Re[2]: Dovecot proxy: authentication best practices

2019-12-28 Thread William Edwards

Hi Aki,

> 1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, 
> authentication is completely up to the destination host. Setting 'nopassword' 
> in no way means the proxy becomes an open relay. Is this correct?
> You still control where it proxies to.
> 1.2 Are there any security implications when using 'nopassword' on the proxy?
> As long as it's really a proxy, probably no.

Ok, so assuming proper authentication is configured on the destination host, 
the answer to 1.1 is 'yes' and the answer to 1.2 is 'no'.

> userdb is ignored on proxies. For your use case try the following
> and into domains.passwd

Ah, yes, of course. I forgot Dovecot supports multiple passdb backends. I have 
added the domains.passwd backend as a fallback.

Thanks!


Kind regards,

William Edwards
T. 040 - 711 44 96
E. wedwa...@cyberfusion.nl




 
- Original Message -
From: Aki Tuomi (aki.tu...@open-xchange.com)
Date: 12/27/19 17:42
To: William Edwards (wedwa...@cyberfusion.nl), dovecot (dovecot@dovecot.org)
Subject: Re: Dovecot proxy: authentication best practices


On 27/12/2019 16:02 William Edwards  wrote:


Hi!

I have a few questions regarding Dovecot proxy:

1.
1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, 
authentication is completely up to the destination host. Setting 'nopassword' 
in no way means the proxy becomes an open relay. Is this correct?


You still control where it proxies to.

1.2 Are there any security implications when using 'nopassword' on the proxy?


As long as it's really a proxy, probably no.

2.
2.1 I would like to avoid having to store all users in a passdb file on the 
proxy. I would much rather specify a domain for which Dovecot proxy will route 
all users to a specific host. Is there a way to let Dovecot proxy route to a 
destination host based on domain, so individual users don't have to be 
specified in the proxy passdb?
2.2 Is it correct that userdb does not have any effect on proxying and it can 
be left out of the config? Source: 
https://dovecot.org/pipermail/dovecot/2013-October/093138.html (point 2)

userdb is ignored on proxies. For your use case try the following

passdb {
  driver = passwd-file
  args = username_format=%Ld /etc/dovecot/domains.passwd
}

and into domains.passwd

domain.com::: nopassword proxy host=host1

colon count might be wrong

Kind regards,

William Edwards
T. 040 - 711 44 96
E. wedwa...@cyberfusion.nl

---
Aki Tuomi




Re: Dovecot proxy: authentication best practices

2019-12-27 Thread Aki Tuomi


 
 
  
   
  
  
   
On 27/12/2019 16:02 William Edwards wrote:

> Hi!
>
> I have a few questions regarding Dovecot proxy:
>
> 1.
> 1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, authentication is completely up to the destination host. Setting 'nopassword' in no way means the proxy becomes an open relay. Is this correct?

You still control where it proxies to.

> 1.2 Are there any security implications when using 'nopassword' on the proxy?

As long as it's really a proxy, probably no.

> 2.
> 2.1 I would like to avoid having to store all users in a passdb file on the proxy. I would much rather specify a domain for which Dovecot proxy will route all users to a specific host. Is there a way to let Dovecot proxy route to a destination host based on domain, so individual users don't have to be specified in the proxy passdb?
> 2.2 Is it correct that userdb does not have any effect on proxying and it can be left out of the config? Source: https://dovecot.org/pipermail/dovecot/2013-October/093138.html (point 2)

userdb is ignored on proxies. For your use case try the following

passdb {
  driver = passwd-file
  args = username_format=%Ld /etc/dovecot/domains.passwd
}

and into domains.passwd

domain.com::: nopassword proxy host=host1

colon count might be wrong

> Kind regards,
>
> William Edwards
> T. 040 - 711 44 96
> E. wedwa...@cyberfusion.nl

---
Aki Tuomi
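
The passwd-file line in the message above comes with the caveat that its colon count might be wrong. Dovecot's documented passwd-file layout is `user:password:uid:gid:(gecos):home:(shell):extra_fields`, so `nopassword`, `proxy` and `host` belong in the eighth field. The lint below is an added example, not part of the thread or of Dovecot; its function names and sample lines are constructed, and treating a bare key such as `proxy` like `proxy=y` is an assumption of this example.

```python
# Added example (not from the thread): lint a Dovecot proxy passwd-file.
# Documented layout: user:password:uid:gid:(gecos):home:(shell):extra_fields
# extra_fields is a space-separated list of key=value pairs.

EXTRA_FIELD_INDEX = 7  # eighth field, so seven colons precede it

# Constructed sample input; hosts and domains are placeholders.
SAMPLE = """\
domain.com::: nopassword proxy host=host1
domain.com:::::::nopassword=y proxy=y host=host1
example.org:::::::nopassword=y
example.net:::::::nopassword=y proxy=y
"""


def parse_extra_fields(text):
    """Turn 'nopassword=y proxy=y host=host1' into a dict."""
    fields = {}
    for token in text.split():
        key, _, value = token.partition("=")
        fields[key] = value  # assumption: a bare key counts as present
    return fields


def lint_line(line):
    """Return the problems found in one passwd-file line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    parts = line.split(":", EXTRA_FIELD_INDEX)
    user = parts[0]
    if len(parts) <= EXTRA_FIELD_INDEX:
        return [f"{user}: only {len(parts) - 1} colons, extra fields need 7"]
    extra = parse_extra_fields(parts[EXTRA_FIELD_INDEX])
    problems = []
    if "nopassword" in extra and "proxy" not in extra:
        # Without proxy, this passdb itself accepts any password.
        problems.append(f"{user}: nopassword without proxy")
    if "proxy" in extra and not extra.get("host"):
        problems.append(f"{user}: proxy set without a destination host")
    return problems


def lint_file(text):
    """Lint every line and return all problems in file order."""
    return [p for line in text.splitlines() for p in lint_line(line)]


if __name__ == "__main__":
    print("\n".join(lint_file(SAMPLE)))
```

Running it against the proxy's real `domains.passwd` before a reload catches entries where `nopassword` would apply without the login being handed to a destination host.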
   
 



Dovecot proxy: authentication best practices

2019-12-27 Thread William Edwards

Hi!

I have a few questions regarding Dovecot proxy:

1.
1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, 
authentication is completely up to the destination host. Setting 'nopassword' 
in no way means the proxy becomes an open relay. Is this correct?
1.2 Are there any security implications when using 'nopassword' on the proxy?

2.
2.1 I would like to avoid having to store all users in a passdb file on the 
proxy. I would much rather specify a domain for which Dovecot proxy will route 
all users to a specific host. Is there a way to let Dovecot proxy route to a 
destination host based on domain, so individual users don't have to be 
specified in the proxy passdb?
2.2 Is it correct that userdb does not have any effect on proxying and it can 
be left out of the config? Source: 
https://dovecot.org/pipermail/dovecot/2013-October/093138.html (point 2)


Kind regards,

William Edwards
T. 040 - 711 44 96
E. wedwa...@cyberfusion.nl