I’m in the process of setting up a Dovecot IMAP proxy to handle a number of
IMAP server domains. At the current time, I have my users divided into 70
different groups of users (call them G1 to G70). I want each group to configure
their email client to access their mailboxes at a domain name based on the
group they belong to (e.g., g1.example.com <http://g1.example.com/>,
g2.example.com <http://g2.example.com/>, …, g70.example.com
<http://g70.example.com/>). I will only support TLS encrypted IMAP connections
to the Dovecot IMAP proxy (‘ssl=yes’ in the inet_listener). My SSL cert has
alternate names for all 70 group domain names.
I want the group domain to only support users that have been assigned to the
group the domain name represents. That is, a user assigned to G23 would only be
allowed to configure their email client for the IMAP server named
My solution during testing has been to have the Dovecot IMAP proxy to listen on
different ports: 9930-9999. I plan to purchase 70 IPs, one for each group, and
redirect traffic on port 993 to the appropriate Dovecot IMAP proxy port based
on the IP I assign to the group domain name in the site’s DNS. The SQL for
handling the IMAP login uses the port number of the inet_listener
I think this could work in production, but it will cost me extra to rent the 70
IPs and might be a pain to manage. Eventually, I would like to have over 5,000
groups so requiring an IP per group is less than ideal. I also think having
Dovecot IMAP proxy have 5,000 inet_listeners might not work so well or might
create too many threads/processes/ports to fit on a small proxy server.
I would rather have 1 public IP for each Dovecot IMAP proxy and somehow
communicate to the userdb which group domain name was configured in the email
client so only the users assigned to this group can login with that username.
Anyone have any ideas?
For HTTP traffic, it is easy to query the host in the HTTP Request, but I don’t
think IMAP traffic has such host info in it. Does the Dovecot IMAP proxy
receive the hostname from the email client when exchanging SSL certs (like SNI
Or, maybe I should have group domain in the username used to log in with (e.g.,
username+...@example.com <mailto:username+...@example.com> or
usern...@g23.example.com <mailto:usern...@g23.example.com>). I don’t like to
make the user configure their email client to log in with a name that is
different than their mailbox address. It is simpler to just have them configure
their email client with usern...@example.com <mailto:usern...@example.com> for
both authorization and for the from/sender headers in the messages.
Anyway, any ideas of how to set this up in production?