Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Alexander Chekalin
Ok, got that!

After I removed ssl=no it seems to start working as expected. Will know
that 'by design' feature for Dovecot, THANK YOU!

On Mon, Sep 17, 2018 at 5:34 PM Aki Tuomi  wrote:

> auth process receives the protocol requested when performing
> authentication as variable %s (see https://wiki2.dovecot.org/Variables)
>
> You can use this to choose the value you return for port.
>
> Aki
>
> > On 17 September 2018 at 16:56 Alexander Chekalin <
> alexander.cheka...@gmail.com> wrote:
> >
> >
> > Seen that URL but port= is strange due to there is no protocol
> connection.
> > So if I set port=12345 then what proto will I see there? Misleading
> setting
> > this is why I mentioned (non-existing) per-proto port setting above.
> >
> > May I please ask for any example on how to pass port per proto? It is a
> bit
> > fuzzy for me to figure it out but I do believe you used to use it
> somehow.
> >
> > On Mon, Sep 17, 2018 at 4:42 PM Aki Tuomi  wrote:
> >
> > > The port is determined with port=nnn setting. You can't return
> > > per-protocol port like that, you need to look at the protocol
> requested by
> > > user and return port based on that, or you can omit port to default
> into
> > > "standard port".
> > >
> > > not using ssl/starttls is default.
> > >
> > > > On 17 September 2018 at 16:35 Alexander Chekalin <
> > > alexander.cheka...@gmail.com> wrote:
> > > >
> > > >
> > > > Thank you!
> > > >
> > > > Ok, so I can omit ssl=no and startssl=no, and this results in default
> > > > settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> > > >
> > > > Can I somehow specify ports on remote hosts that proxy will use to
> > > connect
> > > > to? Like (just imagine): 'proxy host_imap=10.1.1.1:143 host_pop=
> > > 10.1.1.1:110'
> > > > or somehow?
> > > >
> > > >
> > > >
> > > >
> > > > On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi 
> wrote:
> > > >
> > > > > Due to certain design issues, the ssl=no is actually same as
> ssl=yes,
> > > same
> > > > > goes for starttls=no. So there is no support actually for "ssl=no"
> at
> > > this
> > > > > moment.
> > > > >
> > > > > Aki
> > > > >
> > > > > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > > > > alexander.cheka...@gmail.com> wrote:
> > > > > >
> > > > > >
> > > > > > Surely.
> > > > > >
> > > > > > Here it is:
> > > > > >
> > > > > > # doveadm auth u...@domain.com
> > > > > > Password:
> > > > > > passdb: chekalin_...@ascon.ru auth succeeded
> > > > > > extra fields:
> > > > > >   user=u...@domain.com
> > > > > >   proxy
> > > > > >   host=10.10.14.131
> > > > > >   ssl=no
> > > > > >   startssl=no
> > > > > >   source_ip=10.10.14.2
> > > > > >   proxy
> > > > > >   proxy
> > > > > >   pass=password
> > > > > >
> > > > > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed
> from
> > > > > > passdb.
> > > > > >
> > > > > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi 
> > > wrote:
> > > > > >
> > > > > > > Can you provide output of
> > > > > > >
> > > > > > > doveadm auth test some-user
> > > > > > > Aki
> > > > > > >
> > > > > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > > > > >
> > > > > > > Dear Aki,
> > > > > > >
> > > > > > > we keep our users in LDAP so I when I even return 'proxy
> > > > > host=backend_ip
> > > > > > > tls=no' it won't use non-TLS connection. The same is when I
> remove
> > > > > 'tls=no'
> > > > > > > part. May there be any extra things I need to pass when I use
> LDAP?
> > > > > > >
> > > > > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi <
> aki.tu...@dovecot.fi>
> > > > > wrote:
> > > > > > >
> > > > > > >>
> > > > > > >>
> > > > > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > > > > >> > Hi,
> > > > > > >> >
> > > > > > >> > I try to set up dovecot as a proxy server, to proxy
> requests to
> > > > > > > >> > several dovecot-based backend servers. I want external
> clients
> > > who
> > > > > > >> > connects to this proxy Dovecot to use TLS (this is easy to
> set
> > > up)
> > > > > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > > > > backends.
> > > > > > >> >
> > > > > > >> > You see, links to backends are over LAN so no TLS needed,
> and
> > > these
> > > > > > > >> > backends are poor old machines (with old Dovecots like
> 2.0.6)
> > > this
> > > > > is
> > > > > > > >> > why I don't want to use TLS to access backends.
> > > > > > >> >
> > > > > > >> > But as I did the test setup I can see proxy Dovecot uses
> TLS to
> > > > > > >> > connect to backends. Is there any way I can specify this
> aspect
> > > of
> > > > > > >> > Dovecot proxy?
> > > > > > >> >
> > > > > > > >> > Please advise!
> > > > > > >> >
> > > > > > >> > Yours,
> > > > > > >> >   Alexander
> > > > > > >>
> > > > > > >> Dovecot does not use TLS/SSL when connecting to a backend
> server
> > > by
> > > > > > >> default, you are probably specifying this in your proxy
> config or
> > > > > > >> password database.
> > > > > > >>
> > > > > > >> Aki
> > > > > > >>
> > > > > > >
> > > > > > >
> > > > >
> > >
>
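
Added example, not part of the original thread and not Dovecot's own code: a small checker for `doveadm auth test` output that flags what this thread ran into (an ssl/starttls field that enables backend TLS just by being present, repeated fields, an omitted port) and builds a per-protocol proxy reply from the %s protocol name. The sample output, the port table and all function names are constructed for illustration.

```python
from collections import Counter

# Per the thread, the mere presence of these fields enables TLS to the
# backend: "ssl=no is actually same as ssl=yes, same goes for starttls=no".
TLS_KEYS = ("ssl", "starttls")

# Hypothetical per-protocol backend ports, keyed by the %s value the auth
# process receives (the protocol name, e.g. imap or pop3).
BACKEND_PORTS = {"imap": 143, "pop3": 110}

# Constructed sample modelled on the doveadm output quoted in the thread.
SAMPLE = """\
passdb: user@example.com auth succeeded
extra fields:
  user=user@example.com
  proxy
  host=10.10.14.131
  ssl=no
  startssl=no
  source_ip=10.10.14.2
  proxy
  proxy
  pass=password
"""


def parse_extra_fields(output):
    """Return [(key, value or None), ...] from the 'extra fields:' section."""
    fields, in_section = [], False
    for line in output.splitlines():
        if line.strip() == "extra fields:":
            in_section = True
        elif in_section:
            if not line.strip() or not line[0].isspace():
                break  # section ends at the first blank or unindented line
            key, sep, value = line.strip().partition("=")
            fields.append((key, value if sep else None))
    return fields


def backend_uses_tls(fields):
    """True if any TLS field is present, whatever its value."""
    return any(key in TLS_KEYS for key, _ in fields)


def lint(fields):
    """List the problems this thread ran into, in a stable order."""
    findings = []
    counts = Counter(key for key, _ in fields)
    for key, value in fields:
        if key in TLS_KEYS:
            shown = key if value is None else f"{key}={value}"
            findings.append(f"{shown}: field present, TLS to backend is on")
    for key, n in counts.items():
        if n > 1:
            findings.append(f"{key}: returned {n} times")
    if counts["proxy"] and not counts["port"]:
        findings.append("port: omitted, standard port for the protocol is used")
    return findings


def proxy_reply(service, host):
    """Build extra fields for a plaintext backend, port chosen from %s."""
    if service not in BACKEND_PORTS:
        raise ValueError(f"no backend port configured for service {service!r}")
    return ["proxy", f"host={host}", f"port={BACKEND_PORTS[service]}"]


if __name__ == "__main__":
    for finding in lint(parse_extra_fields(SAMPLE)):
        print(finding)
    print(proxy_reply("pop3", "10.10.14.131"))
```
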


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Aki Tuomi
auth process receives the protocol requested when performing authentication as 
variable %s (see https://wiki2.dovecot.org/Variables)

You can use this to choose the value you return for port.

Aki

> On 17 September 2018 at 16:56 Alexander Chekalin 
>  wrote:
> 
> 
> Seen that URL but port= is strange due to there is no protocol connection.
> So if I set port=12345 then what proto will I see there? Misleading setting
> this is why I mentioned (non-existing) per-proto port setting above.
> 
> May I please ask for any example on how to pass port per proto? It is a bit
> fuzzy for me to figure it out but I do believe you used to use it somehow.
> 
> On Mon, Sep 17, 2018 at 4:42 PM Aki Tuomi  wrote:
> 
> > The port is determined with port=nnn setting. You can't return
> > per-protocol port like that, you need to look at the protocol requested by
> > user and return port based on that, or you can omit port to default into
> > "standard port".
> >
> > not using ssl/starttls is default.
> >
> > > On 17 September 2018 at 16:35 Alexander Chekalin <
> > alexander.cheka...@gmail.com> wrote:
> > >
> > >
> > > Thank you!
> > >
> > > Ok, so I can omit ssl=no and startssl=no, and this results in default
> > > settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> > >
> > > Can I somehow specify ports on remote hosts that proxy will use to
> > connect
> > > to? Like (just imagine): 'proxy host_imap=10.1.1.1:143 host_pop=
> > 10.1.1.1:110'
> > > or somehow?
> > >
> > >
> > >
> > >
> > > On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:
> > >
> > > > Due to certain design issues, the ssl=no is actually same as ssl=yes,
> > same
> > > > goes for starttls=no. So there is no support actually for "ssl=no" at
> > this
> > > > moment.
> > > >
> > > > Aki
> > > >
> > > > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > > > alexander.cheka...@gmail.com> wrote:
> > > > >
> > > > >
> > > > > Surely.
> > > > >
> > > > > Here it is:
> > > > >
> > > > > # doveadm auth u...@domain.com
> > > > > Password:
> > > > > passdb: chekalin_...@ascon.ru auth succeeded
> > > > > extra fields:
> > > > >   user=u...@domain.com
> > > > >   proxy
> > > > >   host=10.10.14.131
> > > > >   ssl=no
> > > > >   startssl=no
> > > > >   source_ip=10.10.14.2
> > > > >   proxy
> > > > >   proxy
> > > > >   pass=password
> > > > >
> > > > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > > > > passdb.
> > > > >
> > > > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi 
> > wrote:
> > > > >
> > > > > > Can you provide output of
> > > > > >
> > > > > > doveadm auth test some-user
> > > > > > Aki
> > > > > >
> > > > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > > > >
> > > > > > Dear Aki,
> > > > > >
> > > > > > we keep our users in LDAP so I when I even return 'proxy
> > > > host=backend_ip
> > > > > > tls=no' it won't use non-TLS connection. The same is when I remove
> > > > 'tls=no'
> > > > > > part. May there be any extra things I need to pass when I use LDAP?
> > > > > >
> > > > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> > > > wrote:
> > > > > >
> > > > > >>
> > > > > >>
> > > > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > > > >> > Hi,
> > > > > >> >
> > > > > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > > > > >> > several dovecot-based backend servers. I want external clients
> > who
> > > > > >> > connects to this proxy Dovecot to use TLS (this is easy to set
> > up)
> > > > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > > > backends.
> > > > > >> >
> > > > > >> > You see, links to backends are over LAN so no TLS needed, and
> > these
> > > > > > >> > backends are poor old machines (with old Dovecots like 2.0.6)
> > this
> > > > is
> > > > > > >> > why I don't want to use TLS to access backends.
> > > > > >> >
> > > > > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > > > > >> > connect to backends. Is there any way I can specify this aspect
> > of
> > > > > >> > Dovecot proxy?
> > > > > >> >
> > > > > > >> > Please advise!
> > > > > >> >
> > > > > >> > Yours,
> > > > > >> >   Alexander
> > > > > >>
> > > > > >> Dovecot does not use TLS/SSL when connecting to a backend server
> > by
> > > > > >> default, you are probably specifying this in your proxy config or
> > > > > >> password database.
> > > > > >>
> > > > > >> Aki
> > > > > >>
> > > > > >
> > > > > >
> > > >
> >


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Alexander Chekalin
Seen that URL but port= is strange due to there is no protocol connection.
So if I set port=12345 then what proto will I see there? Misleading setting
this is why I mentioned (non-existing) per-proto port setting above.

May I please ask for any example on how to pass port per proto? It is a bit
fuzzy for me to figure it out but I do believe you used to use it somehow.

On Mon, Sep 17, 2018 at 4:42 PM Aki Tuomi  wrote:

> The port is determined with port=nnn setting. You can't return
> per-protocol port like that, you need to look at the protocol requested by
> user and return port based on that, or you can omit port to default into
> "standard port".
>
> not using ssl/starttls is default.
>
> > On 17 September 2018 at 16:35 Alexander Chekalin <
> alexander.cheka...@gmail.com> wrote:
> >
> >
> > Thank you!
> >
> > Ok, so I can omit ssl=no and startssl=no, and this results in default
> > settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> >
> > Can I somehow specify ports on remote hosts that proxy will use to
> connect
> > to? Like (just imagine): 'proxy host_imap=10.1.1.1:143 host_pop=
> 10.1.1.1:110'
> > or somehow?
> >
> >
> >
> >
> > On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:
> >
> > > Due to certain design issues, the ssl=no is actually same as ssl=yes,
> same
> > > goes for starttls=no. So there is no support actually for "ssl=no" at
> this
> > > moment.
> > >
> > > Aki
> > >
> > > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > > alexander.cheka...@gmail.com> wrote:
> > > >
> > > >
> > > > Surely.
> > > >
> > > > Here it is:
> > > >
> > > > # doveadm auth u...@domain.com
> > > > Password:
> > > > passdb: chekalin_...@ascon.ru auth succeeded
> > > > extra fields:
> > > >   user=u...@domain.com
> > > >   proxy
> > > >   host=10.10.14.131
> > > >   ssl=no
> > > >   startssl=no
> > > >   source_ip=10.10.14.2
> > > >   proxy
> > > >   proxy
> > > >   pass=password
> > > >
> > > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > > > passdb.
> > > >
> > > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi 
> wrote:
> > > >
> > > > > Can you provide output of
> > > > >
> > > > > doveadm auth test some-user
> > > > > Aki
> > > > >
> > > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > > >
> > > > > Dear Aki,
> > > > >
> > > > > we keep our users in LDAP so I when I even return 'proxy
> > > host=backend_ip
> > > > > tls=no' it won't use non-TLS connection. The same is when I remove
> > > 'tls=no'
> > > > > part. May there be any extra things I need to pass when I use LDAP?
> > > > >
> > > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> > > wrote:
> > > > >
> > > > >>
> > > > >>
> > > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > > >> > Hi,
> > > > >> >
> > > > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > > > >> > several dovecot-based backend servers. I want external clients
> who
> > > > >> > connects to this proxy Dovecot to use TLS (this is easy to set
> up)
> > > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > > backends.
> > > > >> >
> > > > >> > You see, links to backends are over LAN so no TLS needed, and
> these
> > > > > >> > backends are poor old machines (with old Dovecots like 2.0.6)
> this
> > > is
> > > > > >> > why I don't want to use TLS to access backends.
> > > > >> >
> > > > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > > > >> > connect to backends. Is there any way I can specify this aspect
> of
> > > > >> > Dovecot proxy?
> > > > >> >
> > > > > >> > Please advise!
> > > > >> >
> > > > >> > Yours,
> > > > >> >   Alexander
> > > > >>
> > > > >> Dovecot does not use TLS/SSL when connecting to a backend server
> by
> > > > >> default, you are probably specifying this in your proxy config or
> > > > >> password database.
> > > > >>
> > > > >> Aki
> > > > >>
> > > > >
> > > > >
> > >
>


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Aki Tuomi
https://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy

For list of values you can use.

Aki

> On 17 September 2018 at 16:42 Aki Tuomi  wrote:
> 
> 
> The port is determined with port=nnn setting. You can't return per-protocol 
> port like that, you need to look at the protocol requested by user and return 
> port based on that, or you can omit port to default into "standard port".
> 
> not using ssl/starttls is default.
> 
> > On 17 September 2018 at 16:35 Alexander Chekalin 
> >  wrote:
> > 
> > 
> > Thank you!
> > 
> > Ok, so I can omit ssl=no and startssl=no, and this results in default
> > settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> > 
> > Can I somehow specify ports on remote hosts that proxy will use to connect
> > to? Like (just imagine): 'proxy host_imap=10.1.1.1:143 host_pop=10.1.1.1:110'
> > or somehow?
> > 
> > 
> > 
> > 
> > On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:
> > 
> > > Due to certain design issues, the ssl=no is actually same as ssl=yes, same
> > > goes for starttls=no. So there is no support actually for "ssl=no" at this
> > > moment.
> > >
> > > Aki
> > >
> > > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > > alexander.cheka...@gmail.com> wrote:
> > > >
> > > >
> > > > Surely.
> > > >
> > > > Here it is:
> > > >
> > > > # doveadm auth u...@domain.com
> > > > Password:
> > > > passdb: chekalin_...@ascon.ru auth succeeded
> > > > extra fields:
> > > >   user=u...@domain.com
> > > >   proxy
> > > >   host=10.10.14.131
> > > >   ssl=no
> > > >   startssl=no
> > > >   source_ip=10.10.14.2
> > > >   proxy
> > > >   proxy
> > > >   pass=password
> > > >
> > > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > > > passdb.
> > > >
> > > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi  wrote:
> > > >
> > > > > Can you provide output of
> > > > >
> > > > > doveadm auth test some-user
> > > > > Aki
> > > > >
> > > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > > >
> > > > > Dear Aki,
> > > > >
> > > > > we keep our users in LDAP so I when I even return 'proxy
> > > host=backend_ip
> > > > > tls=no' it won't use non-TLS connection. The same is when I remove
> > > 'tls=no'
> > > > > part. May there be any extra things I need to pass when I use LDAP?
> > > > >
> > > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> > > wrote:
> > > > >
> > > > >>
> > > > >>
> > > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > > >> > Hi,
> > > > >> >
> > > > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > > > >> > several dovecot-based backend servers. I want external clients who
> > > > >> > connects to this proxy Dovecot to use TLS (this is easy to set up)
> > > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > > backends.
> > > > >> >
> > > > >> > You see, links to backends are over LAN so no TLS needed, and these
> > > > > >> > backends are poor old machines (with old Dovecots like 2.0.6) this
> > > is
> > > > > >> > why I don't want to use TLS to access backends.
> > > > >> >
> > > > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > > > >> > connect to backends. Is there any way I can specify this aspect of
> > > > >> > Dovecot proxy?
> > > > >> >
> > > > > >> > Please advise!
> > > > >> >
> > > > >> > Yours,
> > > > >> >   Alexander
> > > > >>
> > > > >> Dovecot does not use TLS/SSL when connecting to a backend server by
> > > > >> default, you are probably specifying this in your proxy config or
> > > > >> password database.
> > > > >>
> > > > >> Aki
> > > > >>
> > > > >
> > > > >
> > >


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Aki Tuomi
The port is determined with port=nnn setting. You can't return per-protocol 
port like that, you need to look at the protocol requested by user and return 
port based on that, or you can omit port to default into "standard port".

not using ssl/starttls is default.

> On 17 September 2018 at 16:35 Alexander Chekalin 
>  wrote:
> 
> 
> Thank you!
> 
> Ok, so I can omit ssl=no and startssl=no, and this results in default
> settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> 
> Can I somehow specify ports on remote hosts that proxy will use to connect
> to? Like (just imagine): 'proxy host_imap=10.1.1.1:143 host_pop=10.1.1.1:110'
> or somehow?
> 
> 
> 
> 
> On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:
> 
> > Due to certain design issues, the ssl=no is actually same as ssl=yes, same
> > goes for starttls=no. So there is no support actually for "ssl=no" at this
> > moment.
> >
> > Aki
> >
> > > On 17 September 2018 at 15:32 Alexander Chekalin <
> > alexander.cheka...@gmail.com> wrote:
> > >
> > >
> > > Surely.
> > >
> > > Here it is:
> > >
> > > # doveadm auth u...@domain.com
> > > Password:
> > > passdb: chekalin_...@ascon.ru auth succeeded
> > > extra fields:
> > >   user=u...@domain.com
> > >   proxy
> > >   host=10.10.14.131
> > >   ssl=no
> > >   startssl=no
> > >   source_ip=10.10.14.2
> > >   proxy
> > >   proxy
> > >   pass=password
> > >
> > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > > passdb.
> > >
> > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi  wrote:
> > >
> > > > Can you provide output of
> > > >
> > > > doveadm auth test some-user
> > > > Aki
> > > >
> > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > >
> > > > Dear Aki,
> > > >
> > > > we keep our users in LDAP so I when I even return 'proxy
> > host=backend_ip
> > > > tls=no' it won't use non-TLS connection. The same is when I remove
> > 'tls=no'
> > > > part. May there be any extra things I need to pass when I use LDAP?
> > > >
> > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> > wrote:
> > > >
> > > >>
> > > >>
> > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > >> > Hi,
> > > >> >
> > > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > > >> > several dovecot-based backend servers. I want external clients who
> > > >> > connects to this proxy Dovecot to use TLS (this is easy to set up)
> > > >> > while want to have unsecured (plain IMAP/POP) connections to
> > backends.
> > > >> >
> > > >> > You see, links to backends are over LAN so no TLS needed, and these
> > > > >> > backends are poor old machines (with old Dovecots like 2.0.6) this
> > is
> > > > >> > why I don't want to use TLS to access backends.
> > > >> >
> > > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > > >> > connect to backends. Is there any way I can specify this aspect of
> > > >> > Dovecot proxy?
> > > >> >
> > > > >> > Please advise!
> > > >> >
> > > >> > Yours,
> > > >> >   Alexander
> > > >>
> > > >> Dovecot does not use TLS/SSL when connecting to a backend server by
> > > >> default, you are probably specifying this in your proxy config or
> > > >> password database.
> > > >>
> > > >> Aki
> > > >>
> > > >
> > > >
> >


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Alexander Chekalin
Thank you!

Ok, so I can omit ssl=no and startssl=no, and this results in default
settings for ssl which is 'off'? Or the defaults are 'on' anyway?

Can I somehow specify ports on remote hosts that proxy will use to connect
to? Like (just imagine): 'proxy host_imap=10.1.1.1:143 host_pop=10.1.1.1:110'
or somehow?




On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi  wrote:

> Due to certain design issues, the ssl=no is actually same as ssl=yes, same
> goes for starttls=no. So there is no support actually for "ssl=no" at this
> moment.
>
> Aki
>
> > On 17 September 2018 at 15:32 Alexander Chekalin <
> alexander.cheka...@gmail.com> wrote:
> >
> >
> > Surely.
> >
> > Here it is:
> >
> > # doveadm auth u...@domain.com
> > Password:
> > passdb: chekalin_...@ascon.ru auth succeeded
> > extra fields:
> >   user=u...@domain.com
> >   proxy
> >   host=10.10.14.131
> >   ssl=no
> >   startssl=no
> >   source_ip=10.10.14.2
> >   proxy
> >   proxy
> >   pass=password
> >
> > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > passdb.
> >
> > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi  wrote:
> >
> > > Can you provide output of
> > >
> > > doveadm auth test some-user
> > > Aki
> > >
> > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > >
> > > Dear Aki,
> > >
> > > we keep our users in LDAP so I when I even return 'proxy
> host=backend_ip
> > > tls=no' it won't use non-TLS connection. The same is when I remove
> 'tls=no'
> > > part. May there be any extra things I need to pass when I use LDAP?
> > >
> > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi 
> wrote:
> > >
> > >>
> > >>
> > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > >> > Hi,
> > >> >
> > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > >> > several dovecot-based backend servers. I want external clients who
> > >> > connects to this proxy Dovecot to use TLS (this is easy to set up)
> > >> > while want to have unsecured (plain IMAP/POP) connections to
> backends.
> > >> >
> > >> > You see, links to backends are over LAN so no TLS needed, and these
> > > >> > backends are poor old machines (with old Dovecots like 2.0.6) this
> is
> > > >> > why I don't want to use TLS to access backends.
> > >> >
> > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > >> > connect to backends. Is there any way I can specify this aspect of
> > >> > Dovecot proxy?
> > >> >
> > > >> > Please advise!
> > >> >
> > >> > Yours,
> > >> >   Alexander
> > >>
> > >> Dovecot does not use TLS/SSL when connecting to a backend server by
> > >> default, you are probably specifying this in your proxy config or
> > >> password database.
> > >>
> > >> Aki
> > >>
> > >
> > >
>


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Admin


> On Sep 17, 2018, at 6:59 AM, Alexander Chekalin 
>  wrote:
> 
> Hi,
> 
> I try to set up dovecot as a proxy server, to proxy requests to several 
> dovecot-based backend servers. I want external clients who connects to this
> proxy Dovecot to use TLS (this is easy to set up) while want to have 
> unsecured (plain IMAP/POP) connections to backends.
> 
> You see, links to backends are over LAN so no TLS needed, and these backends 
> are poor old machines (with old Dovecots like 2.0.6) this is why I don't want
> to use TLS to access backends.

A better security practice would be to also use TLS to the backend. You want a 
defense in depth rather than a "crunchy shell around a soft, chewy center."

Jim


Re: Proxy secured incoming POP3/IMAP4 to unsecure backend?

2018-09-17 Thread Aki Tuomi



On 17.09.2018 13:59, Alexander Chekalin wrote:
> Hi,
>
> I try to set up dovecot as a proxy server, to proxy requests to
> several dovecot-based backend servers. I want external clients who
> connects to this proxy Dovecot to use TLS (this is easy to set up)
> while want to have unsecured (plain IMAP/POP) connections to backends.
>
> You see, links to backends are over LAN so no TLS needed, and these
> backends are poor old machines (with old Dovecots like 2.0.6) this is
> why I don't want to use TLS to access backends.
>
> But as I did the test setup I can see proxy Dovecot uses TLS to
> connect to backends. Is there any way I can specify this aspect of
> Dovecot proxy?
>
> Please advise!
>
> Yours,
>   Alexander

Dovecot does not use TLS/SSL when connecting to a backend server by
default, you are probably specifying this in your proxy config or
password database.

Aki