I’m in the process of setting up a Dovecot IMAP proxy to handle a number of 
IMAP server domains. At the current time, I have my users divided into 70 
different groups of users (call them G1 to G70). I want each group to configure 
their email client to access their mailboxes at a domain name based on the 
group they belong to (e.g., g1.example.com, g2.example.com, …, g70.example.com). 
I will only support TLS encrypted IMAP connections to the Dovecot IMAP proxy 
(‘ssl=yes’ in the inet_listener). My SSL cert has alternate names for all 70 
group domain names.

I want the group domain to only support users that have been assigned to the 
group the domain name represents. That is, a user assigned to G23 would only be 
allowed to configure their email client for the IMAP server named 
g23.example.com.

My solution during testing has been to have the Dovecot IMAP proxy listen on 
different ports: 9930-9999. I plan to purchase 70 IPs, one for each group, and 
redirect traffic on port 993 to the appropriate Dovecot IMAP proxy port based 
on the IP I assign to the group domain name in the site’s DNS. The SQL for 
handling the IMAP login uses the port number of the inet_listener.

I think this could work in production, but it will cost me extra to rent the 70 
IPs and might be a pain to manage. Eventually, I would like to have over 5,000 
groups, so requiring an IP per group is less than ideal. I also think having 
the Dovecot IMAP proxy have 5,000 inet_listeners might not work so well or might 
create too many threads/processes/ports to fit on a small proxy server.

I would rather have 1 public IP for each Dovecot IMAP proxy and somehow 
communicate to the userdb which group domain name was configured in the email 
client so only the users assigned to this group can log in with that username.

Anyone have any ideas?

For HTTP traffic, it is easy to query the host in the HTTP Request, but I don’t 
think IMAP traffic has such host info in it. Does the Dovecot IMAP proxy 
receive the hostname from the email client when exchanging SSL certs (like SNI 
for HTTPS)?

Or, maybe I should have the group domain in the username used to log in with (e.g., 
username+...@example.com or usern...@g23.example.com). I don’t like to 
make the user configure their email client to log in with a name that is 
different from their mailbox address. It is simpler to just have them configure 
their email client with usern...@example.com for both authorization and for the 
from/sender headers in the messages.

Anyway, any ideas of how to set this up in production?
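As an added illustration of the port-based check the poster describes (not the poster's own schema or query, which are not shown), here is what the passdb SQL for the testing setup could look like. The table, column names and sample rows are constructed; `%u` and `%{lport}` are assumed to be Dovecot's login-name and local-port variables as substituted into `password_query` in dovecot-sql.conf.ext, and the `proxy`/`host` fields are the passdb extra fields a Dovecot proxy returns to forward the session to a backend.

```sql
-- Constructed schema: one row per user, carrying the group the user belongs
-- to, the inet_listener port assigned to that group (9930-9999 in the
-- poster's setup) and the backend the proxy should forward the session to.
CREATE TABLE users (
    username     VARCHAR(255) NOT NULL PRIMARY KEY,
    password     VARCHAR(255) NOT NULL,  -- password hash in a Dovecot scheme
    group_id     INT          NOT NULL,  -- 1..70 (G1..G70)
    group_port   INT          NOT NULL,  -- listener port for that group
    backend_host VARCHAR(255) NOT NULL   -- IMAP backend holding the mailbox
);

-- Constructed sample rows (hash values are placeholders, not real hashes).
INSERT INTO users (username, password, group_id, group_port, backend_host) VALUES
  ('alice@example.com', '{SHA512-CRYPT}<hash placeholder>', 23, 9952, 'imap-backend-23.internal'),
  ('bob@example.com',   '{SHA512-CRYPT}<hash placeholder>',  1, 9930, 'imap-backend-01.internal');

-- Assumed password_query for dovecot-sql.conf.ext. Dovecot substitutes %u with
-- the login name and %{lport} with the local port the client connected to.
-- A login for alice arriving on any port other than 9952 matches no row, so
-- authentication fails: the group port, not just the password, gates access.
SELECT
    username     AS user,
    password,
    'y'          AS proxy,
    backend_host AS host
FROM users
WHERE username = '%u'
  AND group_port = %{lport};
```

Because the check is on the listener port, it only holds while each group really has its own port (or IP); the same query shape applies to any other variable that identifies the group at login time, which is the part of the design the post is asking about.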
