
how best to do that in my situation. Maybe if I use a passwd-file on the 
userdb, but keep the imap driver on the passdb?

aF

On 05/05/2014, at 4:24 PM, Jiri Bourek  wrote:

> Is it possible to use backend's passdb on the relay server in your setup?
> 
> If you are - for example - using SQL database as passdb on the backend, you 
> can access it from relay server as well. Let's say you have "relay_enabled" 
> column in the table of users, then you can use something like:
> 
> select ... from users where user = ... and relay_enabled = true
> 
> Users, who are not permitted access from internet, will get authentication 
> failure
> 
> If your passdb can't be shared this way (unix accounts, passwd-file etc.), 
> this won't work of course. Maybe you can try to play around allow_nets 
> (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets), possibly 
> combined with login_trusted_networks on backend
> 
> The idea here is that your relay provides user's real IP and you use 
> allow_nets extra field to restrict access to your internal network only. Not 
> sure if this can work though, never tried.
> 
> 
> Alex Ferrara wrote:
>> Hi everyone,
>> 
>> I have a problem that hopefully has an easy solution.
>> 
>> I am setting up an IMAP proxy in a DMZ network. It will connect to
>> the real IMAP server and authenticate using "driver = imap", and this
>> I have working really nicely.
>> 
>> What I want to do is have it look up a list of users that are allowed
>> to connect through the proxy before proxying the connection, as not
>> all users with an account are permitted to access their email from
>> the internet. I thought that using a post-login script would get me
>> out of trouble, but it isn't possible in a relay configuration.
>> 
>> 
>> 
>> dovecot.conf
>> 
>> ## Dovecot configuration file
>> 
>> mail_uid = dovecot
>> mail_gid = dovecot
>> 
>> protocols = imap
>> 
>> listen = *, ::
>> 
>> passdb {
>>   driver = imap
>>   # IMAP server to authenticate against
>>   args = host=192.168.1.1
>>   # IMAP server to connect to for mailbox
>>   default_fields = proxy=yes host=192.168.1.1
>> }
>> userdb {
>>   driver = prefetch
>> }
>> 
>> auth_mechanisms = plain login
>> 
>> # This is the auth service used by Postfix to do dovecot auth.
>> service auth {
>>   unix_listener auth-userdb {
>>   }
>>   inet_listener {
>>     port = 12345
>>   }
>> }
>> 
>> ##
>> ## SSL settings
>> ##
>> 
>> # These will need to be adjusted to point to *your* certificates, not mine 8-)
>> # The ssl_ca line refers to the intermediate certificate bundle which may or
>> # may not be required by your SSL provider
>> 
>> ssl_cert => => => ALL:!LOW:!SSLv2:!EXP:!aNULL


Re: [Dovecot] Dovecot proxy

2014-05-04 Thread Jiri Bourek

Is it possible to use backend's passdb on the relay server in your setup?

If you are - for example - using SQL database as passdb on the backend, 
you can access it from relay server as well. Let's say you have 
"relay_enabled" column in the table of users, then you can use something 
like:


select ... from users where user = ... and relay_enabled = true

Users, who are not permitted access from internet, will get 
authentication failure


If your passdb can't be shared this way (unix accounts, passwd-file 
etc.), this won't work of course. Maybe you can try to play around 
allow_nets 
(http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets), 
possibly combined with login_trusted_networks on backend


The idea here is that your relay provides user's real IP and you use 
allow_nets extra field to restrict access to your internal network only. 
Not sure if this can work though, never tried.



Alex Ferrara wrote:

Hi everyone,

I have a problem that hopefully has an easy solution.

I am setting up an IMAP proxy in a DMZ network. It will connect to
the real IMAP server and authenticate using "driver = imap", and this
I have working really nicely.

What I want to do is have it look up a list of users that are allowed
to connect through the proxy before proxying the connection, as not
all users with an account are permitted to access their email from
the internet. I thought that using a post-login script would get me
out of trouble, but it isn't possible in a relay configuration.



dovecot.conf

## Dovecot configuration file

mail_uid = dovecot
mail_gid = dovecot

protocols = imap

listen = *, ::

passdb {
  driver = imap
  # IMAP server to authenticate against
  args = host=192.168.1.1
  # IMAP server to connect to for mailbox
  default_fields = proxy=yes host=192.168.1.1
}
userdb {
  driver = prefetch
}

auth_mechanisms = plain login

# This is the auth service used by Postfix to do dovecot auth.
service auth {
  unix_listener auth-userdb {
  }
  inet_listener {
    port = 12345
  }
}

##
## SSL settings
##

# These will need to be adjusted to point to *your* certificates, not mine 8-)
# The ssl_ca line refers to the intermediate certificate bundle which may or
# may not be required by your SSL provider

ssl_cert =

[Dovecot] Dovecot proxy

2014-05-04 Thread Alex Ferrara
Hi everyone,

I have a problem that hopefully has an easy solution.

I am setting up an IMAP proxy in a DMZ network. It will connect to the real 
IMAP server and authenticate using "driver = imap", and this I have working 
really nicely. 

What I want to do is have it look up a list of users that are allowed to 
connect through the proxy before proxying the connection, as not all users with 
an account are permitted to access their email from the internet. I thought 
that using a post-login script would get me out of trouble, but it isn't 
possible in a relay configuration.



dovecot.conf

## Dovecot configuration file

mail_uid = dovecot
mail_gid = dovecot

protocols = imap

listen = *, ::

passdb {
  driver = imap
  # IMAP server to authenticate against
  args = host=192.168.1.1
  # IMAP server to connect to for mailbox
  default_fields = proxy=yes host=192.168.1.1
}
userdb {
  driver = prefetch
}

auth_mechanisms = plain login

# This is the auth service used by Postfix to do dovecot auth.
service auth {
  unix_listener auth-userdb {
  }
  inet_listener {
    port = 12345
  }
}

##
## SSL settings
##

# These will need to be adjusted to point to *your* certificates, not mine 8-)
# The ssl_ca line refers to the intermediate certificate bundle which may or
# may not be required by your SSL provider

ssl_cert = 

Re: [Dovecot] Dovecot proxy and Postfix SASL

2013-12-17 Thread Andreas Kasenides

To be fair on this: The main driver behind this is security and having
front end systems in a DMZ with only minimal (if any) access to the back
end servers.
Of course saslauthd will need SOME access to the remote (back-end) IMAP
(one IP port?).
But this can also be accomplished by having the front end Postfix
authenticate on the Dovecot back-end by setting it up to talk to the auth
process via an ip-listener ALSO on just one IP port.
Does this make sense? Am I missing something?

Andreas

On 17-12-2013 14:48, Andreas Kasenides wrote:
Can somebody please verify that currently (v 2.2.9) SMTP AUTH using SASL
from Postfix with Dovecot proxy is still not supported as discussed in
these threads (especially the first one)?

http://www.dovecot.org/list/dovecot/2012-August/067977.html
http://www.dovecot.org/list/dovecot/2011-May/059107.html

As I understand it is possible to use saslauthd to do this by using the
remote imap option (rimap). Such a facility is important since I am
attempting to separate the outward facing servers (dovecot proxy, postfix
relay) that have no knowledge of user databases from the backends.

thanx
Andreas


[Dovecot] Dovecot proxy and Postfix SASL

2013-12-17 Thread Andreas Kasenides

Can somebody please verify that currently (v 2.2.9) SMTP AUTH using SASL
from Postfix with Dovecot proxy is still not supported as discussed in
these threads (especially the first one)?

http://www.dovecot.org/list/dovecot/2012-August/067977.html
http://www.dovecot.org/list/dovecot/2011-May/059107.html

As I understand it is possible to use saslauthd to do this by using the
remote imap option (rimap). Such a facility is important since I am
attempting to separate the outward facing servers (dovecot proxy, postfix
relay) that have no knowledge of user databases from the backends.

thanx
Andreas




Re: [Dovecot] Dovecot proxy hooks

2013-10-26 Thread Timo Sirainen
On 14.10.2013, at 21.22, d...@getodata.ro wrote:

> I am interested in the possibility of using Dovecot IMAP/POP proxying 
> capabilities to analyze emails that are passing through and possibly modify 
> content on the fly. This subject has been discussed here [1] before.
> I have tried the mail-filter plugin [2], but the hooks it uses are only 
> called in a non-proxy setup.
> 
> Is there a practical way of doing this, or plans to add such a feature?
> 
> Links:
> [1]: http://dovecot.org/list/dovecot/2006-February/011704.html
> [2]: http://www.dovecot.org/patches/2.2/mail-filter.tar.gz

You can’t use the simple proxying feature for this. If you modify the mail 
content, it would require modifying quite a lot of different command outputs 
and there’s no way a proxy could do it without more or less reimplementing half 
of the IMAP server functionality. But what you could do is to use the imapc 
backend and the mail-filter.



[Dovecot] Dovecot proxy hooks

2013-10-14 Thread dac
I am interested in the possibility of using Dovecot IMAP/POP proxying 
capabilities to analyze emails that are passing through and possibly 
modify content on the fly. This subject has been discussed here [1] 
before.
I have tried the mail-filter plugin [2], but the hooks it uses are only 
called in a non-proxy setup.


Is there a practical way of doing this, or plans to add such a feature?

Links:
[1]: http://dovecot.org/list/dovecot/2006-February/011704.html
[2]: http://www.dovecot.org/patches/2.2/mail-filter.tar.gz



Re: [Dovecot] Dovecot proxy to Microsoft Exchange 2013

2013-08-28 Thread Ricardo Machini Barbosa

Hello Timo,

I tried to compile this patch again on version 2.2.5 and I got the same 
error:


imap-proxy.c: In function ‘proxy_write_login’:
imap-proxy.c:95: error: ‘struct client’ has no member named ‘pre_proxy_auth’

imap-proxy.c: In function ‘imap_proxy_parse_line’:
imap-proxy.c:216: error: ‘struct client’ has no member named ‘proxy_banner’
imap-proxy.c:287: error: ‘struct client’ has no member named ‘post_proxy_auth’


Thanks,
Ricardo Machini

On 25/06/2013 01:23, Ricardo Machini Barbosa wrote:

Timo, thanks for your help.

But I can't compile with this patch:

imap-proxy.c: In function ‘proxy_write_login’:
imap-proxy.c:95: error: ‘struct client’ has no member named ‘pre_proxy_auth’

imap-proxy.c: In function ‘imap_proxy_parse_line’:
imap-proxy.c:217: error: ‘struct client’ has no member named ‘proxy_banner’
imap-proxy.c:288: error: ‘struct client’ has no member named ‘post_proxy_auth’



On 24/06/2013 19:22, Timo Sirainen wrote:

On Mon, 2013-06-24 at 23:40 +0300, Timo Sirainen wrote:

Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets 
fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached 
patch on top of that? If it works, I'll commit that patch too.

Attached another patch that doesn't crash on successful logins :)







Re: [Dovecot] Dovecot proxy to Microsoft Exchange 2013

2013-06-25 Thread Charles Marcus
I'm wondering if this could have anything to do with how Exchange 2013 
broke recipient verification?


Discussed recently on the postfix list:

http://postfix.1071664.n5.nabble.com/Semi-OT-Exchange-2013-SMTP-Callout-td58922.html

In that thread there is this link to a Technet discussion:

http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/91c26fd2-aa0c-4006-9326-ece609bf4f67/



On 2013-06-25 6:52 AM, Timo Sirainen  wrote:

On 25.6.2013, at 13.36, Jerry  wrote:


On Mon, 24 Jun 2013 23:40:57 +0300
Timo Sirainen articulated:


Looks like Exchange 2013 IMAP has broken command pipelining :( See if
it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9
and the attached patch on top of that? If it works, I'll commit that
patch too.

Timo, I have not really been following this thread very closely, so I
am not quite sure what the problem is exactly. I have a friend who has
a friend who has input on Microsoft Exchange development. If you could
supply me, perhaps off list if you desire, specifics of exactly what
you believe Microsoft Exchange 2013 is doing incorrectly, I could
forward this information on. You would need to be quite specific
though. Generalizations would not be of any use.

Looking at the first mail in this thread, it looks like when Dovecot sends 
within one TCP packet:

C CAPABILITY
L LOGIN "u...@domain.com.br" "123456"

Exchange replies only to the CAPABILITY command with:

* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN STARTTLS UIDPLUS CHILDREN IDLE 
NAMESPACE LITERAL+
C OK CAPABILITY completed.

Then the session gets stuck, because Dovecot doesn't send anything, only 
expects Exchange to also handle the LOGIN command, but it's not doing that, 
most likely because it didn't think that two commands could be within a single 
TCP packet.





--

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax




Re: [Dovecot] Dovecot proxy to Microsoft Exchange 2013

2013-06-25 Thread Timo Sirainen
On 25.6.2013, at 13.36, Jerry  wrote:

> On Mon, 24 Jun 2013 23:40:57 +0300
> Timo Sirainen articulated:
> 
>> Looks like Exchange 2013 IMAP has broken command pipelining :( See if
>> it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9
>> and the attached patch on top of that? If it works, I'll commit that
>> patch too.
> 
> Timo, I have not really been following this thread very closely, so I
> am not quite sure what the problem is exactly. I have a friend who has
> a friend who has input on Microsoft Exchange development. If you could
> supply me, perhaps off list if you desire, specifics of exactly what
> you believe Microsoft Exchange 2013 is doing incorrectly, I could
> forward this information on. You would need to be quite specific
> though. Generalizations would not be of any use.

Looking at the first mail in this thread, it looks like when Dovecot sends 
within one TCP packet:

C CAPABILITY
L LOGIN "u...@domain.com.br" "123456"

Exchange replies only to the CAPABILITY command with:

* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN STARTTLS UIDPLUS CHILDREN IDLE 
NAMESPACE LITERAL+
C OK CAPABILITY completed.

Then the session gets stuck, because Dovecot doesn't send anything, only 
expects Exchange to also handle the LOGIN command, but it's not doing that, 
most likely because it didn't think that two commands could be within a single 
TCP packet.
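
The failure described above, modelled as an added example (not Dovecot or Exchange code; Exchange's internals are not known, so `naive_on_read` only models the suspected behaviour): a server that treats each TCP read as one command handles only `C CAPABILITY`, while a line-buffering reader handles both commands however the bytes are split. The sample bytes and credentials are constructed, and IMAP literals are ignored.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CMDS 8
#define TAG_LEN  16

/* Constructed sample: both proxy commands arriving in a single read(). */
static const char PIPELINED[] =
    "C CAPABILITY\r\n"
    "L LOGIN \"user@example.com\" \"secret\"\r\n";

/* Tags of the commands a server got around to handling, in order. */
struct handled {
    char tags[MAX_CMDS][TAG_LEN];
    size_t count;
};

/* Record the tag (text before the first space) of one command line. */
static void handle_command(struct handled *h, const char *line, size_t len)
{
    size_t i = 0;

    if (h->count == MAX_CMDS)
        return;
    while (i < len && i < TAG_LEN - 1 && line[i] != ' ') {
        h->tags[h->count][i] = line[i];
        i++;
    }
    h->tags[h->count][i] = '\0';
    h->count++;
}

/* Return a pointer to the first CRLF in buf[0..len), or NULL. */
static const char *find_crlf(const char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            return buf + i;
    return NULL;
}

/* Broken model: one read() is assumed to carry exactly one command,
 * so everything after the first CRLF is silently dropped. */
static void naive_on_read(struct handled *h, const char *chunk, size_t n)
{
    const char *eol = find_crlf(chunk, n);

    if (eol != NULL)
        handle_command(h, chunk, (size_t)(eol - chunk));
}

/* Correct model: bytes accumulate across reads and every complete line
 * is handled, whether reads carry half a command or several. */
struct line_reader {
    char buf[1024];
    size_t used;
};

static int reader_on_read(struct line_reader *r, struct handled *h,
                          const char *chunk, size_t n)
{
    const char *eol;

    if (n > sizeof(r->buf) - r->used)
        return -1; /* over-long line: a real server would reject it */
    memcpy(r->buf + r->used, chunk, n);
    r->used += n;
    while ((eol = find_crlf(r->buf, r->used)) != NULL) {
        size_t line_len = (size_t)(eol - r->buf);
        size_t consumed = line_len + 2; /* the line plus its CRLF */

        handle_command(h, r->buf, line_len);
        memmove(r->buf, r->buf + consumed, r->used - consumed);
        r->used -= consumed;
    }
    return 0;
}

/* Feed a sequence of reads to each model; return commands handled. */
static size_t run_naive(const char *const chunks[], size_t n, struct handled *h)
{
    memset(h, 0, sizeof(*h));
    for (size_t i = 0; i < n; i++)
        naive_on_read(h, chunks[i], strlen(chunks[i]));
    return h->count;
}

static size_t run_buffered(const char *const chunks[], size_t n, struct handled *h)
{
    struct line_reader r = { .used = 0 };

    memset(h, 0, sizeof(*h));
    for (size_t i = 0; i < n; i++)
        if (reader_on_read(&r, h, chunks[i], strlen(chunks[i])) < 0)
            break;
    return h->count;
}

int main(void)
{
    const char *const reads[] = { PIPELINED };
    struct handled h;

    printf("naive:    %zu command(s) handled\n", run_naive(reads, 1, &h));
    printf("buffered: %zu command(s) handled\n", run_buffered(reads, 1, &h));
    return 0;
}
```

With the naive model the `L` command is never seen, which matches the proxy waiting for a LOGIN reply until its timeout.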



Re: [Dovecot] Dovecot proxy to Microsoft Exchange 2013

2013-06-25 Thread Jerry
On Mon, 24 Jun 2013 23:40:57 +0300
Timo Sirainen articulated:

> Looks like Exchange 2013 IMAP has broken command pipelining :( See if
> it gets fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9
> and the attached patch on top of that? If it works, I'll commit that
> patch too.

Timo, I have not really been following this thread very closely, so I
am not quite sure what the problem is exactly. I have a friend who has
a friend who has input on Microsoft Exchange development. If you could
supply me, perhaps off list if you desire, specifics of exactly what
you believe Microsoft Exchange 2013 is doing incorrectly, I could
forward this information on. You would need to be quite specific
though. Generalizations would not be of any use.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.


Re: [Dovecot] Dovecot proxy to Microsoft Exchange 2013

2013-06-24 Thread Ricardo Machini Barbosa

Timo, thanks for your help.

But I can't compile with this patch:

imap-proxy.c: In function ‘proxy_write_login’:
imap-proxy.c:95: error: ‘struct client’ has no member named ‘pre_proxy_auth’

imap-proxy.c: In function ‘imap_proxy_parse_line’:
imap-proxy.c:217: error: ‘struct client’ has no member named ‘proxy_banner’
imap-proxy.c:288: error: ‘struct client’ has no member named ‘post_proxy_auth’



On 24/06/2013 19:22, Timo Sirainen wrote:

On Mon, 2013-06-24 at 23:40 +0300, Timo Sirainen wrote:

Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets 
fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached 
patch on top of that? If it works, I'll commit that patch too.

Attached another patch that doesn't crash on successful logins :)





Re: [Dovecot] Dovecot proxy to Microsoft Exchange 2013

2013-06-24 Thread Timo Sirainen
On Mon, 2013-06-24 at 23:40 +0300, Timo Sirainen wrote:
> Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets 
> fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached 
> patch on top of that? If it works, I'll commit that patch too.

Attached another patch that doesn't crash on successful logins :)

diff -r f68a955f4c5c src/imap-login/client.h
--- a/src/imap-login/client.h	Tue Jun 25 00:10:39 2013 +0300
+++ b/src/imap-login/client.h	Tue Jun 25 01:21:15 2013 +0300
@@ -19,6 +19,7 @@
 	unsigned int cmd_finished:1;
 	unsigned int proxy_sasl_ir:1;
 	unsigned int proxy_seen_banner:1;
+	unsigned int proxy_no_pipelining:1;
 	unsigned int skip_line:1;
 	unsigned int id_logged:1;
 	unsigned int client_ignores_capability_resp_code:1;
diff -r f68a955f4c5c src/imap-login/imap-proxy.c
--- a/src/imap-login/imap-proxy.c	Tue Jun 25 00:10:39 2013 +0300
+++ b/src/imap-login/imap-proxy.c	Tue Jun 25 01:21:15 2013 +0300
@@ -63,8 +63,12 @@
 	unsigned int len;
 	const char *mech_name, *error;
 
-	if (client->proxy_backend_capability == NULL)
+	if (client->proxy_backend_capability == NULL &&
+	client->common.proxy_state != IMAP_PROXY_STATE_CAPABILITY) {
 		str_append(str, "C CAPABILITY\r\n");
+		if (client->proxy_no_pipelining)
+			return 0;
+	}
 
 	if (client->common.proxy_mech == NULL) {
 		/* logging in normally - use LOGIN command */
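Review bot: the early `return 0` under `if (client->proxy_no_pipelining)` returns a value that the `< 0` check in the caller (last hunk) treats as success, so nothing at this point shows that only `C CAPABILITY` was queued and the LOGIN/AUTHENTICATE is deferred. Add a comment here saying the login is written later, when the `C ` reply arrives, and that the new `proxy_state != IMAP_PROXY_STATE_CAPABILITY` test is what keeps the second call from queueing CAPABILITY again.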
@@ -88,6 +92,7 @@
 		sasl_client_new(client->common.proxy_mech, &sasl_set);
 	mech_name = sasl_client_mech_get_name(client->common.proxy_mech);
 
+	client->common.pre_proxy_auth = ioloop_timeval;
 	str_append(str, "L AUTHENTICATE ");
 	str_append(str, mech_name);
 	if (client->proxy_sasl_ir) {
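Review bot: `client->common.pre_proxy_auth` is assigned here but no hunk in this patch declares it; the client.h hunk adds only `proxy_no_pipelining`. The same holds for `client->proxy_banner` and `client->post_proxy_auth` in the later hunks, and these are the three members named in the compile errors reported elsewhere in this thread. The timestamp assignments look unrelated to the pipelining workaround, so either drop them or include the header change that declares them.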
@@ -122,6 +127,11 @@
 			str_sanitize(line, 160)));
 		return -1;
 	}
+	if (strstr(line, "Microsoft Exchange") != NULL) {
+		/* Exchange 2013 hangs if we send the CAPABILITY pipelined
+		   with LOGIN */
+		client->proxy_no_pipelining = TRUE;
+	}
 
 	str = t_str_new(128);
 	if (strncmp(line + 5, "[CAPABILITY ", 12) == 0) {
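Review bot: the `strstr(line, "Microsoft Exchange")` test keys the workaround on banner text, so pipelining is turned off for every backend whose banner contains that string, not only Exchange 2013, and it has no effect if the banner text differs. The comment should say the match is intentionally broad, or the behaviour could be driven by an explicit setting instead of the banner.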
@@ -203,6 +213,7 @@
 	output = login_proxy_get_ostream(client->login_proxy);
 	if (!imap_client->proxy_seen_banner) {
 		/* this is a banner */
+		client->proxy_banner = ioloop_timeval;
 		client->proxy_state = IMAP_PROXY_STATE_BANNER;
 		imap_client->proxy_seen_banner = TRUE;
 		if (proxy_input_banner(imap_client, output, line) < 0) {
@@ -270,9 +281,10 @@
 			return -1;
 		}
 		o_stream_nsend(output, str_data(str), str_len(str));
-		return 1;
+		return 0;
 	} else if (strncmp(line, "L OK ", 5) == 0) {
 		/* Login successful. Send this line to client. */
+		client->post_proxy_auth = ioloop_timeval;
 		client->proxy_state = IMAP_PROXY_STATE_LOGIN;
 		str = t_str_new(128);
 		client_send_login_reply(imap_client, str, line + 5);
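Review bot: the change from `return 1` to `return 0` after `o_stream_nsend()` alters what this branch reports to its caller, and nothing in the hunk says what the two values mean. Add a one-line comment stating why 0 is the right value here; the message accompanying the patch mentions a crash fix without saying which change it is.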
@@ -328,6 +340,14 @@
 	} else if (strncmp(line, "C ", 2) == 0) {
 		/* Reply to CAPABILITY command we sent, ignore it */
 		client->proxy_state = IMAP_PROXY_STATE_CAPABILITY;
+		if (imap_client->proxy_no_pipelining) {
+			str = t_str_new(128);
+			if (proxy_write_login(imap_client, str) < 0) {
+client_proxy_failed(client, TRUE);
+return -1;
+			}
+			o_stream_nsend(output, str_data(str), str_len(str));
+		}
 		return 0;
 	} else if (strncasecmp(line, "I ", 2) == 0 ||
 		   strncasecmp(line, "* ID ", 5) == 0) {
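Review bot: in the new `if (imap_client->proxy_no_pipelining)` block the login is written for any line that starts with `C `, without checking that the tagged reply is `C OK`. If the backend answers the CAPABILITY command with NO or BAD, the credentials are still sent; either check the status before calling `proxy_write_login()` or state in the comment that this is intended.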


Re: [Dovecot] Dovecot proxy to Microsoft Exchange 2013

2013-06-24 Thread Timo Sirainen
On 19.6.2013, at 20.54, Ricardo Machini Barbosa  
wrote:

> I am trying to do a proxy with dovecot to IMAP backend server that are using 
> Microsoft Exchange 2013.
> I already did this with Microsoft Exchange 2007 and Microsoft Exchange 2010 
> and it works perfectly! But with Microsoft Exchange 2013 I can not perform 
> LOGIN.
> 
> The error log message is:
> imap-login: Error: proxy(u...@domain.com.br): Login for 
> exchange2013.domain.com.br:143 timed out in state=4 (after 30 secs, 
> local=x.x.x.x:59640)
> 
> My troubleshoot was:
> 
> - tcpdump on dovecot server side:
> I can see the commands sent/received by Microsoft Exchange. But not the "OK 
> LOGIN" response.
> 
> * OK The Microsoft Exchange IMAP4 service in  is ready.
> C CAPABILITY
> L LOGIN "u...@domain.com.br" "123456"
> * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN STARTTLS UIDPLUS CHILDREN IDLE 
> NAMESPACE LITERAL+
> C OK CAPABILITY completed.

Looks like Exchange 2013 IMAP has broken command pipelining :( See if it gets 
fixed by http://hg.dovecot.org/dovecot-2.2/rev/6e8bbc150fa9 and the attached 
patch on top of that? If it works, I'll commit that patch too.






[Dovecot] Dovecot proxy to Microsoft Exchange 2013

2013-06-19 Thread Ricardo Machini Barbosa

Hello,

I am trying to do a proxy with dovecot to IMAP backend server that are 
using Microsoft Exchange 2013.
I already did this with Microsoft Exchange 2007 and Microsoft Exchange 
2010 and it works perfectly! But with Microsoft Exchange 2013 I can not 
perform LOGIN.


The error log message is:
imap-login: Error: proxy(u...@domain.com.br): Login for 
exchange2013.domain.com.br:143 timed out in state=4 (after 30 secs, 
local=x.x.x.x:59640)


My troubleshoot was:

- tcpdump on dovecot server side:
I can see the commands sent/received by Microsoft Exchange. But not 
the "OK LOGIN" response.

* OK The Microsoft Exchange IMAP4 service in  is ready.
C CAPABILITY
L LOGIN "u...@domain.com.br" "123456"
* CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN STARTTLS UIDPLUS CHILDREN IDLE 
NAMESPACE LITERAL+
C OK CAPABILITY completed.

- tcpdump with telnet login on dovecot server side:
Works fine.

* OK The Microsoft Exchange IMAP4 service in  is ready.
a login "u...@domain.com.br" "123456"
a OK LOGIN completed.
a logout
* BYE Microsoft Exchange Server 2013 IMAP4 server signing off.
a OK LOGOUT completed.

- Log verbose on Microsoft Exchange 2013.
Look like that Microsoft Exchange did not receive the login command.

Someone already tried do this with Microsoft Exchange 2013 ?

See below some information about my dovecot configuration:

# 2.2.2: dovecot.conf
# OS: Linux 2.6.32-358.2.1.el6.centos.plus.x86_64 x86_64 CentOS release 6.4 (Final)

base_dir = /var/run/dovecot/
disable_plaintext_auth = no
listen = x.x.x.x
mbox_write_locks = fcntl
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

protocols = imap pop3
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 4
  service_count = 0
  vsz_limit = 512 M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
  process_min_avail = 4
  service_count = 0
  vsz_limit = 512 M
}
ssl_cert = 

Re: [Dovecot] dovecot proxy ssl-parameter from database?

2012-09-11 Thread Timo Sirainen
On 3.9.2012, at 16.32, Daniel Funke wrote:

> So far all works fine. My question is the TLS or noTLS connection from the 
> client to the proxy. How can I make the ssl-parameter user-dependant? clients 
> to the old courier server should work without or with tls through the proxy 
> and clients to the new dovecot server should only work WITH TLS between 
> Client and proxy. (After migration of all clients the proxy should be 
> switched off and all clients connect directly to the dovecot server.)

You can't. If disable_plaintext_auth=yes or ssl=required, Dovecot fails the 
login before any passdb or userdb lookup is done.



[Dovecot] dovecot proxy ssl-parameter from database?

2012-09-03 Thread Daniel Funke

Hi List,

I want to migrate my IMAP-users from an old Courier-IMAP-Server to a new 
dovecot-Server. The old server supports IMAP without and with TLS. The 
new one only with TLS.


To users should be migrated one by one with changing some client 
parameters. To leave the servername of the imap server I want to use the 
dovecot proxy during migration. the proxy uses a sql db to look for the 
old or new host for every user.


So far all works fine. My question is the TLS or noTLS connection from 
the client to the proxy. How can I make the ssl-parameter 
user-dependant? clients to the old courier server should work without or 
with tls through the proxy and clients to the new dovecot server should 
only work WITH TLS between Client and proxy. (After migration of all 
clients the proxy should be switched off and all clients connect directly 
to the dovecot server.)


I tried with http://wiki2.dovecot.org/UserDatabase/ExtraFields and 
returned a field "userdb_ssl" ("required" for host dovecot, "yes" for 
host courier). But it doesn't work. A migrated user can still login 
without tls to the proxy and the dovecot backend.


Any ideas?

Daniel

Here is my doveconf -n
# 2.1.9: /opt/dovecot/etc/dovecot/dovecot.conf
doveconf: Warning: service anvil { client_limit=1000 } is lower than 
required under max. load (1503)

# OS: Linux 2.6.32-279.2.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
auth_mechanisms = plain login
default_process_limit = 500
disable_plaintext_auth = no
listen = *
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date ihave

passdb {
  args = /opt/dovecot/etc/dovecot/sql.conf
  driver = sql
}
protocols = imap pop3
service imap-login {
  inet_listener imaps {
    port = 0
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 0
  }
}
ssl_cert = 

Re: [Dovecot] Dovecot proxy/director and mail pop3/imap backend serviceon same server

2012-06-21 Thread Костырев Александр Алексеевич
I've already tortured Timo about that.
check this thread out: http://www.dovecot.org/list/dovecot/2012-June/066315.html




-Original Message-
From: dovecot-boun...@dovecot.org [mailto:dovecot-boun...@dovecot.org] On 
Behalf Of Aerion Stevens
Sent: Friday, June 22, 2012 4:50 PM
To: dovecot@dovecot.org
Subject: [Dovecot] Dovecot proxy/director and mail pop3/imap backend serviceon 
same server

Hi all,

I am interested in running a Dovecot Proxy(with Director) on the same server
as the main Dovecot IMAP/POP3 service. I have a basic Proxy/Director
configuration working, however I am struggling with getting the Proxy and
IMAP/POP3 service to coexist on the same server. I plan to use three
IMAP/POP3 servers with a NFS/maildir backend, and I am playing with Dovecot
2.1.5 at the moment.

I have two separate configurations, one for the Proxy/Director and one for
the Dovecot IMAP/POP3 "mail backend servers". For this to work my thoughts
are that I will need to run the Proxy/Director imap/pop3 login process on the
standard ports 143, 110, 993, 995 and for the Dovecot IMAP/POP3 mail backend
service running on the same server will need to use different ports (I
decided to be 9143, 9110, 9993, 9995 for example).
How do I tell the director to proxy incoming imap/pop3 connection to the mail
backend servers running on ports 9143, 9110, 9993, 9995 rather than the
default imap/pop3 ports? Using the default ports will clearly cause loops.
Can anyone kindly provide an example snippet of config that tells the
director to use different port for IMAP and POP3 proxy?

I have so far found the following pages helpful to what I am working on:
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
http://wiki2.dovecot.org/Director

Cheers,
Aerion.


[Dovecot] Dovecot proxy/director and mail pop3/imap backend service on same server

2012-06-21 Thread Aerion Stevens
Hi all,

I am interested in running a Dovecot Proxy(with Director) on the same server
as the main Dovecot IMAP/POP3 service. I have a basic Proxy/Director
configuration working, however I am struggling with getting the Proxy and
IMAP/POP3 service to coexist on the same server. I plan to use three
IMAP/POP3 servers with a NFS/maildir backend, and I am playing with Dovecot
2.1.5 at the moment.

I have two separate configurations, one for the Proxy/Director and one for
the Dovecot IMAP/POP3 "mail backend servers". For this to work my thoughts
are that I will need to run the Proxy/Director imap/pop3 login process on the
standard ports 143, 110, 993, 995 and for the Dovecot IMAP/POP3 mail backend
service running on the same server will need to use different ports (I
decided to be 9143, 9110, 9993, 9995 for example).
How do I tell the director to proxy incoming imap/pop3 connection to the mail
backend servers running on ports 9143, 9110, 9993, 9995 rather than the
default imap/pop3 ports? Using the default ports will clearly cause loops.
Can anyone kindly provide an example snippet of config that tells the
director to use different port for IMAP and POP3 proxy?

I have so far found the following pages helpful to what I am working on:
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
http://wiki2.dovecot.org/Director

Cheers,
Aerion.


Re: [Dovecot] dovecot proxy with nopassword and postfix sasl

2011-05-16 Thread Timo Sirainen
On Sat, 2011-05-14 at 12:54 +0200, Simone Caruso wrote:
> On 13/05/2011 15:07, Franco Rizzo wrote:
> > Hello thank you for your answer
> > 
> > when I have this user in my passdb file
> > fra...@ozzir.ch:{plain}password::proxy host=xx.xx.xx.xx
> > postfix sasl accept only the password => password
> > 
> > When I have this user in my passdb file
> > fra...@ozzir.ch:::nopassword proxy host=xx.xx.xx.xx
> > postfix sasl accept any password
> > 
> And I think this is all normal...
> From:
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
> I don't think it is allowed behaviour for Postfix to authenticate on a dovecot
> proxy.

Right. If you really want to, with v2.0 you could do:

protocol smtp {
  passdb for your sql/ldap/whatever database that has passwords
}
protocol !smtp {
  passdb for proxy without passwords
}




Re: [Dovecot] dovecot proxy with nopassword and postfix sasl

2011-05-14 Thread Simone Caruso
On 13/05/2011 15:07, Franco Rizzo wrote:
> Hello thank you for your answer
> 
> when I have this user in my passdb file
> fra...@ozzir.ch:{plain}password::proxy host=xx.xx.xx.xx
> postfix sasl accept only the password => password
> 
> When I have this user in my passdb file
> fra...@ozzir.ch:::nopassword proxy host=xx.xx.xx.xx
> postfix sasl accept any password
> 
And I think this is all normal...
From:
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
I don't think it is allowed behaviour for Postfix to authenticate on a dovecot
proxy.

I think u can solve the issue using the 2nd point of the Proxy tutorial:
"Let Dovecot proxy perform the authentication and login to remote server using
the proxy's master password"
or moving to sql/ldap userbase.

-- 
Simone Caruso
IT Consultant
p.iva: 03045250838


Re: [Dovecot] dovecot proxy with nopassword and postfix sasl

2011-05-13 Thread Franco Rizzo
Hello, thank you for your answer

when I have this user in my passdb file
fra...@ozzir.ch:{plain}password::proxy host=xx.xx.xx.xx
postfix sasl accepts only the password => password

When I have this user in my passdb file
fra...@ozzir.ch:::nopassword proxy host=xx.xx.xx.xx
postfix sasl accepts any password

as I said imap and pop3 always refuse a bad password

this is my postfix config

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, reject_sender_login_mismatch, 
permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-smtpd_sender_login_maps.cf

#for outlook 2003 and outlook express > v6
broken_sasl_auth_clients = yes

Franco Rizzo




Re: [Dovecot] dovecot proxy with nopassword and postfix sasl

2011-05-13 Thread Simone Caruso
You should explain your environment better and post your configurations... but
this seems more a 'postfix' problem than a dovecot one.
Regards

-- 
Simone Caruso
IT Consultant
p.iva: 03045250838


[Dovecot] dovecot proxy with nopassword and postfix sasl

2011-05-12 Thread Franco Rizzo
Hi all,

I have set up a dovecot proxy with remote auth, value nopassword in the passdb 
to make the auth remotely.
With pop3 and imap the authentication is made on the remote server and this 
works perfectly.

I have tested with wrong and correct password.

Then I have added the postfix sasl and this also works fine, the request is 
made to dovecot.

My problem is that with this method I can give any password to postfix and mail 
is sent.

In the debug it seems that a request is made to the remote server for auth.

The smtp sasl auth is only refused when I put no password.

Is it allowed to use postfix sasl auth with dovecot proxy auth on remote server?

Thank you

Franco Rizzo




Re: [Dovecot] dovecot proxy, imapproxy, perdition . . . or?

2011-03-21 Thread Jim Lawson



On Sat, 19 Mar 2011, Dennis Guhl wrote:

> On Sat, Mar 19, 2011 at 09:50:15PM +0100, Lorens Kockum wrote:
>> Hi,
>>
>> I have two load-balanced dovecot servers using a single NFS
>> mount. The version is 1.2.11. I chose this so that if one server
>
> [..]
>
>> reasons, and also that dovecot has an included proxy, and
>> that its performance is better than perdition. However on
>> http://wiki.dovecot.org/HowTo/ImapProxy the feature "IMAP/POP3
>> server with proxy feature" is noted as "This model is still a
>> bit unfinished in current code."
>>
>> Is this still true? There's also a general note that "This page
>> was written quite a long time ago and may not match reality
>> anymore" . . .
>
> I use 1.2.15 from Debian Lennys backports in a proxy configuration
> for a medium three digit number of users without any problems.
>
> Dennis


UVM is using Dovecot 1.2.15 (stock) in a proxy setup (mysql driver) on top 
of a RedHat GFS cluster.  >30K users.  The proxy works very well; we 
used it to help make our migration from UW-IMAP transparent.


We're looking at moving to 2.0 + director to route users to specific nodes 
for cache locality (hopefully better performance.)


Jim


Re: [Dovecot] dovecot proxy, imapproxy, perdition . . . or?

2011-03-20 Thread jkrejci
We use proxy_maybe across several servers handling over 10,000 accounts with no 
problems.

--Original Message--
From: Dennis Guhl
Sender: dovecot-bounces+jkrejci=usinternet@dovecot.org
To: dovecot@dovecot.org
ReplyTo: dovecot@dovecot.org
Subject: Re: [Dovecot] dovecot proxy, imapproxy, perdition . . . or?
Sent: Mar 19, 2011 4:32 PM

On Sat, Mar 19, 2011 at 09:50:15PM +0100, Lorens Kockum wrote:
> Hi,
> 
> I have two load-balanced dovecot servers using a single NFS
> mount. The version is 1.2.11. I chose this so that if one server

[..]

> reasons, and also that dovecot has an included proxy, and
> that its performance is better than perdition. However on
> http://wiki.dovecot.org/HowTo/ImapProxy the feature "IMAP/POP3
> server with proxy feature" is noted as "This model is still a
> bit unfinished in current code."
> 
> Is this still true? There's also a general note that "This page
> was written quite a long time ago and may not match reality
> anymore" . . .

I use 1.2.15 from Debian Lennys backports in a proxy configuration
for a medium three digit number of users without any problems.

Dennis



Re: [Dovecot] dovecot proxy, imapproxy, perdition . . . or?

2011-03-19 Thread Dennis Guhl
On Sat, Mar 19, 2011 at 09:50:15PM +0100, Lorens Kockum wrote:
> Hi,
> 
> I have two load-balanced dovecot servers using a single NFS
> mount. The version is 1.2.11. I chose this so that if one server

[..]

> reasons, and also that dovecot has an included proxy, and
> that its performance is better than perdition. However on
> http://wiki.dovecot.org/HowTo/ImapProxy the feature "IMAP/POP3
> server with proxy feature" is noted as "This model is still a
> bit unfinished in current code."
> 
> Is this still true? There's also a general note that "This page
> was written quite a long time ago and may not match reality
> anymore" . . .

I use 1.2.15 from Debian Lennys backports in a proxy configuration
for a medium three digit number of users without any problems.

Dennis


[Dovecot] dovecot proxy, imapproxy, perdition . . . or?

2011-03-19 Thread Lorens Kockum
Hi,

I have two load-balanced dovecot servers using a single NFS
mount. The version is 1.2.11. I chose this so that if one server
goes down the other will take up the load, and if my load is
too much for one server I just have to add more identical
servers. It works, but I wish to move to SAN storage because
the NFS server is exhibiting irregular performance. (I spent a
lot of time with tcpdump to check that it wasn't NFS locking
problems). Performance is very important to me, not in the sense
of many users but in the sense of quick response time, since the
main use is as a webmail backend.

That means that instead of load-balancing connections between
servers I will have to partition users between servers (all on
one to begin with) and direct users to the corresponding server.

I expected to use perdition, but when reading up on that I
found imapproxy, which could be interesting for performance
reasons, and also that dovecot has an included proxy, and
that its performance is better than perdition. However on
http://wiki.dovecot.org/HowTo/ImapProxy the feature "IMAP/POP3
server with proxy feature" is noted as "This model is still a
bit unfinished in current code."

Is this still true? There's also a general note that "This page
was written quite a long time ago and may not match reality
anymore" . . .


[Dovecot] Dovecot Proxy - auth on proxy

2010-03-08 Thread BaQs


Good afternoon list, 

I'm really struggling making this feature work:


http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy 



Re: [Dovecot] Dovecot Proxy and environment variables

2010-01-19 Thread Timo Sirainen
On Fri, 2010-01-15 at 17:27 +0100, BaQs wrote:
> Ok, found what happens
> 
> 
> I only catch public IP when using imap, not pop3.
> 
> Any way to catch public IP using pop3 as well ?

No. Hmm. I hadn't thought about this for a while. It would require some
new XFORWARD command that sends it. But when to use it? There would be a
couple of possibilities:

a) Send it only when XFORWARD is listed in capabilities. This requires
POP3 proxy to ask for CAPA, which it currently doesn't, so it adds an
extra round trip = latency.

b) Just always send the XFORWARD command and if it fails, just ignore
the error.

c) Send it when banner string contains something special, such as
"Dovecot" string.

d) Send it when configured by config file / passdb.

I don't really like any of them. Perhaps b) wouldn't be too bad.




Re: [Dovecot] Dovecot Proxy and environment variables

2010-01-15 Thread BaQs

Ok, found what happens


I only catch public IP when using imap, not pop3.

Any way to catch public IP using pop3 as well ?


On Fri, 15 Jan 2010 11:33:11 -0500, Charles Marcus
 wrote:
> On 2010-01-15, BaQs (serar...@baqs.net) wrote:
>> I now use dovecot 1.2.9 on proxy, and 1.2.4 on destination server.
> 
> Not that this will necessarily fix your problem (though it might) - if
> you are using dovecot proxy with multiple dovecot servers, you really
> should keep them all the same version...


Re: [Dovecot] Dovecot Proxy and environment variables

2010-01-15 Thread Charles Marcus
On 2010-01-15, BaQs (serar...@baqs.net) wrote:
> I now use dovecot 1.2.9 on proxy, and 1.2.4 on destination server.

Not that this will necessarily fix your problem (though it might) - if
you are using dovecot proxy with multiple dovecot servers, you really
should keep them all the same version...


Re: [Dovecot] Dovecot Proxy and environment variables

2010-01-15 Thread BaQs

Hi all!

I now use dovecot 1.2.9 on proxy, and 1.2.4 on destination server.
Then, it seems that login_trusted_networks doesn't work any more, and
I've got the proxy's private IP in the opensmtp database.

---destination server
More details may help:
mail_executable = /usr/local/libexec/dovecot/opensmtp.sh /usr/local/libexec/dovecot/courier2dovecot.sh

opensmtp.sh:
echo "replace into opensmtp(ip,domain) VALUES('$IP','$DOMAIN');" | mysql
---destination server

---proxy
password_query = SELECT NULL AS password, host, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS nopassword, 'Y' AS proxy,'%u' as user FROM proxy WHERE domain = '%d'
---proxy


On Mon, 30 Nov 2009 17:05:40 +0100, BaQs  wrote:
> Seems to work great! 
> 
> Thanks a lot, enormous! 
> 
> On Mon, 30 Nov 2009 10:37:02 -0500, Timo Sirainen  wrote:
>> If you have Dovecot v1.2 in both proxy and destination servers, you can
>> just set in dest server login_trusted_networks to include the proxy's IP.
>> 
>> On Nov 30, 2009, at 3:50 AM, BaQs wrote:
>> 
>>> 
>>> Hi List,
>>> 
>>> Sorry to bother you again but nobody would have any solution ?
>>> 
>>> I just want to get real IP on a dovecot behind a dovecot proxy.
>>> 
>>> I am using dovecot 1.2.4 but can change version if a solution exists.
>>> 
>>> 
>>> Thanks a lot in advance,
>>> Pierre
>>> 
>>> On Fri, 27 Nov 2009 16:25:53 +0100, BaQs  wrote:
>>>> Dear list,
>>>>
>>>> First of all, I am French so excuse my bad english.
>>>>
>>>> I am
>>>> currently using dovecot proxy feature, using sql backend.
>>>>
>>>> I "proxy" the
>>>> imap/pop requests to another server, let's say server2.
>>>>
>>>> On server2, I use
>>>> a script to keep up to date a "pop before smtp auth" database.
>>>>
>>>> I used
>>>> mail_executable = /path/to/this/script.sh ...
>>>>
>>>> My problem is: the $IP
>>>> environment variable on server2 is the proxy's IP.
>>>>
>>>> How could I give a
>>>> variable from proxy to server2, or simply get the real client public IP ?
>>>>
>>>>
>>>> Thanks a lot in advance for your answers
>>>>
>>>> Pierre.
>>>>
>>>> PS: let me also
>>>> thank very much dovecot developers and community !
>>>
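
A validated version of the opensmtp.sh insert shown above, as an added example that is not from the thread: it refuses to record an address that is malformed or that belongs to the proxy (the symptom described when the real client IP is not forwarded) and binds values as parameters instead of interpolating them into SQL. SQLite stands in for MySQL, and `PROXY_NETS`, the table layout and the function names are assumptions.

```python
import ipaddress
import os
import re
import sqlite3

# Assumption: networks the proxy itself lives in. A login recorded from one of
# these means the real client address was not forwarded to the backend.
PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Conservative hostname pattern; anything else is rejected before it reaches SQL.
DOMAIN_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

def open_db():
    """In-memory SQLite stand-in for the MySQL opensmtp table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE opensmtp (ip TEXT PRIMARY KEY, domain TEXT)")
    return conn

def record_login(conn, ip_text, domain, proxy_nets=PROXY_NETS):
    """Record (ip, domain) for pop-before-smtp only when both values are sane.

    Returns a short reason string so the caller can log rejections."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "rejected: not an IP address"
    # Whitelisting the proxy's own address would open relaying to every client
    # that connects through it, so treat it as a forwarding failure instead.
    if any(ip in net for net in proxy_nets):
        return "rejected: proxy/internal address"
    if not DOMAIN_RE.fullmatch(domain):
        return "rejected: bad domain"
    # Bound parameters: the values are never spliced into the statement text.
    conn.execute("REPLACE INTO opensmtp (ip, domain) VALUES (?, ?)",
                 (str(ip), domain))
    conn.commit()
    return "recorded"

def rows(conn):
    """Return the current table contents, ordered for stable comparison."""
    return conn.execute("SELECT ip, domain FROM opensmtp ORDER BY ip").fetchall()

if __name__ == "__main__":
    # $IP and $DOMAIN are the environment variables used by the thread's script.
    db = open_db()
    print(record_login(db, os.environ.get("IP", ""), os.environ.get("DOMAIN", "")))
```
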


Re: [Dovecot] Dovecot Proxy and environment variables

2009-11-30 Thread BaQs

Seems to work great! 

Thanks a lot, enormous! 

On Mon, 30 Nov 2009 10:37:02 -0500, Timo Sirainen  wrote:
> If you have Dovecot v1.2 in both proxy and destination servers, you can
> just set in dest server login_trusted_networks to include the proxy's IP.
> 
> On Nov 30, 2009, at 3:50 AM, BaQs wrote:
> 
>> 
>> Hi List,
>> 
>> Sorry to bother you again but nobody would have any solution ?
>> 
>> I just want to get real IP on a dovecot behind a dovecot proxy.
>> 
>> I am using dovecot 1.2.4 but can change version if a solution exists.
>> 
>> 
>> Thanks a lot in advance,
>> Pierre
>> 
>> On Fri, 27 Nov 2009 16:25:53 +0100, BaQs  wrote:
>>> Dear list, 
>>> 
>>> First of all, I am French so excuse my bad english. 
>>> 
>>> I am
>>> currently using dovecot proxy feature, using sql backend. 
>>> 
>>> I "proxy" the
>>> imap/pop requests to another server, let's say server2. 
>>> 
>>> On server2, I use
>>> a script to keep up to date a "pop before smtp auth" database. 
>>> 
>>> I used
>>> mail_executable = /path/to/this/script.sh ... 
>>> 
>>> My problem is: the $IP
>>> environment variable on server2 is the proxy's IP. 
>>> 
>>> How could I give a
>>> variable from proxy to server2, or simply get the real client public IP ?
>>> 
>>> 
>>> Thanks a lot in advance for your answers 
>>> 
>>> Pierre. 
>>> 
>>> PS: let me also
>>> thank very much dovecot developers and community !
>>


Re: [Dovecot] Dovecot Proxy and environment variables

2009-11-30 Thread Timo Sirainen
If you have Dovecot v1.2 in both proxy and destination servers, you can just 
set in dest server login_trusted_networks to include the proxy's IP.

On Nov 30, 2009, at 3:50 AM, BaQs wrote:

> 
> Hi List,
> 
> Sorry to bother you again but nobody would have any solution ?
> 
> I just want to get real IP on a dovecot behind a dovecot proxy.
> 
> I am using dovecot 1.2.4 but can change version if a solution exists.
> 
> 
> Thanks a lot in advance,
> Pierre
> 
> On Fri, 27 Nov 2009 16:25:53 +0100, BaQs  wrote:
>> Dear list, 
>> 
>> First of all, I am French so excuse my bad english. 
>> 
>> I am
>> currently using dovecot proxy feature, using sql backend. 
>> 
>> I "proxy" the
>> imap/pop requests to another server, let's say server2. 
>> 
>> On server2, I use
>> a script to keep up to date a "pop before smtp auth" database. 
>> 
>> I used
>> mail_executable = /path/to/this/script.sh ... 
>> 
>> My problem is: the $IP
>> environment variable on server2 is the proxy's IP. 
>> 
>> How could I give a
>> variable from proxy to server2, or simply get the real client public IP ?
>> 
>> 
>> Thanks a lot in advance for your answers 
>> 
>> Pierre. 
>> 
>> PS: let me also
>> thank very much dovecot developers and community !
> 



Re: [Dovecot] Dovecot Proxy and environment variables

2009-11-30 Thread BaQs

Hi List,

Sorry to bother you again but nobody would have any solution ?

I just want to get real IP on a dovecot behind a dovecot proxy.

I am using dovecot 1.2.4 but can change version if a solution exists.


Thanks a lot in advance,
Pierre

On Fri, 27 Nov 2009 16:25:53 +0100, BaQs  wrote:
> Dear list, 
> 
> First of all, I am French so excuse my bad english. 
> 
> I am
> currently using dovecot proxy feature, using sql backend. 
> 
> I "proxy" the
> imap/pop requests to another server, let's say server2. 
> 
> On server2, I use
> a script to keep up to date a "pop before smtp auth" database. 
> 
> I used
> mail_executable = /path/to/this/script.sh ... 
> 
> My problem is: the $IP
> environment variable on server2 is the proxy's IP. 
> 
> How could I give a
> variable from proxy to server2, or simply get the real client public IP ?
> 
> 
> Thanks a lot in advance for your answers 
> 
> Pierre. 
> 
> PS: let me also
> thank very much dovecot developers and community !


[Dovecot] Dovecot Proxy and environment variables

2009-11-27 Thread BaQs


Dear list,

First of all, I am French so excuse my bad English.

I am currently using dovecot proxy feature, using sql backend.

I "proxy" the imap/pop requests to another server, let's say server2.

On server2, I use a script to keep up to date a "pop before smtp auth" database.

I used mail_executable = /path/to/this/script.sh ...

My problem is: the $IP environment variable on server2 is the proxy's IP.

How could I give a variable from proxy to server2, or simply get the real client public IP ?


Thanks a lot in advance for your answers

Pierre.

PS: let me also thank very much dovecot developers and community !

Re: [Dovecot] Dovecot Proxy

2009-08-13 Thread Timo Sirainen
On Thu, 2009-08-13 at 12:18 -0400, Michel Bulgado wrote:
> I have installed Dovecot as a POP3 server, IMAP on my internal  
> network, the authentication against Windows Active Directory.

Okay..

> I would like to know how to setup a second server dovecot as my proxy  
> server for external users outside the network, in another segment of  
> different IP addresses, or at least define which mailboxes will be  
> stored on another server to be accessible to both servers.

Did I understand correctly:

1) You'll have some users in server 1

2) You'll have some other users in server 2

3) If server 2 users log into server 1, they'll get proxied to server 2?

> I have reviewed the document on the wiki site, but I said that is only  
> possible with mysql authentication, but as I said the road where the  
> messages are stored, it is possible for NFS?

I don't understand what authentication has to do with NFS. Or what NFS
in general has to do with your setup.




[Dovecot] Dovecot Proxy

2009-08-13 Thread Michel Bulgado
Hello

I have installed Dovecot as a POP3 server, IMAP on my internal  
network, the authentication against Windows Active Directory.

I would like to know how to setup a second server dovecot as my proxy  
server for external users outside the network, in another segment of  
different IP addresses, or at least define which mailboxes will be  
stored on another server to be accessible to both servers.

I have reviewed the document on the wiki site, but I said that is only  
possible with mysql authentication, but as I said the road where the  
messages are stored, it is possible for NFS?

Thanks

Michel



[Dovecot] Dovecot proxy server

2009-08-12 Thread michel

Hello

I have installed Dovecot as a POP3 server, IMAP on my internal  
network, the authentication against Windows Active Directory.


I would like to know how to setup a second server dovecot as my proxy  
server for external users outside the network, in another segment of  
different IP addresses, or at least define which mailboxes will be  
stored on another server to be accessible to both servers.


I have reviewed the document on the wiki site, but I said that is only  
possible with mysql authentication, but as I said the road where the  
messages are stored, it is possible for NFS?


Thanks

Michel

--
Webmail, e-mail service
Casa de las Americas - Havana, Cuba.



Re: [Dovecot] Dovecot Proxy with MySQL auth

2008-12-04 Thread Justin Krejci
The proxy_maybe is working well for us with MySQL auth. We have a much more
complicated SQL query as we are doing a lot more but the example was able to
get us the correct Dovecot specific portion working.

Thanks for the info we are starting to migrate users over to Dovecot now
that we put these proxy_maybe servers in front of our legacy pop/imap
server.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Justin Krejci
Sent: Sunday, November 30, 2008 1:50 AM
To: 'Timo Sirainen'
Cc: 'Dovecot Mailing List'
Subject: Re: [Dovecot] Dovecot Proxy with MySQL auth

The info is appreciated, thanks for the update!
We will try it out and respond with feedback.

-Original Message-
From: Timo Sirainen [mailto:[EMAIL PROTECTED] 
Sent: Saturday, November 29, 2008 7:49 PM
To: Justin Krejci
Cc: 'Dovecot Mailing List'
Subject: Re: [Dovecot] Dovecot Proxy with MySQL auth

On Wed, 2008-11-26 at 11:56 -0600, Justin Krejci wrote:
> http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
> 
> At the bottom of this page it gives a query example of "SELECT NULL AS
> password, ." but that does not seem to allow for us to use the proxy_maybe

Right. The example is for a proxy-only server that doesn't know the
users' passwords. I added just now another example there that shows how
to use proxy_maybe. It's untested though, so please let me know if it
doesn't work.





Re: [Dovecot] Dovecot Proxy with MySQL auth

2008-11-29 Thread Justin Krejci
The info is appreciated, thanks for the update!
We will try it out and respond with feedback.

-Original Message-
From: Timo Sirainen [mailto:[EMAIL PROTECTED] 
Sent: Saturday, November 29, 2008 7:49 PM
To: Justin Krejci
Cc: 'Dovecot Mailing List'
Subject: Re: [Dovecot] Dovecot Proxy with MySQL auth

On Wed, 2008-11-26 at 11:56 -0600, Justin Krejci wrote:
> http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
> 
> At the bottom of this page it gives a query example of "SELECT NULL AS
> password, ." but that does not seem to allow for us to use the proxy_maybe

Right. The example is for a proxy-only server that doesn't know the
users' passwords. I added just now another example there that shows how
to use proxy_maybe. It's untested though, so please let me know if it
doesn't work.




Re: [Dovecot] Dovecot Proxy with MySQL auth

2008-11-29 Thread Timo Sirainen
On Wed, 2008-11-26 at 11:56 -0600, Justin Krejci wrote:
> http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
> 
> At the bottom of this page it gives a query example of "SELECT NULL AS
> password, ." but that does not seem to allow for us to use the proxy_maybe

Right. The example is for a proxy-only server that doesn't know the
users' passwords. I added just now another example there that shows how
to use proxy_maybe. It's untested though, so please let me know if it
doesn't work.





Re: [Dovecot] Dovecot Proxy with MySQL auth

2008-11-28 Thread Justin Krejci
I get the feeling not many people are using Dovecot proxy with MySQL auth.
Is there anyone who has done this before? We might end up going with
something like NGINX for the proxy instead if we cannot figure out if and
how this should work for our type of scenario but it would be nice if we
could go with fewer components.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Justin Krejci
Sent: Wednesday, November 26, 2008 11:57 AM
To: 'Dovecot Mailing List'
Subject: [Dovecot] Dovecot Proxy with MySQL auth

We are looking at deploying several pop/imap servers to house the mail for
15,000 or more mailbox accounts. We are contemplating on the design and are
looking at using MySQL auth (we already have a MySQL environment in place
for our user auth to live) and proxy_maybe so each server can proxy for all
the others and we just have a network load balancer distribute the incoming
connections to all of the Dovecot servers. Each server would have its own
local maildir storage for the users local to that server and all of the
authentication and target backend pop/imap server data would be stored in
the same MySQL database. The problem we are running into is the
documentation is not very clear on this type of scenario. 

 

http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy

 

At the bottom of this page it gives a query example of "SELECT NULL AS
password, ." but that does not seem to allow for us to use the proxy_maybe
if the destination server is localhost (and therefore do not proxy) it does
not seem that the above query will actually send the real password for
authentication. Is this a misunderstanding on our part or is the use of
mysql auth + proxy_maybe not feasible? Assuming the latter we surmised using
a separate instance of Dovecot on each machine to act solely as a proxy
front end (use proxy instead of proxy_maybe) then on the second instance
there is no proxy config and it listens on a separate TCP port like 80143 or
whatever.

 

Any input or suggestions would be appreciated.

 

Justin Krejci




[Dovecot] Dovecot Proxy with MySQL auth

2008-11-26 Thread Justin Krejci
We are looking at deploying several pop/imap servers to house the mail for
15,000 or more mailbox accounts. We are contemplating on the design and are
looking at using MySQL auth (we already have a MySQL environment in place
for our user auth to live) and proxy_maybe so each server can proxy for all
the others and we just have a network load balancer distribute the incoming
connections to all of the Dovecot servers. Each server would have its own
local maildir storage for the users local to that server and all of the
authentication and target backend pop/imap server data would be stored in
the same MySQL database. The problem we are running into is the
documentation is not very clear on this type of scenario. 

 

http://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy

 

At the bottom of this page it gives a query example of "SELECT NULL AS
password, ." but that does not seem to allow for us to use the proxy_maybe
if the destination server is localhost (and therefore do not proxy) it does
not seem that the above query will actually send the real password for
authentication. Is this a misunderstanding on our part or is the use of
mysql auth + proxy_maybe not feasible? Assuming the latter we surmised using
a separate instance of Dovecot on each machine to act solely as a proxy
front end (use proxy instead of proxy_maybe) then on the second instance
there is no proxy config and it listens on a separate TCP port like 80143 or
whatever.

 

Any input or suggestions would be appreciated.

 

Justin Krejci