Re: Director & Master Users

2018-02-16 Thread Travis Dolan
Hello Sami,

Thanks for the info. I have the following implemented and working.

I am only using the Director nodes to map users to the same backend server. I
perform all auth and message delivery/retrieval on the backend servers.

Director Nodes:

auth_master_user_separator = *

passdb {
  driver = passwd-file
  args = /etc/dovecot/conf.d/lasso-master-user-password
  master = yes
  pass = yes
}

passdb {
  driver = static
  args = proxy=y nopassword=y password=doesnotmatter
}

Backend Nodes:

auth_master_user_separator = *

passdb {
  driver = passwd-file
  args = /etc/dovecot/conf.d/master-user-password
  master = yes
  pass = yes
}

passdb {
  driver = sql
  args = /etc/dovecot/conf.d/sql.conf.ext
}

userdb {
  driver = sql
  args = /etc/dovecot/conf.d/sql.conf.ext
}

userdb {
  driver = prefetch
}

I have read the docs that state configuring Director in this way can expose
the service to issues if large numbers of unknown-user requests are sent to
the Director nodes. I can manage this risk by ensuring proper rate limiting is
in place in the load balancers in front of the Director nodes.

I would love to hear your thoughts on the configuration.

Thanks in advance.

On Feb 16 2018, at 3:02 am, Sami Ketola wrote:

>> On 15 Feb 2018, at 22.16, Travis Dolan <travis.do...@gmail.com> wrote:
>>
>> It would look as though the changes have now negatively affected a "normal"
>> user from logging in.
>>
>> telnet host 143
>>
>> a login username password
>>
>> a NO [AUTHENTICATIONFAILED] Authentication failed.
>>
>> telnet host 143
>>
>> 1 login devteam*masteru...@example.com password
>>
>> 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>> SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
>> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS
>> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
>> CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in
>>
>> What do you think?
>
> So your director is the first entry point where the end users connect?
>
> In that case your director should have passdb setup that verifies the user
> password and then switches the session to use master password when
> forwarding the connection to backend.
>
> something like this in director:
>
> passdb {
>   driver = passwd-file
>   args = /data/mail.passwd
>   result_success = continue-ok
> }
>
> passdb {
>   driver = static
>   args = pass=masterpassword
>   skip = unauthenticated
> }
>
> and in backend:
>
> passdb {
>   driver = static
>   args = password=masterpassword
> }
>
> Sami


Re: Director & Master Users

2018-02-15 Thread Sami Ketola


> On 15 Feb 2018, at 22.16, Travis Dolan  wrote:
> 
> It would look as though the changes have now negatively affected a "normal" 
> user from logging in.
> 
> 
> telnet host 143
> 
> a login username password
> 
> 
> a NO [AUTHENTICATIONFAILED] Authentication failed.
> 
> 
> telnet host 143
> 
> 1 login devteam*masteru...@example.com password
> 
> 
> 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
> SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT 
> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS 
> LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN 
> CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in
> 
> 
> What do you think?
> 

So your director is the first entry point where the end users connect?

in that case your director should have passdb setup that verifies the user 
password and then 
switches the session to use master password when forwarding the connection to 
backend.

something like this in director:

passdb {
  driver = passwd-file
  args = /data/mail.passwd
  result_success = continue-ok
}

passdb {
  driver = static
  args = pass=masterpassword 
  skip = unauthenticated
}


and in backend:

passdb {
  driver = static
  args = password=masterpassword
}

Sami
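
An added example, not code from this thread or from Dovecot, that reads the
director and backend passdb fragments posted above (Travis's final config and
Sami's master-password variant, embedded below as constructed input) and reports
the properties that decide where an end user's password is actually checked and
which credential reaches the backend: whether the director verifies the password
itself, whether the client's plaintext password or a fixed pass=... secret is
forwarded, and, for a backend that uses a static passdb, that any username
presenting the shared password is logged in, which is why such a backend should
only be reachable from the directors (that last caveat is the editor's and is
not stated in the thread). The parser handles only the flat key = value syntax
shown in the thread and distinguishes the passdb setting "pass = yes" from the
"pass=..." token inside args.

```python
"""Review Dovecot passdb chains for the proxy/master-password properties discussed in this thread.

Added example: the parser and checks are the editor's, not Dovecot code. The
three configs below are copied from the thread as constructed sample input.
"""
import re
from dataclasses import dataclass, field

# Director as posted by Travis (2018-02-16): master passdb, then a blind proxy passdb.
DIRECTOR_TRAVIS = """
auth_master_user_separator = *
passdb {
  driver = passwd-file
  args = /etc/dovecot/conf.d/lasso-master-user-password
  master = yes
  pass = yes
}
passdb {
  driver = static
  args = proxy=y nopassword=y password=doesnotmatter
}
"""

# Director as suggested by Sami: verify the user locally, then switch to a master password.
DIRECTOR_SAMI = """
passdb {
  driver = passwd-file
  args = /data/mail.passwd
  result_success = continue-ok
}
passdb {
  driver = static
  args = pass=masterpassword
  skip = unauthenticated
}
"""

# Backend as suggested by Aki and Sami: one shared static password.
BACKEND_STATIC = """
passdb {
  driver = static
  args = password=masterpassword
}
"""


@dataclass
class Passdb:
    driver: str = ""
    args: dict = field(default_factory=dict)      # tokens of the args line; bare tokens map to ""
    settings: dict = field(default_factory=dict)  # other key = value lines (master, pass, skip, ...)


def parse_passdbs(config_text):
    """Return the passdb blocks in order of appearance (Dovecot tries them in that order)."""
    blocks = []
    for body in re.findall(r"passdb\s*\{([^}]*)\}", config_text):
        pdb = Passdb()
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "driver":
                pdb.driver = value
            elif key == "args":
                for tok in value.split():          # e.g. proxy=y nopassword=y, or a bare file path
                    k, _, v = tok.partition("=")
                    pdb.args[k] = v
            else:
                pdb.settings[key] = value
        blocks.append(pdb)
    return blocks


def review(config_text, role):
    """role is "director" or "backend"; returns a list of (code, message) findings."""
    findings = []
    verifies_user = False
    for n, p in enumerate(parse_passdbs(config_text), 1):
        where = f"{role} passdb #{n} ({p.driver})"
        if p.settings.get("master") == "yes":
            findings.append(("MASTER_LOGIN", f"{where}: accepts user<separator>master logins"))
        elif p.driver != "static":
            verifies_user = True   # passwd-file/sql/ldap/... check the user's own password
        if "pass" in p.args:       # args token pass=..., not the "pass = yes" passdb setting
            findings.append(("FORWARDS_FIXED_PASSWORD",
                             f"{where}: backend login uses the fixed pass=... secret kept in this config"))
        if p.args.get("nopassword") == "y" and "pass" not in p.args:
            findings.append(("FORWARDS_CLIENT_PASSWORD",
                             f"{where}: password is not checked here; any username and the "
                             "client's plaintext password are passed on to the backend"))
        if role == "backend" and p.driver == "static" and "password" in p.args:
            findings.append(("ANY_USER_WITH_SHARED_SECRET",
                             f"{where}: any username presenting password {p.args['password']!r} "
                             "is logged in; this port should be reachable from the directors only"))
    if role == "director" and not verifies_user:
        findings.append(("NO_LOCAL_VERIFICATION",
                         "director: no non-master passdb verifies end-user passwords, so "
                         "unknown users are only rejected by the backend"))
    return findings


def codes(findings):
    """Sorted finding codes, convenient for comparing two configurations."""
    return sorted(code for code, _ in findings)


if __name__ == "__main__":
    for name, cfg, role in [("travis director", DIRECTOR_TRAVIS, "director"),
                            ("sami director", DIRECTOR_SAMI, "director"),
                            ("static backend", BACKEND_STATIC, "backend")]:
        print(f"== {name}")
        for code, msg in review(cfg, role):
            print(f"  [{code}] {msg}")
```

Running it side by side shows the trade the thread is discussing: Travis's
director never checks an end user's password and forwards whatever the client
sent, so abuse has to be absorbed by the backends or rate-limited in front of
the directors, while Sami's variant rejects bad passwords at the director but
puts a single shared secret in the director config and makes the backend
accept any username that presents it.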




Re: Director & Master Users

2018-02-15 Thread Travis Dolan
It would look as though the changes have now negatively affected a "normal"
user from logging in.

telnet host 143

a login username password

a NO [AUTHENTICATIONFAILED] Authentication failed.

telnet host 143

1 login devteam*masteru...@example.com password

1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-
EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in

What do you think?

Thanks.

On Feb 15 2018, at 3:19 pm, Travis Dolan wrote:

> Awesome, thanks for the advice. Using the following now works...
>
> passdb {
>   driver = static
>   args = proxy=y password=doesnotmatter
> }
>
> Cheers.
>
> On Feb 15 2018, at 2:40 pm, Aki Tuomi wrote:
>
>>> On 15 February 2018 at 20:22 Travis Dolan wrote:
>>>
>>> Hello,
>>>
>>> I have Director setup to proxy requests to backend servers. This works fine
>>> when using "standard" username/passwords.
>>>
>>> I am now trying to enable the use of the Dovecot Master user through Director
>>> into the backend servers.
>>>
>>> a.) username is being sent as masteruser*username
>>> b.) request hits the proxy and authenticates, and then is passed to the
>>> backend servers and fails auth.
>>>
>>> - logs from proxy/Director point of view.
>>>
>>> auth: Info:
>>> passwd-file(masteruser,172.31.33.224,master,): Master
>>> user logging in as devteam
>>>
>>> imap-login: Info: proxy(devteam): Login failed to backend.servers:143
>>> (master masteruser): [AUTHENTICATIONFAILED] Authentication failed.:
>>> user=, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20,
>>> session=<l6P+sHyHg>
>>>
>>> - logs from backend server point of view.
>>>
>>> imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs):
>>> user=, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99,
>>> session=
>>>
>>> Proxy/Director Configs (hopefully this is enough)
>>>
>>> auth_master_user_separator = *
>>> passdb {
>>>   driver = passwd-file
>>>   args = /etc/dovecot/conf.d/master-user-password
>>>   master = yes
>>>   pass = yes
>>> }
>>>
>>> passdb {
>>>   driver = static
>>>   args = proxy=y nopassword=y
>>> }
>>>
>>> Please let me know if I can provide any further details.
>>>
>>> Thanks in advance.
>>
>> You could consider using "master password" instead.
>>
>> This works so that you configure proxy to use pass=some_static_password as
>> the password forward, and you can then use static passdb in director, as in
>>
>> passdb {
>>   driver = static
>>   args = password=some_static_password
>> }
>>
>> This way you don't need to set up master user authentication.
>>
>> Aki


Re: Director & Master Users

2018-02-15 Thread Travis Dolan
Awesome, thanks for the advice. Using the following now works...

passdb {
  driver = static
  args = proxy=y password=doesnotmatter
}

Cheers.

On Feb 15 2018, at 2:40 pm, Aki Tuomi wrote:

>> On 15 February 2018 at 20:22 Travis Dolan wrote:
>>
>> Hello,
>>
>> I have Director setup to proxy requests to backend servers. This works fine
>> when using "standard" username/passwords.
>>
>> I am now trying to enable the use of the Dovecot Master user through Director
>> into the backend servers.
>>
>> a.) username is being sent as masteruser*username
>> b.) request hits the proxy and authenticates, and then is passed to the
>> backend servers and fails auth.
>>
>> - logs from proxy/Director point of view.
>>
>> auth: Info:
>> passwd-file(masteruser,172.31.33.224,master,): Master
>> user logging in as devteam
>>
>> imap-login: Info: proxy(devteam): Login failed to backend.servers:143
>> (master masteruser): [AUTHENTICATIONFAILED] Authentication failed.:
>> user=, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20,
>> session=<l6P+sHyHg>
>>
>> - logs from backend server point of view.
>>
>> imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs):
>> user=, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99,
>> session=
>>
>> Proxy/Director Configs (hopefully this is enough)
>>
>> auth_master_user_separator = *
>> passdb {
>>   driver = passwd-file
>>   args = /etc/dovecot/conf.d/master-user-password
>>   master = yes
>>   pass = yes
>> }
>>
>> passdb {
>>   driver = static
>>   args = proxy=y nopassword=y
>> }
>>
>> Please let me know if I can provide any further details.
>>
>> Thanks in advance.
>
> You could consider using "master password" instead.
>
> This works so that you configure proxy to use pass=some_static_password as
> the password forward, and you can then use static passdb in director, as in
>
> passdb {
>   driver = static
>   args = password=some_static_password
> }
>
> This way you don't need to set up master user authentication.
>
> Aki


Re: Director & Master Users

2018-02-15 Thread Aki Tuomi

> On 15 February 2018 at 20:22 Travis Dolan  wrote:
> 
> 
> Hello,
> 
> I have Director setup to proxy requests to backend servers. This works fine
> when using "standard" username/passwords.
> 
> I am now trying to enable the use of the Dovecot Master user through Director
> into the backend servers.
> 
> a.) username is being sent as masteruser*username
> b.) request hits the proxy and authenticates, and then is passed to the
> backend servers and fails auth.
> 
> - logs from proxy/Director point of view.
> 
> auth: Info:
> passwd-file(masteruser,172.31.33.224,master,): Master
> user logging in as devteam
> 
> imap-login: Info: proxy(devteam): Login failed to backend.servers:143
> (master masteruser): [AUTHENTICATIONFAILED] Authentication failed.:
> user=, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20,
> session= l6P+sHyHg>
> 
> - logs from backend server point of view.
> 
> imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs):
> user=, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99,
> session=
> 
> 
> Proxy/Director Configs (hopefully this is enough)
> 
> auth_master_user_separator = *
> passdb {
> driver = passwd-file
> args = /etc/dovecot/conf.d/master-user-password
> master = yes
> pass = yes
> }
> 
> passdb {
> driver = static
> args = proxy=y nopassword=y
> }
> 
> Please let me know if I can provide any further details.
> 
> Thanks in advance.

You could consider using "master password" instead.

This works so that you configure proxy to use pass=some_static_password as the 
password forward, and you can then use static passdb in director, as in

passdb {
  driver = static
  args = password=some_static_password 
}

This way you don't need to set up master user authentication.

Aki


Director & Master Users

2018-02-15 Thread Travis Dolan
Hello,

I have Director setup to proxy requests to backend servers. This works fine
when using "standard" username/passwords.

I am now trying to enable the use of the Dovecot Master user through Director
into the backend servers.

a.) username is being sent as masteruser*username
b.) request hits the proxy and authenticates, and then is passed to the
backend servers and fails auth.

- logs from proxy/Director point of view.

auth: Info:
passwd-file(masteruser,172.31.33.224,master,): Master
user logging in as devteam

imap-login: Info: proxy(devteam): Login failed to backend.servers:143
(master masteruser): [AUTHENTICATIONFAILED] Authentication failed.:
user=, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20,
session=

- logs from backend server point of view.

imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs):
user=, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99,
session=


Proxy/Director Configs (hopefully this is enough)

auth_master_user_separator = *
passdb {
driver = passwd-file
args = /etc/dovecot/conf.d/master-user-password
master = yes
pass = yes
}

passdb {
driver = static
args = proxy=y nopassword=y
}

Please let me know if I can provide any further details.

Thanks in advance.
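
An added example, not from the thread and not a Dovecot tool: the manual
"telnet host 143" logins used in this thread (a plain "login username
password", then "login devteam*masteruser password") as a script on top of
Python's imaplib, so the same pair of logins can be run against a director and
directly against a backend and the [AUTHENTICATIONFAILED] replies compared with
the director-side and backend-side log lines above. Host names, ports and
credentials are placeholders; the user*masteruser login form follows the login
line shown in the thread; whether plaintext LOGIN is accepted on port 143
depends on the server's disable_plaintext_auth setting, so a STARTTLS option is
included.

```python
"""Probe IMAP logins the way the thread does by hand: plain user, then user*masteruser.

Added example by the editor; hosts, users and passwords are placeholders.
"""
import imaplib
import re
import socket
import sys

# Leading bracketed response code of a server reply, e.g. [AUTHENTICATIONFAILED] or [CAPABILITY ...]
RESPONSE_CODE = re.compile(r"^\[([A-Z0-9=-]+)")


def master_login_name(user, master_user, separator="*"):
    """Login name for a master-user login, <user><auth_master_user_separator><master>,
    matching the devteam*masteruser form used in the thread."""
    return f"{user}{separator}{master_user}"


def response_code(server_text):
    """Extract the IMAP response code from a tagged reply, or "" if there is none."""
    m = RESPONSE_CODE.match(server_text.strip())
    return m.group(1) if m else ""


def _text(value):
    """imaplib hands back bytes for server text; normalise to str."""
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else str(value)


def try_login(host, user, password, port=143, starttls=False, timeout=5.0):
    """Attempt LOGIN and return (ok, server_text, code); ok is True only for a tagged OK."""
    socket.setdefaulttimeout(timeout)       # imaplib has no per-connection timeout before 3.9
    try:
        conn = imaplib.IMAP4(host, port)
    except OSError as exc:
        return False, f"connect failed: {exc}", "CONNECT"
    try:
        if starttls:
            conn.starttls()                 # do not send LOGIN in the clear across untrusted networks
        typ, data = conn.login(user, password)
        text = _text(data[0]) if data else typ
        return typ == "OK", text, response_code(text)
    except imaplib.IMAP4.error as exc:      # raised for a NO reply, e.g. [AUTHENTICATIONFAILED]
        text = _text(exc.args[0]) if exc.args else str(exc)
        return False, text, response_code(text)
    finally:
        try:
            conn.logout()
        except Exception:
            pass


def compare_hosts(hosts, user, password, master_user, master_password, **kw):
    """Run both logins against every host (a director and a backend, say) and return
    {host: {"user": (ok, code), "master": (ok, code)}} for side-by-side review."""
    results = {}
    for host in hosts:
        ok_u, _, code_u = try_login(host, user, password, **kw)
        ok_m, _, code_m = try_login(host, master_login_name(user, master_user),
                                    master_password, **kw)
        results[host] = {"user": (ok_u, code_u), "master": (ok_m, code_m)}
    return results


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: imap_login_check.py HOST USER PASSWORD MASTER_USER MASTER_PASSWORD")
    host, user, pw, muser, mpw = sys.argv[1:]
    for name, (ok, code) in compare_hosts([host], user, pw, muser, mpw)[host].items():
        print(f"{host} {name:6s} {'OK' if ok else 'NO'} {code}")
```

Run it once against the director and once against a backend with the same
arguments: a "user" row that fails at the director but succeeds at the backend
points at the director passdb chain, while a "master" row that fails only at the
backend reproduces the "Login failed to backend ... (master masteruser)" line
in the director log above.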