Re: Using both starttls and ssl in passdb on proxy results in timeouts

2018-09-18 Thread Aki Tuomi
The problem is that due to how it was done some ages ago, the passdb
result items are treated so that presence means "use it". If you return
'proxy' it means same as 'proxy=y' or 'proxy=yes'.

We are considering changing this so that it would actually require a
k=v type of syntax, but it's going to be a breaking change.

Aki


On 18.09.2018 11:33, Filias Heidt wrote:
> I tried some more things, such as setting starttls=NULL or ssl=NULL, which 
> does the same as setting it to "no". Interestingly, if I set ssl=NULL and 
> don’t set starttls at all, it still tries an SSL connection to the backend. 
>
> Is there no way to use starttls or ssl depending on a variable? It could also 
> be possible that I have starttls-backends and ssl-backends which would be a 
> similar use-case to my sieve-thing, I think.
>
> Cheers,
> Filias
>
>> On 17.09.2018 at 11:54, Filias Heidt wrote:
>>
>> Hi List,
>>
>> I have a dovecot which proxies to different backends depending on an entry 
>> in a mysql-database. The mysql-query sets 'ssl' to 'any-cert' and this works 
>> fine. But this causes me a problem: sieve-backends only support STARTTLS and 
>> if I set 'ssl' to 'any-cert' (or yes), it will attempt a TLS-connection to 
>> the sieve-backends, which fails. 
>>
>> My attempt was to alter the query to include %{real_lport} and return 
>> 'ssl=no' and 'starttls=any-cert' if the port matches the sieve-port. It 
>> works as expected in that it returns the correct values and proxies to the 
>> correct backend. 
>>
>> However it seems that TLS is no longer working and I get timeouts from the 
>> backends.
>>
>> Debug: client passdb out: OK   1   user=someu...@example.com   proxy   
>> proxy_nopipelining=y   host=backend1.example.com   nodelay=y   
>> nologin   starttls=no   ssl=any-cert   hostip=so.me.i.p   pass=
>>
>> results in:
>> Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: 
>> proxy(someu...@example.com): Login for so.me.i.p:993 timed out in 
>> state=/none (after 30 secs, local=lo.cal.i.p:60524): 
>> user=, method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, 
>> TLS, session=
>>
>> My query looks like this:
>> password_query = SELECT host from proxy_domain, NULL as password, 'y' as 
>> nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y' 
>> as nodelay, 'y' as nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as 
>> 'starttls', IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl';
>>
>> As soon as I remove the starttls-part and the passdb only returns 
>> ssl=any-cert (without starttls=no) it works flawlessly.
>>
>> Is it possible that I am attacking the problem the wrong way? Or is it not 
>> possible to set both starttls and ssl to some values in passdb and 
>> enable/disable them as needed? 
>>
>> Thanks for any input :)
>>
>> Cheers,
>> Filias
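Aki's point above (a passdb key that is present counts as set, whatever its value, so `proxy`, `proxy=y` and `proxy=yes` are the same) modelled as an added Python example; this is not code from the thread or from Dovecot itself. It parses the "client passdb out" debug line quoted in the thread, with its tab separators restored, applies the presence rule and reports what the two query shapes produce. `fields_for_port_omit`, which emits only the key that should be active, is my own assumption about what the presence rule implies; the thread does not confirm how to make the SQL passdb drop a column per row, and the reporter says returning NULL behaved the same as 'no' for him.

```python
"""Model of the passdb extra-field presence semantics described in the thread."""

# Constructed copy of the debug line from the thread, tabs restored and the
# redacted placeholders kept exactly as the reporter posted them.
SAMPLE_PASSDB_OUT = (
    "OK\t1\tuser=someu...@example.com\tproxy\tproxy_nopipelining=y\t"
    "host=backend1.example.com\tnodelay=y\tnologin\tstarttls=no\t"
    "ssl=any-cert\thostip=so.me.i.p\tpass="
)

SIEVE_PORT = 4190  # the port the reporter's IF() expressions compare against


def parse_passdb_out(line):
    """Split a 'client passdb out' line into (status, request id, fields).

    A bare item such as 'proxy' is stored with value None; 'key=' gives ''.
    """
    status, req_id, *items = line.split("\t")
    fields = {}
    for item in items:
        key, sep, value = item.partition("=")
        fields[key] = value if sep else None
    return status, req_id, fields


def flag_enabled(fields, key):
    """Presence semantics from the thread: a key that is present is 'on'
    regardless of its value, so 'starttls=no' still requests STARTTLS."""
    return key in fields


def proxy_tls_mode(fields):
    """Which backend handshake the presence rule selects. Both keys present
    is the ambiguous case the reporter hits with 'starttls=no ssl=any-cert'."""
    starttls = flag_enabled(fields, "starttls")
    ssl = flag_enabled(fields, "ssl")
    if starttls and ssl:
        return "conflict"
    if starttls:
        return "starttls"
    if ssl:
        return "ssl"
    return "plaintext"


def fields_for_port(real_lport):
    """Dict-shaped equivalent of the reporter's query: both keys are always
    returned, and the inactive one is set to 'no'."""
    return {
        "starttls": "any-cert" if real_lport == SIEVE_PORT else "no",
        "ssl": "no" if real_lport == SIEVE_PORT else "any-cert",
    }


def fields_for_port_omit(real_lport):
    """Assumed alternative shape (not confirmed in the thread): return only
    the key that should be active, so the other one is absent, not 'no'."""
    if real_lport == SIEVE_PORT:
        return {"starttls": "any-cert"}
    return {"ssl": "any-cert"}


if __name__ == "__main__":
    _, _, fields = parse_passdb_out(SAMPLE_PASSDB_OUT)
    print("quoted debug line ->", proxy_tls_mode(fields))
    for port in (SIEVE_PORT, 993):
        print(f"port {port}: both keys -> {proxy_tls_mode(fields_for_port(port))},"
              f" active key only -> {proxy_tls_mode(fields_for_port_omit(port))}")
```

Running it shows that under the presence rule the reporter's query yields a starttls/ssl conflict for every port, which matches the observation that dropping the starttls column makes the proxy work again.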



Re: Using both starttls and ssl in passdb on proxy results in timeouts

2018-09-18 Thread Filias Heidt
I tried some more things, such as setting starttls=NULL or ssl=NULL, which does 
the same as setting it to "no". Interestingly, if I set ssl=NULL and don’t set 
starttls at all, it still tries an SSL connection to the backend. 

Is there no way to use starttls or ssl depending on a variable? It could also 
be possible that I have starttls-backends and ssl-backends which would be a 
similar use-case to my sieve-thing, I think.

Cheers,
Filias

> On 17.09.2018 at 11:54, Filias Heidt wrote:
> 
> Hi List,
> 
> I have a dovecot which proxies to different backends depending on an entry in 
> a mysql-database. The mysql-query sets 'ssl' to 'any-cert' and this works 
> fine. But this causes me a problem: sieve-backends only support STARTTLS and 
> if I set 'ssl' to 'any-cert' (or yes), it will attempt a TLS-connection to 
> the sieve-backends, which fails. 
> 
> My attempt was to alter the query to include %{real_lport} and return 
> 'ssl=no' and 'starttls=any-cert' if the port matches the sieve-port. It works 
> as expected in that it returns the correct values and proxies to the correct 
> backend. 
> 
> However it seems that TLS is no longer working and I get timeouts from the 
> backends.
> 
> Debug: client passdb out: OK   1   user=someu...@example.com   proxy   
> proxy_nopipelining=y   host=backend1.example.com   nodelay=y   
> nologin   starttls=no   ssl=any-cert   hostip=so.me.i.p   pass=
> 
> results in:
> Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: 
> proxy(someu...@example.com): Login for so.me.i.p:993 timed out in state=/none 
> (after 30 secs, local=lo.cal.i.p:60524): user=, 
> method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS, 
> session=
> 
> My query looks like this:
> password_query = SELECT host from proxy_domain, NULL as password, 'y' as 
> nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y' as 
> nodelay, 'y' as nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as 
> 'starttls', IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl';
> 
> As soon as I remove the starttls-part and the passdb only returns 
> ssl=any-cert (without starttls=no) it works flawlessly.
> 
> Is it possible that I am attacking the problem the wrong way? Or is it not 
> possible to set both starttls and ssl to some values in passdb and 
> enable/disable them as needed? 
> 
> Thanks for any input :)
> 
> Cheers,
> Filias



Using both starttls and ssl in passdb on proxy results in timeouts

2018-09-17 Thread Filias Heidt
Hi List,

I have a dovecot which proxies to different backends depending on an entry in a 
mysql-database. The mysql-query sets 'ssl' to 'any-cert' and this works fine. 
But this causes me a problem: sieve-backends only support STARTTLS and if I set 
'ssl' to 'any-cert' (or yes), it will attempt a TLS-connection to the 
sieve-backends, which fails. 

My attempt was to alter the query to include %{real_lport} and return 'ssl=no' 
and 'starttls=any-cert' if the port matches the sieve-port. It works as 
expected in that it returns the correct values and proxies to the correct 
backend. 

However it seems that TLS is no longer working and I get timeouts from the 
backends.

Debug: client passdb out: OK   1   user=someu...@example.com   proxy   
proxy_nopipelining=y   host=backend1.example.com   nodelay=y   nologin   
starttls=no   ssl=any-cert   hostip=so.me.i.p   pass=

results in:
Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: 
proxy(someu...@example.com): Login for so.me.i.p:993 timed out in state=/none 
(after 30 secs, local=lo.cal.i.p:60524): user=, 
method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS, 
session=

My query looks like this:
password_query = SELECT host from proxy_domain, NULL as password, 'y' as 
nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y' as 
nodelay, 'y' as nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as 
'starttls', IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl';

As soon as I remove the starttls-part and the passdb only returns ssl=any-cert 
(without starttls=no) it works flawlessly.

Is it possible that I am attacking the problem the wrong way? Or is it not 
possible to set both starttls and ssl to some values in passdb and 
enable/disable them as needed? 

Thanks for any input :)

Cheers,
Filias