Dovecot Proxy with OAuth2 Setting Question

2021-11-07 Thread 梅津 晴康
Hi

I'm setting up a Dovecot Proxy Server to access Gmail.
But it doesn't work.

I tried to configure Dovecot without proxy authentication.

passdb {
  driver = static
  args = nopassword=y proxy=y proxy_mech=xoauth2 ...
}

It works fine. So far so good.
But with proxy authentication it does not work.

Many clients don't support Oauth2, so Dovecot needs to authenticate for them.

Please tell me how to set up Dovecot Proxy with OAuth2.

Reference
https://doc.dovecot.org/configuration_manual/authentication/oauth2/

Dovecot 2.3.8

HAL Pyoco


Re: Local auth works with dovecot-proxy, remote does not

2021-08-30 Thread Camilo Sperberg
I think I have found the issue: I'm missing the auth_proxy_self setting:

https://doc.dovecot.org/configuration_manual/authentication/proxies/

When I set this to the IP of the server, it seems to perform the
authentication without issues for webmail as well as for external clients such as
Thunderbird.

Greetings,
Camilo Sperberg

On Tue, Aug 24, 2021 at 2:37 PM Camilo Sperberg  wrote:

> Hi list!
>
> I've configured dovecot-proxy to redirect users to another server if their
> data is indeed on that other server.
>
> Webmail (which runs on the same machine) works perfectly fine, but clients
> such as Thunderbird and Outlook do not work as intended. I suspect it to be
> a problem with the IP that dovecot-proxy sees, but I can't figure out what
> is wrong: I've already done a lot of Googling and also tried to change the
> login_trusted_networks value, but to no avail.
>
> I've enabled debug log and here is the relevant part of a call that fails
> and another one that succeeds (FYI 10.164.0.3 is the machine that is doing
> the proxying and where webmail is located, 10.164.0.20 is the 'node', these
> logs come from that node, doveconf -n is also provided in the gist):
> https://gist.github.com/unreal4u/64de0f05b6e3b98034cdb0ae52ce1196
>
> So as far as I can interpret the logs, in the failure case it is basically
> saying it should go to the node, despite it already being on that node:
> Aug 24 11:29:07 mail-node-2 dovecot: auth: Debug: client passdb out:
> OK#0112#011user=m...@xx.xx
> #011host=10.164.0.20#011port=143#011proxy#011pass=
>
> In the success case, I don't see any mention of a proxy:
> Aug 24 11:35:21 mail-node-2 dovecot: auth: Debug: client passdb out:
> OK#0116#011user=m...@x.xx
>
>
> What am I missing here? Has this something to do with
> authentication-allow-nets or authentication-allow-real-nets ? If so: where
> to define it? Is there something else I'm missing?
>
> Thanks in advance for your help,
> Camilo Sperberg
>
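The self-proxy case Camilo hit above, as an added example that is not part of the thread or of Dovecot itself: a small Python scanner over `client passdb out:` debug lines that parses the tab-separated fields (syslog shows the tab as `#011`) and classifies each reply the way the auth_proxy_self check does. The log lines, user names and the list of the node's own addresses are constructed for the example; 10.164.0.20 is the node address from the thread.

```python
"""Classify Dovecot 'client passdb out:' debug lines to spot a proxy that
points at itself.

Added example, not code from the Dovecot project or from the thread above.
It models the decision Dovecot's login process makes when a passdb reply
carries proxy + host: if host is listed in auth_proxy_self, the proxy flag
is dropped and the login is handled locally; otherwise Dovecot connects to
host.  A reply whose host is this very machine but is not covered by
auth_proxy_self therefore makes the node proxy to itself, which is what the
thread's failing log line shows.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample lines in the same shape as the thread's log; the users
# are made up, 10.164.0.20 is the node from the thread.
SAMPLE_LOG = """\
Aug 24 11:29:07 mail-node-2 dovecot: auth: Debug: client passdb out: OK#0112#011user=alice@example.test#011host=10.164.0.20#011port=143#011proxy#011pass=
Aug 24 11:35:21 mail-node-2 dovecot: auth: Debug: client passdb out: OK#0116#011user=bob@example.test
Aug 24 11:36:02 mail-node-2 dovecot: auth: Debug: client passdb out: OK#0117#011user=carol@example.test#011host=10.164.0.21#011port=143#011proxy#011pass=
"""

PASSDB_OUT = re.compile(r"client passdb out: (?P<reply>\S.*)$")


@dataclass
class PassdbReply:
    status: str                                           # OK / FAIL / NOTFOUND
    request_id: str
    fields: Dict[str, str] = field(default_factory=dict)  # bare flags map to ""


def parse_passdb_out(line: str) -> Optional[PassdbReply]:
    """Parse one 'client passdb out:' line; return None for unrelated lines."""
    m = PASSDB_OUT.search(line)
    if m is None:
        return None
    parts = m.group("reply").split("#011")
    if len(parts) < 2:
        return None
    fields: Dict[str, str] = {}
    for item in parts[2:]:
        key, _, value = item.partition("=")
        fields[key] = value
    return PassdbReply(parts[0], parts[1], fields)


def classify(reply: PassdbReply, own_addresses: Sequence[str],
             auth_proxy_self: Sequence[str] = ()) -> str:
    """Return 'local', 'proxy' or 'self-proxy' for one passdb reply.

    own_addresses: every address this node listens on (constructed input).
    auth_proxy_self: the value configured in dovecot.conf, if any.
    """
    if "proxy" not in reply.fields:
        return "local"
    host = reply.fields.get("host", "")
    if host in auth_proxy_self:
        return "local"        # proxy flag dropped: destination is this node
    if host in own_addresses:
        return "self-proxy"   # would connect back to itself: the failure case
    return "proxy"


def scan_log(text: str, own_addresses: Sequence[str],
             auth_proxy_self: Sequence[str] = ()) -> List[Tuple[str, str, str]]:
    """Return (request_id, user, classification) for every successful reply."""
    results = []
    for line in text.splitlines():
        reply = parse_passdb_out(line)
        if reply is None or reply.status != "OK":
            continue
        results.append((reply.request_id, reply.fields.get("user", ""),
                        classify(reply, own_addresses, auth_proxy_self)))
    return results


if __name__ == "__main__":
    node = ["10.164.0.20"]
    for configured in ([], ["10.164.0.20"]):
        print(f"auth_proxy_self = {' '.join(configured) or '(unset)'}")
        for rid, user, verdict in scan_log(SAMPLE_LOG, node, configured):
            print(f"  request {rid}: {user}: {verdict}")
```

Run against a real log, `own_addresses` should be every address the node's login services bind to; a `self-proxy` verdict means the passdb hands back a host that is this node while auth_proxy_self does not cover it.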


Local auth works with dovecot-proxy, remote does not

2021-08-24 Thread Camilo Sperberg
Hi list!

I've configured dovecot-proxy to redirect users to another server if their
data is indeed on that other server.

Webmail (which runs on the same machine) works perfectly fine, but clients
such as Thunderbird and Outlook do not work as intended. I suspect it to be
a problem with the IP that dovecot-proxy sees, but I can't figure out what
is wrong: I've already done a lot of Googling and also tried to change the
login_trusted_networks value, but to no avail.

I've enabled debug log and here is the relevant part of a call that fails
and another one that succeeds (FYI 10.164.0.3 is the machine that is doing
the proxying and where webmail is located, 10.164.0.20 is the 'node', these
logs come from that node, doveconf -n is also provided in the gist):
https://gist.github.com/unreal4u/64de0f05b6e3b98034cdb0ae52ce1196

So as far as I can interpret the logs, in the failure case it is basically
saying it should go to the node, despite it already being on that node:
Aug 24 11:29:07 mail-node-2 dovecot: auth: Debug: client passdb out:
OK#0112#011user=m...@xx.xx
#011host=10.164.0.20#011port=143#011proxy#011pass=

In the success case, I don't see any mention of a proxy:
Aug 24 11:35:21 mail-node-2 dovecot: auth: Debug: client passdb out:
OK#0116#011user=m...@x.xx


What am I missing here? Has this something to do with
authentication-allow-nets or authentication-allow-real-nets ? If so: where
to define it? Is there something else I'm missing?

Thanks in advance for your help,
Camilo Sperberg


Re: Dovecot Proxy

2020-09-02 Thread Thoralf Rickert-Wendt
I think I've got a response on Serverfault that helps me, and I'd like to 
give a complete example here. I was able to proxy IMAP and Submission 
with the following settings:


dovecot.conf:

ssl_cert = 
password_query = SELECT NULL as password, 'y' as nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, host, 'y' as nodelay, 'y' as nologin, 'any-cert' as 'starttls' FROM proxy_domain WHERE domain = '%d';

# eof


The solution is to not use SSL but STARTTLS/TLS for all protocols.

Would it be a good idea to write that into the documentation?

bye
Thoralf


On 01.09.20 at 13:59, Thoralf Rickert-Wendt wrote:


Hi Philon,

now, it's time for "Mahlzeit" ;-)

Sorry that I read wiki1 instead of wiki2. I thought the 1 meant 
that it is server one of ... my fault. Also for not reading the first line 
above the menu. My focus was really on the content. ;-)


Also my problem with the doc of the Dovecot2 proxy is that the document 
https://doc.dovecot.org/configuration_manual/authentication/proxies/ 
has fewer details for a domain-only example. That works as in the 
Dovecot1 doc, but it isn't documented anymore. Also the location under 
the "authentication" chapter in the Wiki didn't tell me that this is the 
"new Dovecot proxy documentation". I thought this was only related to 
authentication issues. I would recommend either restructuring the 
wiki2 so that it is clearer to the user, or making some notes on 
https://doc.dovecot.org/admin_manual/dovecot_proxy/ and linking to the 
passdb setting on 
https://doc.dovecot.org/configuration_manual/forwarding_parameters/ 
and 
https://doc.dovecot.org/configuration_manual/authentication/proxies/. 
Maybe there are other documents related to Proxy too, like the SNI 
settings etc. But maybe I'm the only one on the planet who tries to 
use that. It feels a little bit like that.


The Director would be interesting if all the mailservers in the 
backend knew each other. But that's not the case. Mailserver A 
and Mailserver B are hosting completely different domains with a 
completely different user list and completely different user admins, etc. 
Also mailcow doesn't enable the director. So it will not help much. 
But it could be interesting if I have multiple proxies.


Yes, the submission service inside Dovecot is there. And I tried to 
avoid installing multiple "programs", and if there is one "program" 
that handles it all, why not use it. And I'd like to quote the first 
line of the Dovecot proxy doc: "Dovecot supports proxying IMAP, POP3, 
Submission Server 
<https://doc.dovecot.org/admin_manual/submission_server/#submission-server>, 
LMTP Server 
<https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/#lmtp-server>, 
and Pigeonhole ManageSieve Server 
<https://doc.dovecot.org/admin_manual/pigeonhole_managesieve_server/#pigeonhole-managesieve-server> 
connections to other hosts.".


Also I tried to open the Dovecot authentication mechanism for postfix 
(for submission) with



service auth {
  user = root
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

And on Postfix part with

smtpd_sasl_auth_enabled = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

But the postfix login is always accepted (even with wrong passwords) 
and after I start to write a mail the connection gets lost after the RCPT 
command. There is another problem. Before I investigate it, I would 
try my luck with Dovecot. It is already asking the correct backend 
submission server but with SSL on a non-SSL port.


So - someone included the Submission protocol in Dovecot and someone 
wrote that the submission could be proxied - but - it's not completely 
documented or "it doesn't work" within an SSL environment. I searched 
for a simple example where IMAP and POP3 are proxied via SSL and 
Submission too (which would mean that Dovecot submission listens on 
465) or via STARTTLS on 587 and redirecting it also to STARTTLS/587. 
But I didn't find anything. Also the submission documentation doesn't 
help, because I can't see any line of a configuration file in it.


Ok, but first - lunchtime.

bye
Thoralf

On 01.09.20 at 09:43, Philon wrote:

Hi Thoralf,

I’d say first of all you should read the current docs for 2.x not the archived 
stuff. —>https://wiki2.dovecot.org/  - (It’s even mentioned in bold in the 
header)

Then to front multiple backends perhaps you want to take a look at Dovecot 
Director. —>https://wiki2.dovecot.org/Director

About SMTP I’m not sure why you would want to rely on Dovecot for that. I only 
do Postfix with Dovecot as auth backend so they can share passdb access. When 
you have 465 set up it is no big deal to also enable 587 in Postfix's master.cf.

If you want to keep Dovecot for Submission you can check the latest docs for 
Dovecot submission 
service:https://doc.dovecot.org/admin_manual

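Thoralf's conclusion above (STARTTLS rather than SSL toward the backend on 587), as an added example that is not part of the thread or of Dovecot: a Python lint of the extra fields a proxy passdb returns, checked against the backend port they will be used with. The SQLite table and the domains and hosts in it are constructed, sqlite3 stands in for Dovecot's SQL passdb only to turn the post's `password_query` shape into the key/value reply Dovecot would see, and the port sets and finding codes are this example's own. It also flags `any-cert`, which turns off verification of the backend's certificate.

```python
"""Lint the TLS-related extra fields a Dovecot proxy passdb returns.

Added example, not code from Dovecot or from the thread above.  The query
mirrors the field list of the post's password_query; an in-memory SQLite
table stands in for the proxy_domain table (constructed data).  The lint
reproduces the post's failure: ssl=any-cert handed to a backend on 587,
which expects a plaintext greeting followed by STARTTLS.
"""
import sqlite3
from typing import Dict, List, Tuple

# Constructed routing table; domains and hosts are made up.
PROXY_DOMAINS = [("example.com", "backend-a.internal"),
                 ("example.org", "backend-b.internal")]

IMPLICIT_TLS_PORTS = {465, 993, 995}        # TLS from the first byte
STARTTLS_PORTS = {25, 110, 143, 587, 4190}  # plaintext greeting, then STARTTLS


def make_query(tls_field: str) -> str:
    """Build the post's query with either 'ssl' or 'starttls' as the TLS field.

    %d is replaced by a bound parameter here; Dovecot substitutes and
    escapes %d itself before sending the real query.
    """
    if tls_field not in ("ssl", "starttls"):
        raise ValueError("tls_field must be 'ssl' or 'starttls'")
    return f"""
SELECT NULL AS password, 'y' AS nopassword, 'y' AS proxy, NULL AS destuser,
       'y' AS proxy_nopipelining, host, 'y' AS nodelay, 'y' AS nologin,
       'any-cert' AS {tls_field}
FROM proxy_domain WHERE domain = ?
"""


def passdb_lookup(domain: str, tls_field: str) -> Dict[str, str]:
    """Run the query and return the row as Dovecot-style extra fields."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE proxy_domain (domain TEXT PRIMARY KEY, host TEXT)")
    conn.executemany("INSERT INTO proxy_domain VALUES (?, ?)", PROXY_DOMAINS)
    cur = conn.execute(make_query(tls_field), (domain,))
    row = cur.fetchone()
    if row is None:
        return {}
    names = [d[0] for d in cur.description]
    # A NULL column is an unset field to Dovecot, so drop it.
    return {n: v for n, v in zip(names, row) if v is not None}


def check_proxy_tls(fields: Dict[str, str], backend_port: int) -> List[Tuple[str, str]]:
    """Return (code, message) findings for a proxy reply and its backend port."""
    findings: List[Tuple[str, str]] = []
    if fields.get("proxy") != "y":
        return findings                      # not a proxy reply: nothing to check
    if "host" not in fields:
        findings.append(("no-host", "proxy=y without a host to connect to"))
    ssl, starttls = fields.get("ssl"), fields.get("starttls")
    if ssl and starttls:
        findings.append(("tls-conflict", "both ssl and starttls are set; return one of them"))
    elif ssl and backend_port in STARTTLS_PORTS:
        findings.append(("ssl-on-starttls-port",
                         f"ssl={ssl} to port {backend_port}: this port expects STARTTLS; "
                         f"return starttls={ssl} instead"))
    elif starttls and backend_port in IMPLICIT_TLS_PORTS:
        findings.append(("starttls-on-implicit-tls-port",
                         f"starttls={starttls} to port {backend_port}: this port expects TLS "
                         f"immediately; return ssl={starttls} instead"))
    elif not ssl and not starttls:
        findings.append(("plaintext-backend",
                         "no ssl/starttls field: forwarded credentials cross the network unencrypted"))
    if "any-cert" in (ssl, starttls):
        findings.append(("cert-not-verified",
                         "any-cert skips verification of the backend certificate; prefer 'yes' "
                         "with ssl_client_ca_dir or ssl_client_ca_file configured"))
    return findings


if __name__ == "__main__":
    for tls_field, port in (("ssl", 587), ("starttls", 587), ("starttls", 993)):
        reply = passdb_lookup("example.com", tls_field)
        print(f"{tls_field} -> backend port {port}:")
        for code, msg in check_proxy_tls(reply, port) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```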
Re: Dovecot Proxy

2020-09-01 Thread @lbutlr
On 31 Aug 2020, at 03:33, Thoralf Rickert-Wendt  wrote:
> documentation https://wiki1.dovecot.org/HowTo/ImapProxy (which is really old 
> and should be updated)

That is documentation for Dovecot version 1 (that's the 1 in wiki1).

Other than that, I can't help you, but this documentation is absolutely not 
relevant to version 2.x. This might help: 



(I don't know why it is Imapc Proxy, but so it goes)





-- 
"Are you pondering what I'm pondering?"
Pinky: (talking to his reflection in the mirror) Pinky, are you
pondering what I'm pondering?
Pinky's Reflection: Why, yes,
Pinky! Yes, I am! But where would you get a chicken, 20 yards of
spandex and smelling salts at this hour?



Re: Dovecot Proxy

2020-09-01 Thread Thoralf Rickert-Wendt

Hi Philon,

now, it's time for "Mahlzeit" ;-)

Sorry that I read wiki1 instead of wiki2. I thought the 1 meant 
that it is server one of ... my fault. Also for not reading the first line 
above the menu. My focus was really on the content. ;-)


Also my problem with the doc of the Dovecot2 proxy is that the document 
https://doc.dovecot.org/configuration_manual/authentication/proxies/ has 
fewer details for a domain-only example. That works as in the Dovecot1 
doc, but it isn't documented anymore. Also the location under the 
"authentication" chapter in the Wiki didn't tell me that this is the 
"new Dovecot proxy documentation". I thought this was only related to 
authentication issues. I would recommend either restructuring the 
wiki2 so that it is clearer to the user, or making some notes on 
https://doc.dovecot.org/admin_manual/dovecot_proxy/ and linking to the 
passdb setting on 
https://doc.dovecot.org/configuration_manual/forwarding_parameters/ and 
https://doc.dovecot.org/configuration_manual/authentication/proxies/. 
Maybe there are other documents related to Proxy too, like the SNI 
settings etc. But maybe I'm the only one on the planet who tries to 
use that. It feels a little bit like that.


The Director would be interesting if all the mailservers in the backend 
knew each other. But that's not the case. Mailserver A and 
Mailserver B are hosting completely different domains with a completely 
different user list and completely different user admins, etc. Also 
mailcow doesn't enable the director. So it will not help much. But it 
could be interesting if I have multiple proxies.


Yes, the submission service inside Dovecot is there. And I tried to 
avoid installing multiple "programs", and if there is one "program" that 
handles it all, why not use it. And I'd like to quote the first line 
of the Dovecot proxy doc: "Dovecot supports proxying IMAP, POP3, 
Submission Server 
<https://doc.dovecot.org/admin_manual/submission_server/#submission-server>, 
LMTP Server 
<https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/#lmtp-server>, 
and Pigeonhole ManageSieve Server 
<https://doc.dovecot.org/admin_manual/pigeonhole_managesieve_server/#pigeonhole-managesieve-server> 
connections to other hosts.".


Also I tried to open the Dovecot authentication mechanism for postfix 
(for submission) with



service auth {
  user = root
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}

And on Postfix part with

smtpd_sasl_auth_enabled = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

But the postfix login is always accepted (even with wrong passwords) and 
after I start to write a mail the connection gets lost after the RCPT 
command. There is another problem. Before I investigate it, I would try 
my luck with Dovecot. It is already asking the correct backend 
submission server but with SSL on a non-SSL port.


So - someone included the Submission protocol in Dovecot and someone 
wrote that the submission could be proxied - but - it's not completely 
documented or "it doesn't work" within an SSL environment. I searched for 
a simple example where IMAP and POP3 are proxied via SSL and Submission 
too (which would mean that Dovecot submission listens on 465) or via 
STARTTLS on 587 and redirecting it also to STARTTLS/587. But I didn't 
find anything. Also the submission documentation doesn't help, because I 
can't see any line of a configuration file in it.


Ok, but first - lunchtime.

bye
Thoralf

On 01.09.20 at 09:43, Philon wrote:

Hi Thoralf,

I’d say first of all you should read the current docs for 2.x not the archived 
stuff. —> https://wiki2.dovecot.org/ - (It’s even mentioned in bold in the 
header)

Then to front multiple backends perhaps you want to take a look at Dovecot 
Director. —> https://wiki2.dovecot.org/Director

About SMTP I’m not sure why you would want to rely on Dovecot for that. I only 
do Postfix with Dovecot as auth backend so they can share passdb access. When 
you have 465 set up it is no big deal to also enable 587 in Postfix's master.cf.

If you want to keep Dovecot for Submission you can check the latest docs for 
Dovecot submission service: 
https://doc.dovecot.org/admin_manual/submission_server/. It has a relay server 
option with port. Also settings for STARTTLS etc. can be found there.


Mahlzeit!

Philon


On 31 Aug 2020, at 11:33, Thoralf Rickert-Wendt  wrote:

Hello everyone,

it's my first post here on this mailing list and I hope, I make it right.

I posted a question on 
https://serverfault.com/questions/1031441/dovecot-as-proxy-with-submission and 
nobody was able to answer it. So I decided to push that question here (I'm 
talking about any new dovecot version and I've tested it with 2.3.4.1 
(f79e8e7e4)).

I try to run a dovecot proxy in front of a big number of mail servers (serving SM

Re: Dovecot Proxy

2020-09-01 Thread Philon
Hi Thoralf,

I’d say first of all you should read the current docs for 2.x not the archived 
stuff. —> https://wiki2.dovecot.org/ - (It’s even mentioned in bold in the 
header)

Then to front multiple backends perhaps you want to take a look at Dovecot 
Director. —> https://wiki2.dovecot.org/Director

About SMTP I’m not sure why you would want to rely on Dovecot for that. I only 
do Postfix with Dovecot as auth backend so they can share passdb access. When 
you have 465 set up it is no big deal to also enable 587 in Postfix's master.cf.

If you want to keep Dovecot for Submission you can check the latest docs for 
Dovecot submission service: 
https://doc.dovecot.org/admin_manual/submission_server/. It has a relay server 
option with port. Also settings for STARTTLS etc. can be found there.


Mahlzeit!

Philon

> On 31 Aug 2020, at 11:33, Thoralf Rickert-Wendt  wrote:
> 
> Hello everyone,
> 
> it's my first post here on this mailing list and I hope, I make it right.
> 
> I posted a question on 
> https://serverfault.com/questions/1031441/dovecot-as-proxy-with-submission 
> and nobody was able to answer it. So I decided to push that question here 
> (I'm talking about any new dovecot version and I've tested it with 2.3.4.1 
> (f79e8e7e4)).
> 
> I try to run a dovecot proxy in front of a big number of mail servers 
> (serving SMTP-in, submission, IMAP, POP3, Sieve). I need that proxy, because 
> I run out of IPv4 addresses. Of course I use IPv6 too, but many customers 
> still have problems with their providers and they really don't want to share 
> their mails on a "shared-mailserver". I planned to use Dovecot for IMAPS, 
> POP3S, SMTP-submission(465) and postfix for the rest. If I find a solution 
> for sieve, I would try that too, but that is very optional.
> 
> With the documentation https://wiki1.dovecot.org/HowTo/ImapProxy (which is 
> really old and should be updated) and some other ascii docs (from an Apple 
> mirror somewhere deep in the web) I was able to build a IMAP/POP3 proxy that 
> forwards requests from outside to a specific backend using SSL (993,995). 
> That works - I think. You can find the config on the serverfault page.
> 
> In general - all known domains in backend are using SSL and the passdb 
> forwards all requests to the backend via SSL. So - I understand:
> 
> password_query =
>   SELECT
> NULL AS password,
> NULL AS destuser,
> host,
> 'Y' AS nologin,
> 'Y' AS nodelay,
> 'Y' AS nopassword,
> 'Y' AS proxy,
> 'any-cert' AS `ssl`
>   FROM
> proxy_domain
>   WHERE
> domain = '%d'
> 
> But that is only 50% of the show. The rest is submission (and maybe sieve). 
> Practically the submission implementation in dovecot works too. But because 
> dovecot by default only opens port 587 (starttls), my passdb setting has a 
> problem.
> 
> When I try to use that port Dovecot tries to use SSL on the backend/587 too - 
> but that is wrong (it should either use 465 or should try to use starttls).
> 
> So, I have the following options.
> 
> - find a way to configure dovecot-proxy to listen on 465 with SSL for 
> submission service and hope that it uses the same port
>   - but I didn't find any documentation for that and need help
> 
> - find a way to configure dovecot-proxy/passdb to return starttls=y when 
> dovecot-submission is used (use a different passdb)
>   - but I didn't find any documentation for that and I'm not sure, if this 
> works on service/protocol level
> 
> - find a way to configure the passdb answer based on the used port/protocol. 
> But I only know the parameter %u, %d and %p.
>   - so it would be nice to find a way to also select the protocol (if already 
> developed)
> 
> - find a way to make a patch in dovecot (which isn't easy for me, because I 
> don't really know the code)
> 
> Has somebody an idea, how I can configure the dovecot-proxy in that way.
> 
> bye
> Thoralf
> 
> 



Dovecot Proxy

2020-08-31 Thread Thoralf Rickert-Wendt

Hello everyone,

it's my first post here on this mailing list and I hope, I make it right.

I posted a question on 
https://serverfault.com/questions/1031441/dovecot-as-proxy-with-submission 
and nobody was able to answer it. So I decided to push that question 
here (I'm talking about any new dovecot version and I've tested it with 
2.3.4.1 (f79e8e7e4)).


I try to run a dovecot proxy in front of a big number of mail servers 
(serving SMTP-in, submission, IMAP, POP3, Sieve). I need that proxy, 
because I run out of IPv4 addresses. Of course I use IPv6 too, but many 
customers still have problems with their providers and they really don't 
want to share their mails on a "shared-mailserver". I planned to use 
Dovecot for IMAPS, POP3S, SMTP-submission(465) and postfix for the rest. 
If I find a solution for sieve, I would try that too, but that is very 
optional.


With the documentation https://wiki1.dovecot.org/HowTo/ImapProxy (which 
is really old and should be updated) and some other ascii docs (from an 
Apple mirror somewhere deep in the web) I was able to build a IMAP/POP3 
proxy that forwards requests from outside to a specific backend using 
SSL (993,995). That works - I think. You can find the config on the 
serverfault page.


In general - all known domains in backend are using SSL and the passdb 
forwards all requests to the backend via SSL. So - I understand:


password_query =
  SELECT
    NULL AS password,
    NULL AS destuser,
    host,
    'Y' AS nologin,
    'Y' AS nodelay,
    'Y' AS nopassword,
    'Y' AS proxy,
    'any-cert' AS `ssl`
  FROM
    proxy_domain
  WHERE
    domain = '%d'

But that is only 50% of the show. The rest is submission (and maybe 
sieve). Practically the submission implementation in dovecot works too. 
But because dovecot by default only opens port 587 (starttls), my passdb 
setting has a problem.


When I try to use that port Dovecot tries to use SSL on the backend/587 
too - but that is wrong (it should either use 465 or should try to use 
starttls).


So, I have the following options.

- find a way to configure dovecot-proxy to listen on 465 with SSL for 
submission service and hope that it uses the same port

  - but I didn't find any documentation for that and need help

- find a way to configure dovecot-proxy/passdb to return starttls=y when 
dovecot-submission is used (use a different passdb)
  - but I didn't find any documentation for that and I'm not sure, if 
this works on service/protocol level


- find a way to configure the passdb answer based on the used 
port/protocol. But I only know the parameter %u, %d and %p.
  - so it would be nice to find a way to also select the protocol (if 
already developed)


- find a way to make a patch in dovecot (which isn't easy for me, 
because I don't really know the code)


Has somebody an idea, how I can configure the dovecot-proxy in that way.

bye
Thoralf




Dovecot Proxy - Oauth2 mech add custom fields

2020-02-14 Thread Domenico Pastore
Hi,

I have a problem with configuring the dovecot passdb for OAuth2 with Keycloak.
A user can access more than one mailbox; mailboxes are associated with the user.

When a user logs in with this method:

OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ 
AUTH=PLAIN] Dovecot ready.
a login mailbox*user password

When Dovecot requests the grant_url it sends to Keycloak, for example, this POST 
(I have already enabled raw_log for analysis):

grant_type=password=domenico=test_id=imap-client_secret=99e26b26-0f2a-4b64-8f57-c0ca2147d3a0=email
POST /auth/realms/example/protocol/openid-connect/token/introspect

The call passes only the master_user to Keycloak and misses the mailbox info.
In fact, the JSON response after login returns only the username without the mailbox:

[...]
  "scope": "profile email",
  "email_verified": false,
  "preferred_username": "dome.nico"
[...]

When the Dovecot proxy connects to the backend, the email attribute and the user have the 
same value, the master user. 
This behavior is a problem because when the backend tries the login, it logs in with 
the user and not with the mailbox.

This is backend logging:

2020-02-13 19:34:13 auth: Debug: client passdb out: OK  1   user=domenico  
token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYVy1fSmNnVkF3aW9GUXh1NUhwdjVlbk5uNU8zaW42Y1VpaGJsM2dWX0V3In0.eyJqdGkiOiJhYTMwZ
Dk0Yy0xNjE0LTQzN2QtOTA5Zi01ZTAwNGQ2YjNmZTIiLCJleHAiOjE1ODE2MTE5NTQsIm5iZiI6MCwiaWF0IjoxNTgxNjExNjU0LCJpc3MiOiJodHRwczovL2tleWNsb2FrLXBlYy1pYW0ucGVjLWFwcHMucGFyLXRlYy5pdC9hdXRoL3JlYWxtcy9wZWMiLCJhdWQiOiJhY2NvdW50Iiwi
c3ViIjoiZjphNTA1NWUzMi1lYzhkLTRmZjgtOWZjNS00ODM4MmQ1MzRhODc6ZG9tZS5uaWNvIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaW1hcC1jbGllbnQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIyN2M0ZDMzYy01YjdlLTQzMWMtYjZmMi0yYmI4NjIzYzMyMjkiLCJ
hY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2
ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImRvbWUubmljbyJ9.LlIx-QeRQPr3lK4Cs1vU0qMvHF3uq3h15BGi1atNCBASkM6oPoYWLV-sYdf8hzpRFyOaTcbxN53SN6LfD0hHvUZ2sKHxh7UJ
idmxS4hf1SsZq8wJTASpebcPLtBIX5JBvXmpxa-cVnZDE1JVw5np5-LLNs0j4sgHwgg85mJEoE2VmYJzbGZjUsSTvaAAoCbvTA0MfsNoKyq0E5JrLVdkI-twX7HjAESFqFD4yHe7BS4FG_UjddrSr3uXmXreB44VLZ8B4xBgVRjK9K-sjjkXT8Bkv8WbxUdEEHaarWU_qanI5DlhA0CZXlJ
CyDsNcRwQfwVHOESxXE7ehgIDPm-NjA

Is there a mechanism for adding other attributes with Dovecot when calling 
Keycloak? This is to insert the email or other fields into the token.

Thanks all,
Domenico

———
Dovecot Frontend

# 2.3.9.2 (cf2918cac): /config/dovecot/dovecot-proxy/dovecot.conf
# OS: Linux 3.10.0-693.17.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 (Core)
# Hostname: fe-new.example.it
auth_debug = yes
auth_debug_passwords = yes
auth_master_user_separator = *
auth_verbose = yes
auth_verbose_passwords = yes
base_dir = /data/dovecot/var/run/dovecot-proxy
default_vsz_limit = 768 M
disable_plaintext_auth = no
first_valid_gid = 101
first_valid_uid = 102
imap_id_send = 
import_environment = TZ MASTERPWD
info_log_path = /LOGS/imap/dovecot-proxy.log
instance_name = dovecot-proxy
listen = fe-new_imap
log_path = /LOGS/imap/dovecot-proxy.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_gid = 101
mail_location = maildir:%h/Maildir
mail_max_userip_connections = 50
mail_plugins = quota expire mail_log notify
mail_uid = 102
maildir_broken_filename_sizes = yes
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  subscriptions = yes
  type = private
}
passdb {
  args = /config/dovecot/dovecot-proxy/dovecot-oauth2.conf
  driver = oauth2
  master = yes
  mechanisms = plain login
}
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
}
postmaster_address = po...@foo.it
protocols = imap pop3
service anvil {
  client_limit = 3000
}
service auth {
  client_limit = 4096
  unix_listener auth-userdb {
    mode = 0600
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_limit = 2500
  process_min_avail = 5
}
service imap {
  drop_priv_before_exec = yes
  process_limit = 2500
  process_min_avail = 5
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service managesieve {
  drop_priv_before_exec = yes
  process_limit = 1024
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_l

Re[2]: Dovecot proxy: authentication best practices

2019-12-28 Thread William Edwards

Hi Aki,

> 1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, 
> authentication is completely up to the destination host. Setting 'nopassword' 
> in no way means the proxy becomes an open relay. Is this correct?
> You still control where it proxies to.
> 1.2 Are there any security implications when using 'nopassword' on the proxy?
> As long as it's really a proxy, probably no.

Ok, so assuming proper authentication is configured on the destination host, 
the answer to 1.1 is 'yes' and the answer to 1.2 is 'no'.

> userdb is ignored on proxies. For your use case try the following
> and into domains.passwd

Ah, yes, of course. I forgot Dovecot supports multiple passdb backends. I have 
added the domains.passwd backend as a fallback.

Thanks!


Met vriendelijke groeten,

William Edwards
T. 040 - 711 44 96
E. wedwa...@cyberfusion.nl




 
- Original Message -
From: Aki Tuomi (aki.tu...@open-xchange.com)
Date: 12/27/19 17:42
To: William Edwards (wedwa...@cyberfusion.nl), dovecot (dovecot@dovecot.org)
Subject: Re: Dovecot proxy: authentication best practices


On 27/12/2019 16:02 William Edwards  wrote:


Hi!

I have a few questions regarding Dovecot proxy:

1.
1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, 
authentication is completely up to the destination host. Setting 'nopassword' 
in no way means the proxy becomes an open relay. Is this correct?


You still control where it proxies to.

1.2 Are there any security implications when using 'nopassword' on the proxy?


As long as it's really a proxy, probably no.

2.
2.1 I would like to avoid having to store all users in a passdb file on the 
proxy. I would much rather specify a domain for which Dovecot proxy will route 
all users to a specific host. Is there a way to let Dovecot proxy route to a 
destination host based on domain, so individual users don't have to be 
specified in the proxy passdb?
2.2 Is it correct that userdb does not have any effect on proxying and it can 
be left out of the config? Source: 
https://dovecot.org/pipermail/dovecot/2013-October/093138.html (point 2)

userdb is ignored on proxies. For your use case try the following

passdb {
  driver = passwd-file
  args = username_format=%Ld /etc/dovecot/domains.passwd
}

and into domains.passwd

domain.com::: nopassword proxy host=host1

colon count might be wrong

Met vriendelijke groeten,

William Edwards
T. 040 - 711 44 96
E. wedwa...@cyberfusion.nl

---
Aki Tuomi




Re: Dovecot proxy: authentication best practices

2019-12-27 Thread Aki Tuomi

On 27/12/2019 16:02 William Edwards  wrote:

> Hi!
>
> I have a few questions regarding Dovecot proxy:
>
> 1.
> 1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, authentication is completely up to the destination host. Setting 'nopassword' in no way means the proxy becomes an open relay. Is this correct?

You still control where it proxies to.

> 1.2 Are there any security implications when using 'nopassword' on the proxy?

As long as it's really a proxy, probably no.

> 2.
> 2.1 I would like to avoid having to store all users in a passdb file on the proxy. I would much rather specify a domain for which Dovecot proxy will route all users to a specific host. Is there a way to let Dovecot proxy route to a destination host based on domain, so individual users don't have to be specified in the proxy passdb?
> 2.2 Is it correct that userdb does not have any effect on proxying and it can be left out of the config? Source: https://dovecot.org/pipermail/dovecot/2013-October/093138.html (point 2)

userdb is ignored on proxies. For your use case try the following

passdb {
  driver = passwd-file
  args = username_format=%Ld /etc/dovecot/domains.passwd
}

and into domains.passwd

domain.com::: nopassword proxy host=host1

colon count might be wrong

> Met vriendelijke groeten,
>
> William Edwards
> T. 040 - 711 44 96
> E. wedwa...@cyberfusion.nl

---
Aki Tuomi

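Aki's passwd-file suggestion above, as an added example that is not part of the thread or of Dovecot: a Python emulation of the lookup with `username_format=%Ld` (the login's domain part, lowercased), the extra-field parsing, and the routing decision, together with the checks a proxy that runs with `nopassword` should make before it forwards a login anywhere. The domains.passwd contents, the domains, the backend addresses and the KNOWN_BACKENDS allow-list are all constructed. The constructed file uses the full passwd-file layout, with extra fields as the eighth colon-separated field, since the reply itself notes its colon count may be off.

```python
"""Emulate domain-based proxy routing with a Dovecot passwd-file passdb.

Added example, not code from Dovecot or from the thread above.  It models a
passwd-file passdb looked up with username_format=%Ld whose extra fields
say nopassword, proxy and host, and a 'local' outcome that stands for
"no match here, fall through to the next passdb in the chain".
"""
from typing import Dict, Optional, Tuple

# Constructed /etc/dovecot/domains.passwd; domains and hosts are made up.
# Layout: user:password:uid:gid:gecos:home:shell:extra_fields (7 colons).
DOMAINS_PASSWD = """\
# domain:password:uid:gid:gecos:home:shell:extra_fields
example.com::::::: nopassword proxy host=10.0.0.11
example.org::::::: nopassword proxy host=10.0.0.12 port=993 ssl=yes
broken.test::::::: nopassword proxy
nopw.test::::::: nopassword
rogue.test::::::: nopassword proxy host=203.0.113.9
"""

# Constructed allow-list of the backends this proxy is meant to forward to.
KNOWN_BACKENDS = {"10.0.0.11", "10.0.0.12"}


def parse_passwd_file(text: str) -> Dict[str, Dict[str, str]]:
    """Map the first field (here a domain) to its extra fields.

    A bare extra field such as 'proxy' is stored as 'y', which is how
    Dovecot treats a flag given without a value.
    """
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 7)
        parts += [""] * (8 - len(parts))      # short lines: missing fields are empty
        extra: Dict[str, str] = {}
        for item in parts[7].split():
            key, has_value, value = item.partition("=")
            extra[key] = value if has_value else "y"
        entries[parts[0]] = extra
    return entries


def lookup_key_Ld(login: str) -> Optional[str]:
    """Apply username_format=%Ld: lowercased domain part, None if absent."""
    _, at, domain = login.rpartition("@")
    return domain.lower() if at else None


def route(login: str, entries: Dict[str, Dict[str, str]]) -> Tuple[str, Optional[str]]:
    """Decide what the proxy does with a login.

    Returns ('proxy', host), ('local', None) for no match (next passdb in
    the chain), or ('reject', reason).  With nopassword the proxy never
    checks the password itself, so an entry must carry the proxy flag and
    point at a backend this proxy is allowed to forward credentials to.
    """
    key = lookup_key_Ld(login)
    fields = entries.get(key) if key is not None else None
    if fields is None:
        return "local", None
    if fields.get("proxy") != "y":
        # nopassword without proxy would accept the login outright, with any password.
        return "reject", "entry lacks the proxy flag"
    host = fields.get("host")
    if not host:
        return "reject", "proxy entry without host"
    if host not in KNOWN_BACKENDS:
        return "reject", f"host {host} is not a known backend"
    return "proxy", host


if __name__ == "__main__":
    table = parse_passwd_file(DOMAINS_PASSWD)
    for login in ("Alice@Example.COM", "bob@example.org", "x@broken.test",
                  "y@nopw.test", "z@rogue.test", "w@unknown.test", "nodomain"):
        print(f"{login:20s} -> {route(login, table)}")
```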


Dovecot proxy: authentication best practices

2019-12-27 Thread William Edwards

Hi!

I have a few questions regarding Dovecot proxy:

1.
1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, 
authentication is completely up to the destination host. Setting 'nopassword' 
in no way means the proxy becomes an open relay. Is this correct?
1.2 Are there any security implications when using 'nopassword' on the proxy?

2.
2.1 I would like to avoid having to store all users in a passdb file on the 
proxy. I would much rather specify a domain for which Dovecot proxy will route 
all users to a specific host. Is there a way to let Dovecot proxy route to a 
destination host based on domain, so individual users don't have to be 
specified in the proxy passdb?
2.2 Is it correct that userdb does not have any effect on proxying and it can 
be left out of the config? Source: 
https://dovecot.org/pipermail/dovecot/2013-October/093138.html (point 2)


Met vriendelijke groeten,

William Edwards
T. 040 - 711 44 96
E. wedwa...@cyberfusion.nl




 



Re: About "received" header when using Dovecot proxy

2019-12-04 Thread Riku via dovecot
Hello.

Sorry.
Let me organize and describe what I want to do.
It may not be very coherent, but please forgive me.
Also, I'm not good at English, so I'm sorry if it's difficult to understand.

1. I had to create a proxy server for an external SMTP server (here, 
“smtp.example.com” as an example).
So I decided to use Dovecot installed on my server (in this example, 
“my-server.com”).
2. Therefore, the following settings were created.

- /etc/dovecot/conf.d/10-auth.conf -
auth_mechanisms = plain login cram-md5 apop
!include auth-static.conf.ext


- /etc/dovecot/conf.d/auth-static.conf.ext -
passdb {
  driver = static
  args = proxy=y nopassword=y
  default_fields = destuser=%u nologin=y starttls=any-cert
}

userdb {
  driver = static
  args = uid=mail gid=mail /home=/dev/null
}


- /etc/dovecot/conf.d/10-ssl.conf -
ssl = yes
ssl_cert = ]) ...

I want the IP address of the sender (my computer here) to be displayed properly 
in the contents of this "received" like this.

Received: from riku22.net (x.bbtec.net [126.125.xxx.xxx])


Is there any way?

Best regards.


Re: About "received" header when using Dovecot proxy

2019-12-04 Thread Aki Tuomi via dovecot


On 4.12.2019 15.33, Riku via dovecot wrote:
> Hello.
>
> Sorry.
> Since 2.3.9 was released, I installed it immediately and tried to set 
> "lmtp_add_received_header" to "no".
> But it seems different from what I wanted to do.
> The following is my configuration file.
> Please let me know if there are any other configuration files that need to be 
> listed.
> Is there any way to avoid adding it to the “received” header?
>
> - 20-submission.conf -
> submission_client_workarounds = whitespace-before-path mailbox-for-path
>
> protocol submission {
>   passdb {
> driver = static
> args = proxy=y host=smtp.example.com nopassword=y
>   }
> }
> 
>
> Best regards.


So... what did it do and what did you expect it to do?

Aki



Re: About "received" header when using Dovecot proxy

2019-12-04 Thread Riku via dovecot
Hello.

Sorry.
Since 2.3.9 was released, I installed it immediately and tried to set 
"lmtp_add_received_header" to "no".
But it seems different from what I wanted to do.
The following is my configuration file.
Please let me know if there are any other configuration files that need to be 
listed.
Is there any way to avoid adding it to the “received” header?

- 20-submission.conf -
submission_client_workarounds = whitespace-before-path mailbox-for-path

protocol submission {
  passdb {
driver = static
args = proxy=y host=smtp.example.com nopassword=y
  }
}


Best regards.


Re: About "received" header when using Dovecot proxy

2019-12-03 Thread Riku via dovecot
Hello.

Thank you for teaching.
I'd like to try it out if 2.3.9 comes out.
I look forward to the release of 2.3.9.
Thank you very much.

Best regards.



Re: About "received" header when using Dovecot proxy

2019-12-02 Thread Sami Ketola via dovecot



> On 2 Dec 2019, at 19.23, Tom Sommer via dovecot  wrote:
> 
> 
> On 2019-12-02 13:42, Riku via dovecot wrote:
>> Hello.
>> My name is Riku.
>> Currently, I use Dovecot as a proxy for another SMTP server.
>> However, this seems to cause the IP address of the "received" header
>> to be that of the proxy server.
>> Is it possible to change this so that the IP address of the sender is 
>> entered?
>> The version of Dovecot is "2.3.8 (9df20d2db)".
>> Sorry for the incomprehensible explanation.
> 
> This has been discussed a few times on the list already, and I believe there 
> is a fix coming at some point: https://github.com/dovecot/core/pull/74
> 
> Currently there is none


This change does not allow you to edit the received header, it's only about not 
adding it at all.

And the change seems to be on the list for 2.3.9.

Sami



Re: About "received" header when using Dovecot proxy

2019-12-02 Thread Tom Sommer via dovecot



On 2019-12-02 13:42, Riku via dovecot wrote:

Hello.
My name is Riku.

Currently, I use Dovecot as a proxy for another SMTP server.
However, this seems to cause the IP address of the "received" header
to be that of the proxy server.
Is it possible to change this so that the IP address of the sender is 
entered?

The version of Dovecot is "2.3.8 (9df20d2db)".
Sorry for the incomprehensible explanation.


This has been discussed a few times on the list already, and I believe 
there is a fix coming at some point: 
https://github.com/dovecot/core/pull/74


Currently there is none

--
Tom


Running dovecot proxy as different user

2019-12-02 Thread Marc Roos via dovecot


I thought I read somewhere that I could prevent chroot with [1], but I am 
still getting chroot errors [2].

drwxrwxr-x 2 10053   101  6 Dec  2 16:54 empty
drwxr-x--- 2 10053   101 73 Dec  2 17:00 login
drwxr-x--- 2 10053   101 44 Dec  2 17:00 token-login

[1]
service anvil {
  chroot =
}

[2]
Dec  2 17:07:07 c04 dovecot: stats: Fatal: chroot(/var/dovecot/empty) 
failed: Operation not permitted
Dec  2 17:07:07 c04 dovecot: master: Error: service(stats): command 
startup failed, throttling for 16 secs
Dec  2 17:07:07 c04 dovecot: pop3-login: Fatal: setgid(101(dovenull)) 
failed with euid=10053(dovecot), gid=10053(dovecot), 
egid=10053(dovecot): Operation not permitted (This binary should 
probably be called with process group set to 101(dovenull) instead of 
10053(dovecot))
Dec  2 17:07:07 c04 dovecot: master: Error: service(pop3-login): command 
startup failed, throttling for 16 secs




About "received" header when using Dovecot proxy

2019-12-02 Thread Riku via dovecot
Hello.
My name is Riku.

Currently, I use Dovecot as a proxy for another SMTP server.
However, this seems to cause the IP address of the "received" header to be that 
of the proxy server.
Is it possible to change this so that the IP address of the sender is entered?
The version of Dovecot is "2.3.8 (9df20d2db)".
Sorry for the incomprehensible explanation.

Thank you.

 Best regards.



RE: Dovecot proxy with ldap, complains about 'host not given'

2019-11-24 Thread Marc Roos via dovecot
 
Thanks!! Added this.
pass_attrs = uid=user,userPassword=password,host=host




-Original Message-
Subject: RE: Dovecot proxy with ldap, complains about 'host not given'

You need to specify fields you want. Fields are not imported 
automatically. 

See https://doc.dovecot.org/configuration_manual/authentication/ldap/ 

Aki 

On 24/11/2019 11:34 Marc Roos via dovecot <dovecot@dovecot.org> 
wrote: 

My query? Is dovecot not getting this field automatically? 

-Original Message- 
Subject: Re: Dovecot proxy with ldap, complains about 'host not given' 

On 23 Nov 2019, at 16:11, Marc Roos <m.r...@f1-outsourcing.eu> wrote: 

> It looks like the dovecot proxy can authenticate correctly but fails 
> then on with this message 
> 
> Nov 23 23:33:33 test2 dovecot: pop3-login: Error: proxy: host not given: 
> user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session= 
> 
> I have configured a host= in ldap for this user 

But is your query properly getting the host? (I don’t use ldap, but 
this is a common issue with sql lookups, so I assume that is a likely 
problem). 

-- 
ARE YOU FAMILIAR WITH THE WORDS 'DEATH WAS HIS CONSTANT COMPANION'? 'But 
I don't usually see you!’ 

---
Aki Tuomi




RE: Dovecot proxy with ldap, complains about 'host not given'

2019-11-24 Thread Aki Tuomi via dovecot


 
 
  
You need to specify fields you want. Fields are not imported automatically.

See https://doc.dovecot.org/configuration_manual/authentication/ldap/

Aki

> On 24/11/2019 11:34 Marc Roos via dovecot <dovecot@dovecot.org> wrote:
>
> My query? Is dovecot not getting this field automatically?
>
> -Original Message-
> Subject: Re: Dovecot proxy with ldap, complains about 'host not given'
>
> On 23 Nov 2019, at 16:11, Marc Roos <m.r...@f1-outsourcing.eu> wrote:
>
>> It looks like the dovecot proxy can authenticate correctly but fails
>> then on with this message
>>
>> Nov 23 23:33:33 test2 dovecot: pop3-login: Error: proxy: host not given:
>> user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=
>>
>> I have configured a host= in ldap for this user
>
> But is your query properly getting the host? (I don’t use ldap, but
> this is a common issue with sql lookups, so I assume that is a likely
> problem).
>
> --
> ARE YOU FAMILIAR WITH THE WORDS 'DEATH WAS HIS CONSTANT COMPANION'? 'But
> I don't usually see you!’

---
Aki Tuomi
   
 



RE: Dovecot proxy with ldap, complains about 'host not given'

2019-11-24 Thread Marc Roos via dovecot
 
My query? Is dovecot not getting this field automatically? 



-Original Message-
Subject: Re: Dovecot proxy with ldap, complains about 'host not given'

On 23 Nov 2019, at 16:11, Marc Roos  wrote:
> It looks like the dovecot proxy can authenticate correctly but fails 
> then on with this message
> 
> Nov 23 23:33:33 test2 dovecot: pop3-login: Error: proxy: host not given: 
> user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, 
> session=
> 
> I have configured a host= in ldap for this user

But is your query properly getting the host? (I don’t use ldap., but 
this is a common issue with sql lookups, so I assume that is a likely 
problem).


--
ARE YOU FAMILIAR WITH THE WORDS 'DEATH WAS HIS CONSTANT COMPANION'? 'But 
I don't usually see you!’





Re: Dovecot proxy with ldap, complains about 'host not given'

2019-11-23 Thread @lbutlr via dovecot
On 23 Nov 2019, at 16:11, Marc Roos  wrote:
> It looks like the dovecot proxy can authenticate correctly but fails 
> then on with this message
> 
> Nov 23 23:33:33 test2 dovecot: pop3-login: Error: proxy: host not given: 
> user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, 
> session=
> 
> I have configured a host= in ldap for this user

But is your query properly getting the host? (I don’t use ldap., but this is a 
common issue with sql lookups, so I assume that is a likely problem).


-- 
ARE YOU FAMILIAR WITH THE WORDS 'DEATH WAS HIS CONSTANT COMPANION'? 'But
I don't usually see you!’



Dovecot proxy with ldap, complains about 'host not given'

2019-11-23 Thread Marc Roos via dovecot


It looks like the dovecot proxy can authenticate correctly but fails 
then on with this message

Nov 23 23:33:33 test2 dovecot: pop3-login: Error: proxy: host not given: 
user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, 
session=

I have configured a host= in ldap for this user








Re: Dovecot proxy: per user/domain 'namespace/inbox/prefix' from MySQL

2018-11-14 Thread Adi Pircalabu

Forgot to add "doveconf -n" for the proxy server:

# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 4.14.81-6.el7xen.x86_64 x86_64 CentOS Linux release 7.5.1804 
(Core)

# Hostname: proxy1.0aditest.local
auth_cache_negative_ttl = 5 mins
auth_cache_size = 16 M
auth_cache_ttl = 18 hours
auth_debug = yes
auth_verbose = yes
mail_debug = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope 
encoded-character vacation subaddress comparator-i;ascii-numeric 
relational regex imap4flags copy include variables body enotify 
environment mailbox date index ihave duplicate mime foreverypart 
extracttext imapflags notify

mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
  sieve_extensions = +notify +imapflags
}
protocols = imap pop3 lmtp sieve
service imap-login {
  inet_listener imap {
port = 1143
  }
  inet_listener imaps {
port = 1993
ssl = yes
  }
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  service_count = 0
  vsz_limit = 128 M
}
service managesieve {
  process_limit = 1024
}
service pop3-login {
  inet_listener pop3 {
port = 110
  }
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
ssl = required
ssl_cert = 
Dovecot proxy: per user/domain 'namespace/inbox/prefix' from MySQL

2018-11-14 Thread Adi Pircalabu
As a way to try and avoid using "prefix = INBOX." ad infinitum for the 
inbox namespace, I'm looking for ways to move on to "prefix =" for new 
mail accounts, and grandfather the existing ones. Previously running 
Courier-IMAP, now Dovecot, I looked at 
https://wiki.dovecot.org/Namespaces#Backwards_Compatibility:_Courier_IMAP 
and decided it's too risky to go down that path and use namespace 
compat, with so many IMAP clients out there the scope of testing is huge 
and the outcome is uncertain and not worth it.
After reading 
https://wiki.dovecot.org/Namespaces#Per-user_Namespace_Location_From_SQL 
I thought I might be able to overwrite the server configuration per user 
returning 'namespace/inbox/prefix' value from SQL. Here's the setup I 
attempted, briefly:


1. Client connects to the Dovecot proxy, which authenticates the user 
and proxies to the backend using a query like this in 
/etc/dovecot/conf.d/dovecot-sql.conf.ext:

driver = mysql
connect = 
password_query = SELECT NULL AS password, 'Y' as nopassword, host, 
'any-cert' as 'starttls', 'Y' AS proxy FROM mailbox WHERE email = '%u' 
AND disabled_smtpauth=0

Works a treat.

2. Next, I'm trying to add the prefix lookup in the picture. In the same 
file I've added:
user_query = SELECT ns_inbox_prefix AS 'namespace/inbox/prefix' FROM 
mailbox WHERE email = '%u' AND disabled_smtpauth=0


3. The mailbox table schema reads:
CREATE TABLE `mailbox` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `email` varchar(255) NOT NULL DEFAULT '',
  `password` varchar(255) NOT NULL DEFAULT '',
  `clear_password` varchar(255) NOT NULL DEFAULT '',
  `name` varchar(255) NOT NULL DEFAULT '',
  `host` varchar(32) DEFAULT NULL,
  `port` varchar(32) DEFAULT NULL,
  `ns_inbox_prefix` varchar(255) NOT NULL DEFAULT '',
  `lastlog_remote_ips` bigint(20) unsigned NOT NULL DEFAULT 0,
  `curlog_remote_ips` bigint(20) unsigned NOT NULL DEFAULT 0,
  `disabled_smtpauth` tinyint(1) NOT NULL DEFAULT 0,
  `last_modified` timestamp NOT NULL DEFAULT current_timestamp() ON 
UPDATE current_timestamp(),

  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;
The 2 queries above return:
MariaDB [postfix]> SELECT NULL AS password, 'Y' as nopassword, host, 
'any-cert' as 'starttls', 'Y' AS proxy FROM mailbox WHERE email = 
'adi2@0aditest.local' AND disabled_smtpauth=0;

+----------+------------+----------------+----------+-------+
| password | nopassword | host           | starttls | proxy |
+----------+------------+----------------+----------+-------+
| NULL     | Y          | 192.168.123.24 | any-cert | Y     |
+----------+------------+----------------+----------+-------+
1 row in set (0.00 sec)
MariaDB [postfix]> SELECT ns_inbox_prefix AS 'namespace/inbox/prefix' 
FROM mailbox WHERE email = 'adi2@0aditest.local' AND 
disabled_smtpauth=0;

+------------------------+
| namespace/inbox/prefix |
+------------------------+
|                        |
+------------------------+
1 row in set (0.00 sec)

After reloading the dovecot service with auth_debug = yes, this is the maillog 
for an IMAP session:
Nov 15 12:43:48 proxy1 dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Nov 15 12:43:48 proxy1 dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Nov 15 12:43:48 proxy1 dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_mysql.so
Nov 15 12:43:48 proxy1 dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Nov 15 12:43:48 proxy1 dovecot: auth: Debug: Read auth token secret from 
/var/run/dovecot/auth-token-secret.dat
Nov 15 12:43:48 proxy1 dovecot: auth: Debug: auth client connected 
(pid=7527)
Nov 15 12:43:53 proxy1 dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011secured#011session=AorrLqp6drgB#011lip=::1#011rip=::1#011lport=1143#011rport=47222#011resp=
Nov 15 12:43:53 proxy1 dovecot: auth: Debug: 
sql(adi2@0aditest.local,::1,): cache 
miss
Nov 15 12:43:53 proxy1 dovecot: auth-worker(7533): Debug: Loading 
modules from directory: /usr/lib64/dovecot/auth
Nov 15 12:43:53 proxy1 dovecot: auth-worker(7533): Debug: Module loaded: 
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Nov 15 12:43:53 proxy1 dovecot: auth-worker(7533): Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_mysql.so
Nov 15 12:43:53 proxy1 dovecot: auth-worker(7533): Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Nov 15 12:43:53 proxy1 dovecot: auth-worker(7533): Debug: 
sql(adi2@0aditest.local,::1,): query: 
SELECT NULL AS password, 'Y' as nopassword, host, 'any-cert' as 
'starttls', 'Y' AS proxy FROM mailbox WHERE email = 
'adi2@0aditest.local' AND disabled_smtpauth=0
Nov 15 12:43:53 proxy1 dovecot: auth: Debug: client passdb out: 
OK#0111#011user=adi2@0aditest.local#011host=192.168.123.24#011starttls=any-cert#011proxy#011pass=

Nov 15 12:43:53 proxy1 dovecot: imap-

Re: Dovecot proxy

2017-11-24 Thread Sami Ketola

> On 24 Nov 2017, at 17.36, Federico Bartolucci <feder...@aruba.it> wrote:
> 
> Hello,
> 
> has someone already tested the dovecot-proxy with more than 10 nodes? or
> someone knows anyway if is it officially supported up to a certain number?

There is no limit really. Proxies work standalone and are not linked together so
you can have as many as you need. We have customers that have 20+ proxies 
running.

Sami



Dovecot proxy

2017-11-24 Thread Federico Bartolucci
Hello,

has someone already tested the dovecot-proxy with more than 10 nodes? or
someone knows anyway if is it officially supported up to a certain number?

Thanks.




iOS Mail app and rapid authenticate / disconnect on Dovecot proxy

2017-03-07 Thread Robert Giles

Hi folks,

I have a handful of iOS 10.2.1 Mail app IMAP clients that intermittently 
break into this unexplained authenticate-then-immediately-disconnect 
behavior when connecting to a RHEL7 Dovecot (dovecot-2.2.10-7.el7) 
proxy, providing proxied connections to a backend Panda/UW-IMAP server. 
From talking to the users, the activity would appear to be spontaneous 
(ie: not caused by user interaction with the device).


The behavior doesn't seem to have any observable implications for the 
end user, other than momentarily hitting the Dovecot process_limit 
(which, if not raised to a rather large number, disrupts new IMAP proxy 
connections momentarily).


I reckon this is not an issue with Dovecot, but I'm curious to know if 
other folks have observed this behavior when dealing with iOS Mail app 
clients?


The log entries look like this:

iOS 10 device = 172.16.0.1
RHEL7 Dovecot proxy host = 192.168.0.1 ("proxyhost")
Panda/UW-IMAP target = panda.imap.tld

Mar  6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe): started 
proxying to panda.imap.tld:993: user=, method=PLAIN, 
rip=172.16.0.1, lip=192.168.0.1, TLS, session=
Mar  6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe): 
disconnecting 172.16.0.1 (Disconnected by client): user=, 
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS: Disconnected, 
session=
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started 
proxying to panda.imap.tld:993: user=, method=PLAIN, 
rip=172.16.0.1, lip=192.168.0.1, TLS, session=
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): 
disconnecting 172.16.0.1 (Disconnected by server): user=, 
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, 
session=
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started 
proxying to panda.imap.tld:993: user=, method=PLAIN, 
rip=172.16.0.1, lip=192.168.0.1, TLS, session=
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): 
disconnecting 172.16.0.1 (Disconnected by server): user=, 
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, 
session=
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): started 
proxying to panda.imap.tld:993: user=, method=PLAIN, 
rip=172.16.0.1, lip=192.168.0.1, TLS, session=
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): 
disconnecting 172.16.0.1 (Disconnected by server): user=, 
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, 
session=
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): started 
proxying to panda.imap.tld:993: user=, method=PLAIN, 
rip=172.16.0.1, lip=192.168.0.1, TLS, session=
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): 
disconnecting 172.16.0.1 (Disconnected by server): user=, 
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, 
session=
Mar  6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): started 
proxying to panda.imap.tld:993: user=, method=PLAIN, 
rip=172.16.0.1, lip=192.168.0.1, TLS, session=
Mar  6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): 
disconnecting 172.16.0.1 (Disconnected by server): user=, 
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, 
session=
Mar  6 12:11:03 proxyhost dovecot: imap-login: proxy(jdoe): started 
proxying to panda.imap.tld:993: user=, method=PLAIN, 
rip=172.16.0.1, lip=192.168.0.1, TLS, session=
Mar  6 12:11:04 proxyhost dovecot: imap-login: proxy(jdoe): 
disconnecting 172.16.0.1 (Disconnected by server): user=, 
method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, 
session=


...and on and on, usually until the 'service imap-login' process_limit 
is reached.  You could naturally apply some iptables rate-limiting to 
avoid hitting process_limit, but it'd be nice to have the iOS client 
simply behave properly instead.


dovecot -n:
---
# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-514.6.2.el7.x86_64 x86_64 Red Hat Enterprise Linux 
Server release 7.3 (Maipo)

auth_mechanisms = plain login
auth_verbose = yes
first_valid_uid = 1000
imap_capability = +I18NLEVEL=1
mbox_write_locks = fcntl
passdb {
  args = nopassword=y
  default_fields = proxy=y ssl=any-cert host=panda.imap.tld
  driver = static
}
protocols = imap pop3
service imap-login {
  process_limit = 400-ish at the moment
  process_min_avail = 2
}
service pop3-login {
  inet_listener pop3s {
port = 995
ssl = yes
  }
}
ssl = required
ssl_ca = 
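The log pattern described above lends itself to a simple detection: count how many times the same user from the same client address starts a proxied login inside a short window, and record who tore each session down. The following is an added example, not code from this post or from Dovecot. The log lines are constructed to follow the shape of the lines quoted above (same hostnames and addresses, placeholder user `jdoe`); the archive stripped the `user=<...>` and `session=<...>` values from the quoted lines, so made-up ones are filled in here. Threshold and window are assumptions to tune for a real deployment.

```python
"""Spot rapid authenticate/disconnect loops in Dovecot imap-login proxy logs.

Added example, not from the thread and not Dovecot code. It parses
imap-login proxy lines, counts 'started proxying' events per (user, client
IP) in a sliding window, and tallies the disconnect reasons, so a looping
client can be alerted on before it exhausts the imap-login process_limit.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log: four rapid logins from jdoe, one normal login from asmith.
SAMPLE_LOG = """\
Mar  6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<s1>
Mar  6 12:11:00 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by client): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS: Disconnected, session=<s1>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<s2>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<s2>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<s3>
Mar  6 12:11:01 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<s3>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): started proxying to panda.imap.tld:993: user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<s4>
Mar  6 12:11:02 proxyhost dovecot: imap-login: proxy(jdoe): disconnecting 172.16.0.1 (Disconnected by server): user=<jdoe>, method=PLAIN, rip=172.16.0.1, lip=192.168.0.1, TLS, session=<s4>
Mar  6 12:11:30 proxyhost dovecot: imap-login: proxy(asmith): started proxying to panda.imap.tld:993: user=<asmith>, method=PLAIN, rip=172.16.0.2, lip=192.168.0.1, TLS, session=<t1>
"""

# Matches both the "started proxying to host:port:" and the
# "disconnecting <ip> (<reason>):" forms and pulls the client IP (rip=).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: imap-login: "
    r"proxy\((?P<user>[^)]*)\): (?P<event>started proxying|disconnecting)"
    r"(?: \S+ \((?P<reason>[^)]*)\))?.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_lines(log_text: str) -> list[dict[str, object]]:
    """Parse imap-login proxy lines; anything else in the log is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime fills in 1900, fine for deltas
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "event": m["event"],
                       "reason": m["reason"], "rip": m["rip"]})
    return events


def detect_reconnect_storms(log_text: str, threshold: int = 4,
                            window_s: int = 5) -> list[dict[str, object]]:
    """One finding per (user, client IP) with >= threshold login starts in window_s seconds.

    Lines are assumed to be in time order, as they are in a log file.
    """
    recent: dict[tuple[str, str], deque] = defaultdict(deque)
    findings: dict[tuple[str, str], dict[str, object]] = {}
    for ev in parse_lines(log_text):
        if ev["event"] != "started proxying":
            continue
        key = (ev["user"], ev["rip"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            f = findings.setdefault(key, {"user": key[0], "rip": key[1],
                                          "first_seen": q[0], "starts_in_window": 0})
            f["starts_in_window"] = max(f["starts_in_window"], len(q))
    return list(findings.values())


def disconnect_reasons(log_text: str, user: str) -> Counter:
    """Who ended this user's sessions: the client, or the proxy/backend ('server')."""
    return Counter(ev["reason"] for ev in parse_lines(log_text)
                   if ev["user"] == user and ev["event"] == "disconnecting")


if __name__ == "__main__":
    for f in detect_reconnect_storms(SAMPLE_LOG):
        reasons = dict(disconnect_reasons(SAMPLE_LOG, f["user"]))
        print(f"{f['user']} from {f['rip']}: {f['starts_in_window']} proxied logins "
              f"within 5s from {f['first_seen']:%H:%M:%S}; disconnects: {reasons}")
```

The per-(user, IP) key matters for the response: a finding identifies the one client to rate-limit or contact, rather than the account, so the same user working normally from a second device is left alone. The disconnect tally separates the client-initiated drop from the server-side ones that follow, which is the signature described in the post.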



Re: Dovecot proxy

2016-11-26 Thread Gandalf Corvotempesta
2016-11-17 9:11 GMT+01:00 Gandalf Corvotempesta
<gandalf.corvotempe...@gmail.com>:
> Hi to all
> I have some *production* pop3/imap server that I would like to move
> under a proxy
>
> Some questions:
> 1. Keeping the same original hostname on the proxy (in example
> mail.mydomain.tld)
> and changing the hostname on the imap server, makes some troubles like MUA
> redownloading all the messages?
> Is dovecot (running on the imap server) happy seeing the hostname change?
> What about maildirs, where the hostname is wrote on the mail file?
>
> 2. Dovecot proxy will proxy the whole pop3/imap traffic or only the login
> auth?
> I don't want to expose the mailservers to internet, all imap session must be
> proxied through the proxy.
> this because I'll use local IPs on each mail server.

Any advice on this, particularly on question 2?
Is the only way to get the real mailserver IP address to do a
successful auth via the proxy, or does the response come from the real
mail server even in case of a login failure?


Dovecot proxy

2016-11-17 Thread Gandalf Corvotempesta
Hi to all
I have some *production* pop3/imap server that I would like to
move under a proxy

Some questions:
1. Keeping the same original hostname on the proxy (in example
mail.mydomain.tld)
and changing the hostname on the imap server, makes some troubles like MUA
redownloading all the messages?
Is dovecot (running on the imap server) happy seeing the hostname change?
What about maildirs, where the hostname is written on the mail file?

2. Dovecot proxy will proxy the whole pop3/imap traffic or only the login
auth?
I don't want to expose the mailservers to internet, all imap session must
be proxied through the proxy.
this because I'll use local IPs on each mail server.

3. Performance for the proxy server?
The same as the mailserver or higher due to the missing email computation?
For example, the proxy doesn't have to access disks or email data but has
only to transmit what the mailserver is saying

4. Like question 3, any real users for the proxy?
I would like to know some info about hardware and userbase (in example:
dual quad xeon 5600, 32Gb ram, 10.000 concurrent sessions)
In my case I'm planning for about 100 active sessions. Can i use a small
EC2 instance?


Re: Dovecot Proxy and Director

2016-10-29 Thread Gandalf Corvotempesta
2016-10-29 17:02 GMT+02:00 Aki Tuomi :
> You could use private ip addresses backends so you don't even need to expose 
> them to internet at all.

This means creating a VPN between my local DC with Dovecot servers and
the cloud service provider with proxies.


Re: Dovecot Proxy and Director

2016-10-29 Thread Aki Tuomi

> On October 29, 2016 at 5:17 PM Gandalf Corvotempesta 
>  wrote:
> 
> 
> Hi,
> just a simple question: by using a directory and a proxy, I would be
> able to totally hide the pop3/imap server ip addresses from outside?
> I'm asking this because I would like to hide the real server IP for
> security reasons (DDoS and so on).
> 
> The proxy would be placed on servers with high bandwidth while the
> pop3/imap dovecot servers are placed in a small datacenter that would
> go down easily in case of attack


You could use private ip addresses backends so you don't even need to expose 
them to internet at all.

Aki


Dovecot Proxy and Director

2016-10-29 Thread Gandalf Corvotempesta
Hi,
just a simple question: by using a directory and a proxy, I would be
able to totally hide the pop3/imap server ip addresses from outside?
I'm asking this because I would like to hide the real server IP for
security reasons (DDoS and so on).

The proxy would be placed on servers with high bandwidth while the
pop3/imap dovecot servers are placed in a small datacenter that would
go down easily in case of attack


Re: is it possible to run a post-login script in a dovecot proxy with local auth?

2016-07-11 Thread Timo Sirainen
On 05 Jul 2016, at 02:14, Luca Lesinigo <l...@lm-net.it> wrote:
> 
> We’re using dovecot v2.2.22, authenticating on a local database (passdb with 
> sql driver), and then proxying the connections to the backend server returned 
> by passdb (proxy=y and backend in “host” column). To support some legacy 
> clients we should keep POP/IMAP-before-SMTP running for some time, but right 
> now I don’t know how to hook up a successful authentication in the dovecot 
> proxy.
> 
> I did read from http://wiki2.dovecot.org/PostLoginScripting:
>   “...it's not currently possible to run post-login scripts in proxies, 
> because they're not actually logging in to the local Dovecot”
> Does that also hold true even if the proxy is authenticating users locally 
> before proxying them?

Yes. Only when the imap/pop3 process starts the post-login scripting can work.

> Failing that, any idea on how to get successful logins, other than parsing 
> the log file?

passdb checkpassword? Or write a plugin.


is it possible to run a post-login script in a dovecot proxy with local auth?

2016-07-04 Thread Luca Lesinigo
We’re using dovecot v2.2.22, authenticating on a local database (passdb with 
sql driver), and then proxying the connections to the backend server returned 
by passdb (proxy=y and backend in “host” column). To support some legacy 
clients we should keep POP/IMAP-before-SMTP running for some time, but right 
now I don’t know how to hook up a successful authentication in the dovecot 
proxy.

I did read from http://wiki2.dovecot.org/PostLoginScripting:
“...it's not currently possible to run post-login scripts in proxies, 
because they're not actually logging in to the local Dovecot”
Does that also hold true even if the proxy is authenticating users locally 
before proxying them?

Failing that, any idea on how to get successful logins, other than parsing the 
log file?

thank you,
--
Luca Lesinigo

Re: Dovecot Proxy LMTP client connect to TCP port 0

2016-04-09 Thread Wido den Hollander
I looked into this further and it seems that there is no default port for LMTP in
Dovecot.

I patched the code and this seems right:
https://github.com/wido/core/commit/a5917908850eb570ca441517e6bc33f6ce63ed7a

This will make the LMTP client connect to TCP port 24 if no port has been
provided.

I have submitted it as a Pull Request on Github:
https://github.com/dovecot/core/pull/6

Wido

> Op 9 april 2016 om 11:25 schreef Wido den Hollander <w...@widodh.nl>:
> 
> 
> Hi,
> 
> I am trying to set up a Dovecot proxy which proxies through POP3, IMAP and LMTP
> towards a different Dovecot machine.
> 
> On the proxy machine I use a MySQL database as a userdb and passwdb backend
> and
> it returns the proper information as described here:
> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
> 
> IMAP and POP3 works just fine, but with LMTP I run into a problem.
> 
> On the 'proxy' machine Postfix is also running and it delivers locally to LMTP
> via socket:
> 
> virtual_transport = lmtp:unix:private/dovecot-lmtp
> 
> Dovecot there is also configured to proxy LMTP:
> 
> lmtp_proxy = yes
> 
> service lmtp {
>   unix_listener /var/spool/postfix/private/dovecot-lmtp {
> group = postfix
> mode = 0600
> user = postfix
>   }
> }
> 
> So far so good. A telnet to localhost 110 or 143 allows me to log in to the
> POP3/IMAP.
> 
> When Postfix delivers the message locally to Dovecot through LMTP it tries to
> proxy it though.
> 
> When doing so it tries to connect to TCP port 0 (zero).
> 
> dovecot: lmtp(22580): Error: lmtp client: connect(mbox01..nl, 0) failed:
> Connection refused
> 
> I know I can return the 'port' field in the userdb query, but the same query
> is used for POP3, IMAP and LMTP. So that can't be hardcoded.
> 
> I fixed it for now with a CASE statement in SQL:
> 
> password_query = SELECT b.hostname AS host, NULL AS password, \
>   'Y' AS nopassword, u.email AS destuser, 'Y' AS proxy, \
>   CASE '%s' WHEN 'lmtp' THEN 2525 WHEN 'pop3' THEN 110 WHEN 'imap' THEN 143 END AS port \
>   FROM User u, Backend b, Domain d \
>   WHERE u.domainID = d.domainID \
>   AND b.backendID = d.backendID \
>   AND u.email = '%u'
> 
> %s is a variable containing the service Dovecot is trying to look up.
> 
> This is however rather hacky.
> 
> On my destination machine LMTP is listening on port 2525. Is there any way to
> tell the Dovecot LMTP client to connect to port 2525 by default?
> 
> Thanks,
> 
> Wido


Dovecot Proxy LMTP client connect to TCP port 0

2016-04-09 Thread Wido den Hollander
Hi,

I am trying to set up a Dovecot proxy which proxies through POP3, IMAP and LMTP
towards a different Dovecot machine.

On the proxy machine I use a MySQL database as a userdb and passdb backend and
it returns the proper information as described here:
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy

IMAP and POP3 works just fine, but with LMTP I run into a problem.

On the 'proxy' machine Postfix is also running and it delivers locally to LMTP
via socket:

virtual_transport = lmtp:unix:private/dovecot-lmtp

Dovecot there is also configured to proxy LMTP:

lmtp_proxy = yes

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
  }
}

So far so good. A telnet to localhost 110 or 143 allows me to log in to the
POP3/IMAP.

When Postfix delivers the message locally to Dovecot through LMTP it tries to
proxy it though.

When doing so it tries to connect to TCP port 0 (zero).

dovecot: lmtp(22580): Error: lmtp client: connect(mbox01..nl, 0) failed:
Connection refused

I know I can return the 'port' field in the userdb query, but the same query is
used for POP3, IMAP and LMTP. So that can't be hardcoded.

I fixed it for now with a CASE statement in SQL:

password_query = SELECT b.hostname AS host, NULL AS password, \
  'Y' AS nopassword, u.email AS destuser, 'Y' AS proxy, \
  CASE '%s' WHEN 'lmtp' THEN 2525 WHEN 'pop3' THEN 110 WHEN 'imap' THEN 143 END AS port \
  FROM User u, Backend b, Domain d \
  WHERE u.domainID = d.domainID \
  AND b.backendID = d.backendID \
  AND u.email = '%u'

%s is a variable containing the service Dovecot is trying to look up.

This is however rather hacky.

On my destination machine LMTP is listening on port 2525. Is there any way to
tell the Dovecot LMTP client to connect to port 2525 by default?

Thanks,

Wido


LDAP schema for dovecot proxy?

2015-11-10 Thread Andrey Fesenko
Hello,
I want to deploy dovecot proxy/director with the backend and
authorization in LDAP. The Dovecot wiki only specifies which additional
attributes have to be added so that a schema works for a proxy, but gives
no solid LDAP schema.
Is there such a schema, like the existing schemas:

http://www.zytrax.com/books/ldap/ape/courier.html
http://pro-ldap.ru/sources/schema/qmail.schema
http://open.rhx.it/phamm/schema/phamm.schema

Unfortunately they are not good for the task because they simply have no
dovecot-specific variables.


Re: Dovecot proxy ignores trusted root certificate store

2015-09-22 Thread Alex Bulan

On Tue, 22 Sep 2015, Timo Sirainen wrote:

Yeah. The ssl_client_ca_file was implemented later than the SSL proxying 
code. I think this may be something that needs to wait for v2.3 to get 
fixed. v2.3 hopefully removes the duplicated ssl code and uses 
lib-ssl-iostream for proxying also, which makes this easier to 
implement.


Thanks, Timo.  I'll use the ssl_ca workaround for now.


Re: Dovecot proxy ignores trusted root certificate store

2015-09-22 Thread Timo Sirainen
On 22 Sep 2015, at 01:11, Alex Bulan  wrote:
> 
> On Mon, 21 Sep 2015, Edgar Pettijohn wrote:
> 
>> doveconf -n?
> 
> doveconf -n|grep ssl should suffice:
> 
> ssl = required
> ssl_ca =  ssl_cert =  ssl_key =  ssl_require_crl = no
> 
> I'm using "ssl_ca =  workaround, even though this is not what ssl_ca is for.  It happens to work, 
> at least for now, but this is not a fix.
> 
> ssl_client_ca_file should be used instead, but it has no effect in proxy mode:

Yeah. The ssl_client_ca_file was implemented later than the SSL proxying code. 
I think this may be something that needs to wait for v2.3 to get fixed. v2.3 
hopefully removes the duplicated ssl code and uses lib-ssl-iostream for 
proxying also, which makes this easier to implement.


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Mihai Badici
On Monday 21 September 2015 01:53:53 Alex Bulan wrote:
> Dovecot v2.2.18
> OS: FreeBSD 10.1/amd64
> 
> Dovecot in proxy mode ignores the root certificate store and can't verify
> the backend's SSL certificate.
> 
> I've pointed ssl_client_ca_file to my root certificate store, but I
> suspect ssl_client_ca_file is only used in imapc context.  It seems to be
> ignored in proxy context.
> 
> doveconf -n ssl_client_ca_file:
> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

I think the correct syntax is:

ssl_ca = < /etc/ssl/certs/cacert.pem

For all kinds of ssl_xyz files




Mihai Badici[1] 


[1] http://mihai.badici.ro


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Christian Kivalo

Hi


I've pointed ssl_client_ca_file to my root certificate store, but I
suspect ssl_client_ca_file is only used in imapc context.  It seems to
be ignored in proxy context.

doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt


You are missing the "<" before the file path

Try ssl_client_ca_file = http://wiki2.dovecot.org/SSL/DovecotConfiguration

Regards
Christian


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Alex Bulan
The result is the same with or without "<" before the file path.  With "<" 
the inode atime is updated at Dovecot startup, so the file is at least 
opened, but Dovecot still can't verify the cert.


The only place in the Wiki that shows an example of ssl_client_ca_file is 
on this page, and there's no "<" in front of the file path:


http://wiki2.dovecot.org/Replication

(quote)
The client must be able to verify that the SSL certificate is valid, so 
you need to specify the directory containing valid SSL CA roots:


ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)



On Mon, 21 Sep 2015, Christian Kivalo wrote:


Hi


I've pointed ssl_client_ca_file to my root certificate store, but I
suspect ssl_client_ca_file is only used in imapc context.  It seems to
be ignored in proxy context.

doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt


You are missing the "<" before the file path

Try ssl_client_ca_file = http://wiki2.dovecot.org/SSL/DovecotConfiguration

Regards
Christian



Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Edgar Pettijohn



On 09/21/2015 05:11 PM, Alex Bulan wrote:

On Mon, 21 Sep 2015, Edgar Pettijohn wrote:


doveconf -n?


doveconf -n|grep ssl should suffice:

ssl = required


shouldn't it be:

ssl = yes

I was only aware of the choice of yes or no here, but I could be wrong.

ssl_ca = I'm using "ssl_ca = temporary workaround, even though this is not what ssl_ca is for.  It 
happens to work, at least for now, but this is not a fix.


ssl_client_ca_file should be used instead, but it has no effect in 
proxy mode:


ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

This doesn't work either (and the Dovecot Wiki shows it used without 
"<"):


ssl_client_ca_file = And "ssl_require_crl = no" to silence "unable to get certificate CRL" 
log messages.  I don't need it to check CRLs on the backend's 
certificate chain.


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Andrew McN

On 21/09/15 17:28, Alex Bulan wrote:
> The result is the same with or without "<" before the file path.  With
> "<" the inode atime is updated at Dovecot startup, so the file is at
> least opened, but Dovecot still can't verify the cert.
> 
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no "<" in front of the file path:
> 
> http://wiki2.dovecot.org/Replication
> 
> (quote)
> The client must be able to verify that the SSL certificate is valid, so
> you need to specify the directory containing valid SSL CA roots:
> 
> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
> (end quote)
> 

Suggesting that on Redhat you should specify "the directory containing
valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
Sounds like setting a file instead.  So that bit of documentation should
be treated as rather suspect.

Regards,
Andrew


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Alex Bulan

On Mon, 21 Sep 2015, Edgar Pettijohn wrote:


ssl = required


shouldn't it be:

ssl = yes

I was only aware of the choice of yes or no here, but I could be wrong.


See http://wiki2.dovecot.org/SSL/DovecotConfiguration


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Alex Bulan

On Mon, 21 Sep 2015, Edgar Pettijohn wrote:


doveconf -n?


doveconf -n|grep ssl should suffice:

ssl = required
ssl_ca = I'm using "ssl_ca = temporary workaround, even though this is not what ssl_ca is for.  It 
happens to work, at least for now, but this is not a fix.


ssl_client_ca_file should be used instead, but it has no effect in proxy 
mode:


ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

This doesn't work either (and the Dovecot Wiki shows it used without "<"):

ssl_client_ca_file = And "ssl_require_crl = no" to silence "unable to get certificate CRL" log 
messages.  I don't need it to check CRLs on the backend's certificate 
chain.


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Alex Bulan

On Mon, 21 Sep 2015, Christian Kivalo wrote:

Haven't found much about proxying and ssl but found a configuration parameter 
ssl_ca = 

http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client certificate 
verification/authentication


ssl_ca serves a different purpose, it's for setting your certificate 
authority in order to verify client certs you've issued.


Setting "ssl_ca = verify the proxy backend cert, at least the current Dovecot release, but 
it's a hack.  It's misusing this setting for a different purpose than 
documented.  I can't rely on this "solution" as it could break in a future 
Dovecot release.


The correct setting to use is ssl_client_ca_file.  It's just not being 
applied in proxy mode.


The patchset that implemented ssl_client_ca_file is here:

http://www.dovecot.org/list/dovecot-cvs/2013-April/023089.html

Dovecot calls the OpenSSL function SSL_CTX_load_verify_locations() to set 
the CAfile path, as it should, but apparently only when it's talking to an 
imapc storage backend, not when it's acting as a simple proxy.


See http://dovecot.org/pipermail/dovecot/2013-June/090884.html


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Alex Bulan

On Mon, 21 Sep 2015, Andrew McN wrote:


http://wiki2.dovecot.org/Replication

(quote)
The client must be able to verify that the SSL certificate is valid, so
you need to specify the directory containing valid SSL CA roots:

ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)



Suggesting that on Redhat you should specify "the directory containing
valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
Sounds like setting a file instead.  So that bit of documentation should
be treated as rather suspect.

Regards,
Andrew


In some environments, root certs are stored in a hashed directory, in 
other environments they're stored in one file.  One would typically use 
one setting or the other.


I think ssl_client_ca_file was implemented later than ssl_client_ca_dir. 
The comment just needs to be updated.


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Edgar Pettijohn

doveconf -n?

On 09/21/2015 12:45 PM, Alex Bulan wrote:

On Mon, 21 Sep 2015, Andrew McN wrote:


http://wiki2.dovecot.org/Replication

(quote)
The client must be able to verify that the SSL certificate is valid, so
you need to specify the directory containing valid SSL CA roots:

ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)



Suggesting that on Redhat you should specify "the directory containing
valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
Sounds like setting a file instead.  So that bit of documentation should
be treated as rather suspect.

Regards,
Andrew


In some environments, root certs are stored in a hashed directory, in 
other environments they're stored in one file.  One would typically 
use one setting or the other.


I think ssl_client_ca_file was implemented later than 
ssl_client_ca_dir. The comment just needs to be updated.


Re: Dovecot proxy ignores trusted root certificate store

2015-09-21 Thread Christian Kivalo



On 2015-09-21 09:28, Alex Bulan wrote:

The result is the same with or without "<" before the file path.  With
"<" the inode atime is updated at Dovecot startup, so the file is at
least opened, but Dovecot still can't verify the cert.

The only place in the Wiki that shows an example of ssl_client_ca_file
is on this page, and there's no "<" in front of the file path:

http://wiki2.dovecot.org/Replication

(quote)
The client must be able to verify that the SSL certificate is valid,
so you need to specify the directory containing valid SSL CA roots:

ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)


For replication only settings? I can only guess as I currently don't use 
proxy nor replication.


Haven't found much about proxying and ssl but found a configuration 
parameter ssl_ca = 

http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client 
certificate verification/authentication




On Mon, 21 Sep 2015, Christian Kivalo wrote:


Hi


I've pointed ssl_client_ca_file to my root certificate store, but I
suspect ssl_client_ca_file is only used in imapc context.  It seems 
to

be ignored in proxy context.

doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt


You are missing the "<" before the file path

Try ssl_client_ca_file = http://wiki2.dovecot.org/SSL/DovecotConfiguration

Regards
Christian



- Christian


Dovecot proxy ignores trusted root certificate store

2015-09-20 Thread Alex Bulan

Dovecot v2.2.18
OS: FreeBSD 10.1/amd64

Dovecot in proxy mode ignores the root certificate store and can't verify 
the backend's SSL certificate.


I've pointed ssl_client_ca_file to my root certificate store, but I 
suspect ssl_client_ca_file is only used in imapc context.  It seems to be 
ignored in proxy context.


doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

In my password_query I return host set to the backend's IP address, 
starttls='yes', proxy='y'.


The backend's certificate chain is correct and it verifies successfully 
with "openssl s_client -connect x.x.x.x:110 -starttls pop3 -CAfile 
/usr/local/share/certs/ca-root-nss.crt".


But the Dovecot proxy fails to verify the intermediate certificate it 
receives from the backend.  The inode atime of ca-root-nss.crt is never 
updated, either at Dovecot start or when it connects to the backend, so 
Dovecot (via the openssl library) never reads the file.


Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: unable to get 
local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated 
SSL/CN=GeoTrust DV SSL CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: certificate not 
trusted: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL 
CA - G4
Sep 20 19:59:48 dovecot: pop3-login: Error: proxy: Received invalid SSL 
certificate from x.x.x.x:110: unable to get local issuer certificate: 
/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4: 
user=, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, 
session=
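Because a proxy that cannot verify its backend's certificate is only visible in the login-process log, here is an added example (not from this thread or the Dovecot project) that parses pop3-login/imap-login lines shaped like the ones quoted above and summarises verification failures per backend. The sample log lines, addresses, user names, session ids and the regexes are constructed from the messages in this thread and may need adjusting for other Dovecot versions.

```python
"""Detect Dovecot proxy backend-TLS verification failures in login logs.

Added example, not code from the mailing-list thread or from Dovecot.
The log lines below are constructed after the ones quoted in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Summary line the login process writes when proxying fails TLS verification.
PROXY_RE = re.compile(
    r"(?P<service>\w+-login): Error: proxy: Received invalid SSL certificate "
    r"from (?P<host>[^:]+):(?P<port>\d+): (?P<reason>[^:]+): (?P<subject>/.*?): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[^,]+), "
    r"lip=(?P<lip>[^,]+)"
)
# Per-chain-element verify errors logged just before the summary line.
INVALID_RE = re.compile(
    r"(?P<service>\w+-login): Invalid certificate: (?P<reason>[^:]+): (?P<subject>/.*)$"
)

# Constructed sample log (documentation IP ranges, made-up users/sessions).
SAMPLE_LOG = [
    "Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: unable to get local "
    "issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4",
    "Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: certificate not trusted: "
    "/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4",
    "Sep 20 19:59:48 dovecot: pop3-login: Error: proxy: Received invalid SSL certificate "
    "from 192.0.2.10:110: unable to get local issuer certificate: "
    "/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4: "
    "user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, session=<c0nstructed1>",
    "Sep 20 20:01:02 dovecot: imap-login: Error: proxy: Received invalid SSL certificate "
    "from 192.0.2.11:143: self signed certificate: /CN=mbox02.example.net: "
    "user=<bob>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.1, session=<c0nstructed2>",
    # A normal local login that the scanner must ignore.
    "Sep 20 20:01:05 dovecot: imap-login: Login: user=<carol>, method=PLAIN, "
    "rip=198.51.100.9, lip=192.0.2.1, mpid=1234, TLS",
]

# Defender's checklist for the OpenSSL verify errors a proxy commonly logs.
TRIAGE = {
    "unable to get local issuer certificate":
        "proxy could not find the issuer: its CA store was not loaded, or the "
        "backend does not send its intermediate certificate",
    "certificate not trusted":
        "chain does not end at a root in the store the proxy actually loaded",
    "self signed certificate":
        "backend presents a self-signed certificate: trust it via a dedicated CA "
        "file, never by turning verification off",
    "certificate has expired":
        "backend certificate has expired: renew it",
}


@dataclass(frozen=True)
class ProxyTlsFailure:
    service: str
    backend: str   # host:port the proxy tried to reach
    reason: str    # OpenSSL verify error text
    subject: str   # subject of the certificate that failed
    user: str
    rip: str       # client address that triggered the proxied login


def parse_proxy_failure(line):
    """Return a ProxyTlsFailure for a proxy summary line, else None."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    return ProxyTlsFailure(m["service"], f"{m['host']}:{m['port']}",
                           m["reason"], m["subject"], m["user"], m["rip"])


def triage(reason):
    return TRIAGE.get(reason, "unrecognised verify error: inspect the backend "
                              "with openssl s_client and the proxy's CA file")


def scan(lines):
    """Return (failures, failures per backend, chain-element reasons)."""
    failures, per_backend, chain_reasons = [], Counter(), Counter()
    for line in lines:
        f = parse_proxy_failure(line)
        if f:
            failures.append(f)
            per_backend[f.backend] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            chain_reasons[m["reason"]] += 1
    return failures, per_backend, chain_reasons


if __name__ == "__main__":
    failures, per_backend, chain_reasons = scan(SAMPLE_LOG)
    for f in failures:
        print(f"{f.service} -> {f.backend}: {f.reason} ({f.subject}) "
              f"user={f.user} rip={f.rip}\n    {triage(f.reason)}")
    print("per backend:", dict(per_backend))
    print("chain errors:", dict(chain_reasons))
```

Every backend in the summary is one whose TLS is effectively unauthenticated from the proxy's point of view, so a non-zero count should page someone rather than be silenced.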


Dovecot proxy and password scheme updating

2015-08-28 Thread efs efefsfse
Hello,

I run a dovecot proxy (which is doing authentication itself) and a
dovecot backend on separate boxes.
I want to change the actual password scheme.

Since postlogin scripting is not supported by proxies and the %w variable is
not forwarded to the dovecot backend, is there any way that I can update the
password scheme with my current setup?

Thanks in advance.


Re: dovecot proxy/director and high availability design

2015-07-21 Thread James Lott
I think RR DNS is the only viable solution under these circumstances. If 
you can cope with the fact that failovers won't be seamless, I don't 
think there's anything wrong with that though.


On 07/21/2015 11:54 AM, Laz C. Peterson wrote:

The consensus seems to say no to RR DNS … I am going to take that into serious 
consideration.

With this proxy setup you describe, what would happen if HAProxy or Dovecot 
Proxy were to fail?

I think there is no problem with many moving parts, as long as there is a 
backup plan in case something goes awry.  My goal is slightly different, as I 
want to have HA available across datacenters without using BGP or having 
control over the IP space (so, no anycast).  Just a simple way to get the 
clients redirected to the other Dovecot server when I lose an entire datacenter 
network for whatever reason.

~ Laz Peterson
Paravis, LLC


On Jul 20, 2015, at 5:32 PM, Chad M Stewart c...@balius.com wrote:


Round-robin DNS last I checked can be fraught with issues.

While doing something else I came up with this idea:  Clients -- Load Balancer(HAProxy) 
-- Dovecot Proxy(DP) -- Dovecot Director(DD) -- MS1 / MS2.


When DP checks say user100 it'll find a host=DD-POD1 that returns two IPs, 
those of the two DD that sit in front of POD1. This DD pair is the only pair in 
the ring and only responsible for POD1.  Another pair will handle POD2.  When 
DD looks up the host value for a user it'll find the same name, but the IPs 
returned will be different.  Instead have both IPs of the mail stores returned.

I believe this will achieve what I'm after.  HAProxy will do the load balancing of the DP 
instances.  DP will balance the DDs, and DDs will do its job well and ensure that say 
user300 has all of their connections sent to MS1.  When I need to do maintenance on MS1 I 
can use the DD pair for POD1 to gently move the connections to MS2, etc..   I could also 
make each POD a 2+1 cluster, so a silent but up-to-date and replicated store sits there 
waiting should it be needed, or even a 2+2 cluster.  After all two is one, and one 
is none.

Not sure when I'll get time to implement/test this out, but in theory it sounds 
reasonable. I admit it's a fair amount of moving parts and areas for failure, but 
I think it may be the balance needed to achieve the service level availability 
I'm after while still allowing for maintenance on the systems w/o clients 
noticing.

-Chad


On Jul 20, 2015, at 1:04 PM, Laz C. Peterson l...@paravis.net wrote:


I’m trying to do this too.  But the goal would be simply for automatic failover 
to the other datacenter.  Everything is working if the server’s unique hostname 
is entered, but I want to do something like round robin DNS that mail clients 
will automatically attempt to connect to the other IP if they cannot get to the 
first address.  Unfortunately mail applications don’t really do this like web 
browsers do …

~ Laz Peterson
Paravis, LLC


On Jul 20, 2015, at 10:29 AM, Chad M Stewart c...@balius.com wrote:


I'm trying to determine which dovecot components to use and how to order them 
in the network path from client to mail store.


If I have say 1,000 users, all stored in MySQL (or LDAP) and have 4 mail 
stores, configured into 2, 2 node pods.


MS1 and MS2 are pod1 and are configured with replication (dsync) and host users 
0-500.  MS3 and MS4 are pod2 and are configured with replication between them 
and host users 501-1000.   Ideally the active connections in pod1 would be 
split 50/50 between MS1 and MS2.  When maintenance is performed obviously all 
active connections/users would be moved to the other node in the pod and then 
rebalanced once maintenance is completed.

I'm not sure if I need to use both the proxy and director, or just one or the 
other? If both then what is the proper path, from a network perspective?  I 
like the functionality director provides, being able to add/remove servers on 
the fly and adjust connections, etc.. But from what I've read director needs to 
know about all mail servers.  The problem is that not all servers host all 
users.  User100 could be serviced by ms1 or ms2, but not by ms3 or ms4.

I'm trying to design a system that should provide as close to 99.999% service 
availability as possible.



Thank you,
Chad


Re: dovecot proxy/director and high availability design

2015-07-21 Thread Chad M Stewart



On 2015-07-21 02:54 PM, Laz C. Peterson wrote:

The consensus seems to say no to RR DNS … I am going to take that into
serious consideration.

With this proxy setup you describe, what would happen if HAProxy or
Dovecot Proxy were to fail?


Multiple instances of each. I'll be using SmartOS as the base for my 
systems, so I'll be using ucarp, combined with haproxy should achieve 
what I'm after.  Given two client facing IPs, I'm thinking two instances 
of HAProxy+ucarp, each handling one IP.  Giving me active/active.  
HAProxy can hand off the connections to N+1 DP, the number of those 
would be based on redundancy plus load, thus my minimum would be 3.


Brainstorming your situation: install HAProxy (or similar) in each 
data center. Then use dovecot director to route users to the store they 
happen to be using.  In other words if the first connection from userA 
comes into data center 1 then it gets sent to MS1 in the same data 
center.  Their next connection comes into data center 2 (thinking mobile 
device vs their desktop), the dovecot director there would route the 
connection over to ms1 in data center 1.  Not that network efficient, 
but it might achieve what you want given your constraints too.



-Chad


Re: dovecot proxy/director and high availability design

2015-07-21 Thread Marcus Rueckert
On Tue, 21 Jul 2015 12:00:39 -0700
James Lott ja...@lottspot.com wrote:

 I think RR DNS is the only viable solution under these circumstances.
 If you can cope with the fact that failovers won't be seamless, I
 don't think there's anything wrong with that though.
 
 On 07/21/2015 11:54 AM, Laz C. Peterson wrote:
  The consensus seems to say no to RR DNS … I am going to take that
  into serious consideration.
 
  With this proxy setup you describe, what would happen if HAProxy or
  Dovecot Proxy were to fail?
 
  I think there is no problem with many moving parts, as long as
  there is a backup plan in case something goes awry.  My goal is
  slightly different, as I want to have HA available across
  datacenters without using BGP or having control over the IP space
  (so, no anycast).  Just a simple way to get the clients redirected
  to the other Dovecot server when I lose an entire datacenter
  network for whatever reason.

you don't need DNS RR for that. just plain DNS entries with a very short
TTL.

darix

-- 
  openSUSE - SUSE Linux is my linux
  openSUSE is good for you
  www.opensuse.org


Re: dovecot proxy/director and high availability design

2015-07-21 Thread James Lott

Right.. I stand corrected

On 07/21/2015 12:37 PM, Marcus Rueckert wrote:

On Tue, 21 Jul 2015 12:00:39 -0700
James Lott ja...@lottspot.com wrote:


I think RR DNS is the only viable solution under these circumstances.
If you can cope with the fact that failovers won't be seamless, I
don't think there's anything wrong with that though.

On 07/21/2015 11:54 AM, Laz C. Peterson wrote:

The consensus seems to say no to RR DNS … I am going to take that
into serious consideration.

With this proxy setup you describe, what would happen if HAProxy or
Dovecot Proxy were to fail?

I think there is no problem with many moving parts, as long as
there is a backup plan in case something goes awry.  My goal is
slightly different, as I want to have HA available across
datacenters without using BGP or having control over the IP space
(so, no anycast).  Just a simple way to get the clients redirected
to the other Dovecot server when I lose an entire datacenter
network for whatever reason.

you don't need DNS RR for that. just plain DNS entries with a very short
TTL.

 darix



Re: dovecot proxy/director and high availability design

2015-07-21 Thread Laz C. Peterson
The consensus seems to say no to RR DNS … I am going to take that into serious 
consideration.

With this proxy setup you describe, what would happen if HAProxy or Dovecot 
Proxy were to fail?

I think there is no problem with many moving parts, as long as there is a 
backup plan in case something goes awry.  My goal is slightly different, as I 
want to have HA available across datacenters without using BGP or having 
control over the IP space (so, no anycast).  Just a simple way to get the 
clients redirected to the other Dovecot server when I lose an entire datacenter 
network for whatever reason.

~ Laz Peterson
Paravis, LLC

 On Jul 20, 2015, at 5:32 PM, Chad M Stewart c...@balius.com wrote:
 
 
 Round-robin DNS last I checked can be fraught with issues.  
 
 While doing something else I came up with this idea:  Clients -- Load 
 Balancer(HAProxy) -- Dovecot Proxy(DP) -- Dovecot Director(DD) -- MS1 / 
 MS2.
 
 
 When DP checks say user100 it'll find a host=DD-POD1 that returns two IPs, 
 those of the two DD that sit in front of POD1. This DD pair is the only pair 
 in the ring and only responsible for POD1.  Another pair will handle POD2.  
 When DD looks up the host value for a user it'll find the same name, but the 
 IPs returned will be different.  Instead have both IPs of the mail stores 
 returned.  
 
 I believe this will achieve what I'm after.  HAProxy will do the load 
 balancing of the DP instances.  DP will balance the DDs, and DDs will do its 
 job well and ensure that say user300 has all of their connections sent to 
 MS1.  When I need to do maintenance on MS1 I can use the DD pair for POD1 to 
 gently move the connections to MS2, etc..   I could also make each POD a 2+1 
 cluster, so a silent but up-to-date and replicated store sits there waiting 
 should it be needed, or even a 2+2 cluster.  After all two is one, and one 
 is none.
 
 Not sure when I'll get time to implement/test this out, but in theory it 
 sounds reasonable. I admit it's a fair amount of moving parts and areas for 
 failure, but I think it may be the balance needed to achieve the service level 
 availability I'm after while still allowing for maintenance on the systems 
 w/o clients noticing.
 
 -Chad
 
 
 On Jul 20, 2015, at 1:04 PM, Laz C. Peterson l...@paravis.net wrote:
 
 I’m trying to do this too.  But the goal would be simply for automatic 
 failover to the other datacenter.  Everything is working if the server’s 
 unique hostname is entered, but I want to do something like round robin DNS 
 that mail clients will automatically attempt to connect to the other IP if 
 they cannot get to the first address.  Unfortunately mail applications don’t 
 really do this like web browsers do …
 
 ~ Laz Peterson
 Paravis, LLC
 
 On Jul 20, 2015, at 10:29 AM, Chad M Stewart c...@balius.com wrote:
 
 
 I'm trying to determine which dovecot components to use and how to order 
 them in the network path from client to mail store.
 
 
 If I have say 1,000 users, all stored in MySQL (or LDAP) and have 4 mail 
 stores, configured into 2, 2 node pods.
 
 
 MS1 and MS2 are pod1 and are configured with replication (dsync) and host 
 users 0-500.  MS3 and MS4 are pod2 and are configured with replication 
 between them and host users 501-1000.   Ideally the active connections in 
 pod1 would be split 50/50 between MS1 and MS2.  When maintenance is 
 performed obviously all active connections/users would be moved to the 
 other node in the pod and then rebalanced once maintenance is completed.  
 
 I'm not sure if I need to use both the proxy and director, or just one or 
 the other? If both then what is the proper path, from a network 
 perspective?  I like the functionality director provides, being able to 
 add/remove servers on the fly and adjust connections, etc.. But from what 
 I've read director needs to know about all mail servers.  The problem is 
 that not all servers host all users.  User100 could be serviced by ms1 or 
 ms2, but not by ms3 or ms4.  
 
 I'm trying to design a system that should provide as close to 99.999% 
 service availability as possible.
 
 
 
 Thank you,
 Chad


Re: dovecot proxy/director and high availability design

2015-07-20 Thread Robert Schetterer
Am 20.07.2015 um 20:04 schrieb Laz C. Peterson:
 I’m trying to do this too.  But the goal would be simply for automatic 
 failover to the other datacenter.  Everything is working if the server’s 
 unique hostname is entered, but I want to do something like round robin DNS 
 that mail clients will automatically attempt to connect to the other IP if 
 they cannot get to the first address.  Unfortunately mail applications don’t 
 really do this like web browsers do …

think about using loadbalancers before directors/proxies with checks, I
don't think you will reach your goal with round robin DNS etc. for real-world setups

 
 ~ Laz Peterson
 Paravis, LLC
 
 On Jul 20, 2015, at 10:29 AM, Chad M Stewart c...@balius.com wrote:


 I'm trying to determine which dovecot components to use and how to order 
 them in the network path from client to mail store.


 If I have say 1,000 users, all stored in MySQL (or LDAP) and have 4 mail 
 stores, configured into 2, 2 node pods.


 MS1 and MS2 are pod1 and are configured with replication (dsync) and host 
 users 0-500.  MS3 and MS4 are pod2 and are configured with replication 
 between them and host users 501-1000.   Ideally the active connections in 
 pod1 would be split 50/50 between MS1 and MS2.  When maintenance is 
 performed obviously all active connections/users would be moved to the other 
 node in the pod and then rebalanced once maintenance is completed.  

 I'm not sure if I need to use both the proxy and director, or just one or 
 the other? If both then what is the proper path, from a network perspective? 
  I like the functionality director provides, being able to add/remove 
 servers on the fly and adjust connections, etc.. But from what I've read 
 director needs to know about all mail servers.  The problem is that not all 
 servers host all users.  User100 could be serviced by ms1 or ms2, but not by 
 ms3 or ms4.  

 I'm trying to design a system that should provide as close to 99.999% 
 service availability as possible.



 Thank you,
 Chad



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


Re: dovecot proxy/director and high availability design

2015-07-20 Thread Laz C. Peterson
I’m trying to do this too.  But the goal would be simply for automatic failover 
to the other datacenter.  Everything is working if the server’s unique hostname 
is entered, but I want to do something like round robin DNS that mail clients 
will automatically attempt to connect to the other IP if they cannot get to the 
first address.  Unfortunately mail applications don’t really do this like web 
browsers do …

~ Laz Peterson
Paravis, LLC

 On Jul 20, 2015, at 10:29 AM, Chad M Stewart c...@balius.com wrote:
 
 
 I'm trying to determine which dovecot components to use and how to order them 
 in the network path from client to mail store.
 
 
 If I have say 1,000 users, all stored in MySQL (or LDAP) and have 4 mail 
 stores, configured into 2, 2 node pods.
 
 
 MS1 and MS2 are pod1 and are configured with replication (dsync) and host 
 users 0-500.  MS3 and MS4 are pod2 and are configured with replication 
 between them and host users 501-1000.   Ideally the active connections in 
 pod1 would be split 50/50 between MS1 and MS2.  When maintenance is performed 
 obviously all active connections/users would be moved to the other node in 
 the pod and then rebalanced once maintenance is completed.  
 
 I'm not sure if I need to use both the proxy and director, or just one or the 
 other? If both then what is the proper path, from a network perspective?  I 
 like the functionality director provides, being able to add/remove servers on 
 the fly and adjust connections, etc.. But from what I've read director needs 
 to know about all mail servers.  The problem is that not all servers host all 
 users.  User100 could be serviced by ms1 or ms2, but not by ms3 or ms4.  
 
 I'm trying to design a system that should provide as close to 99.999% service 
 availability as possible.
 
 
 
 Thank you,
 Chad


dovecot proxy/director and high availability design

2015-07-20 Thread Chad M Stewart

I'm trying to determine which dovecot components to use and how to order them 
in the network path from client to mail store.


If I have say 1,000 users, all stored in MySQL (or LDAP) and have 4 mail 
stores, configured into 2, 2 node pods.


MS1 and MS2 are pod1 and are configured with replication (dsync) and host users 
0-500.  MS3 and MS4 are pod2 and are configured with replication between them 
and host users 501-1000.   Ideally the active connections in pod1 would be 
split 50/50 between MS1 and MS2.  When maintenance is performed obviously all 
active connections/users would be moved to the other node in the pod and then 
rebalanced once maintenance is completed.  

I'm not sure if I need to use both the proxy and director, or just one or the 
other? If both then what is the proper path, from a network perspective?  I 
like the functionality director provides, being able to add/remove servers on 
the fly and adjust connections, etc.. But from what I've read director needs to 
know about all mail servers.  The problem is that not all servers host all 
users.  User100 could be serviced by ms1 or ms2, but not by ms3 or ms4.  

I'm trying to design a system that should provide as close to 99.999% service 
availability as possible.



Thank you,
Chad


Re: dovecot proxy/director and high availability design

2015-07-20 Thread Chad M Stewart

Round-robin DNS last I checked can be fraught with issues.  

While doing something else I came up with this idea:  Clients -- Load 
Balancer(HAProxy) -- Dovecot Proxy(DP) -- Dovecot Director(DD) -- MS1 / MS2.


When DP checks say user100 it'll find a host=DD-POD1 that returns two IPs, 
those of the two DD that sit in front of POD1. This DD pair is the only pair in 
the ring and only responsible for POD1.  Another pair will handle POD2.  When 
DD looks up the host value for a user it'll find the same name, but the IPs 
returned will be different.  Instead have both IPs of the mail stores returned. 
 

I believe this will achieve what I'm after.  HAProxy will do the load balancing 
of the DP instances.  DP will balance the DDs, and DDs will do its job well and 
ensure that say user300 has all of their connections sent to MS1.  When I need 
to do maintenance on MS1 I can use the DD pair for POD1 to gently move the 
connections to MS2, etc..   I could also make each POD a 2+1 cluster, so a 
silent but up-to-date and replicated store sits there waiting should it be 
needed, or even a 2+2 cluster.  After all two is one, and one is none.

Not sure when I'll get time to implement/test this out, but in theory it sounds 
reasonable. I admit it's a fair amount of moving parts and areas for failure, but 
I think it may be the balance needed to achieve the service level availability 
I'm after while still allowing for maintenance on the systems w/o clients 
noticing.

-Chad


On Jul 20, 2015, at 1:04 PM, Laz C. Peterson l...@paravis.net wrote:

 I’m trying to do this too.  But the goal would be simply for automatic 
 failover to the other datacenter.  Everything is working if the server’s 
 unique hostname is entered, but I want to do something like round robin DNS 
 that mail clients will automatically attempt to connect to the other IP if 
 they cannot get to the first address.  Unfortunately mail applications don’t 
 really do this like web browsers do …
 
 ~ Laz Peterson
 Paravis, LLC
 
 On Jul 20, 2015, at 10:29 AM, Chad M Stewart c...@balius.com wrote:
 
 
 I'm trying to determine which dovecot components to use and how to order 
 them in the network path from client to mail store.
 
 
 If I have say 1,000 users, all stored in MySQL (or LDAP) and have 4 mail 
 stores, configured into 2, 2 node pods.
 
 
 MS1 and MS2 are pod1 and are configured with replication (dsync) and host 
 users 0-500.  MS3 and MS4 are pod2 and are configured with replication 
 between them and host users 501-1000.   Ideally the active connections in 
 pod1 would be split 50/50 between MS1 and MS2.  When maintenance is 
 performed obviously all active connections/users would be moved to the other 
 node in the pod and then rebalanced once maintenance is completed.  
 
 I'm not sure if I need to use both the proxy and director, or just one or 
 the other? If both then what is the proper path, from a network perspective? 
  I like the functionality director provides, being able to add/remove 
 servers on the fly and adjust connections, etc.. But from what I've read 
 director needs to know about all mail servers.  The problem is that not all 
 servers host all users.  User100 could be serviced by ms1 or ms2, but not by 
 ms3 or ms4.  
 
 I'm trying to design a system that should provide as close to 99.999% 
 service availability as possible.
 
 
 
 Thank you,
 Chad


dovecot-proxy with managesieve, director and backend dovecot imap

2015-05-06 Thread George Vieira

hi all,

I've been tasked to add sieve/managesieve to an existing dovecot cluster 
running 2.1.7 on debian wheezy which is made up of 2 dovecot-proxy hosts 
as directors and some back end dovecot imap hosts all running the same 
version.


My problem is that I thought I'd put the service on the director/proxy 
hosts since they wouldn't have too much load on them, but when I do I get 
the following error:


Apr 28 11:00:28 master: Info: Dovecot v2.1.7 starting up (core dumps 
disabled)
Apr 28 11:00:28 config: Warning: service auth { client_limit=5 } is 
lower than required under max. load (6)
Apr 28 11:00:34 managesieve-login: Error: proxy: host not given: 
user=mailchan...@mydomain.net, method=PLAIN, rip=192.168.100.207, 
lip=192.168.100.119, TLS, session=3/zPY74UOgDAqGTP
Apr 28 11:00:34 managesieve-login: Info: Aborted login (internal 
failure, 1 succesful auths): user=mailchan...@mydomain.net, 
method=PLAIN, rip=192.168.100.207, lip=192.168.100.119, TLS, 
session=3/zPY74UOgDAqGTP


From searching around, I only ever saw one result, which was to add 
"executable = managesieve-login director" to the managesieve service, 
but this made no difference at all and the error is the same.


So I tried to instead use the back end imap servers, but they throw 
errors expecting the user's password to be the common proxy/director 
password as below:

passdb {
   driver = static
   args = user=%u password=crypticpasswordagain
}

Apr 28 12:03:37 auth: Debug: 
static(mailchan...@mydomain.net,192.168.100.207,17RTRb8UpADAqGTP): lookup
Apr 28 12:03:37 auth: Info: 
static(mailchan...@mydomain.net,192.168.100.207,17RTRb8UpADAqGTP): 
Password mismatch
Apr 28 12:03:37 auth: Debug: 
static(mailchan...@mydomain.net,192.168.100.207,17RTRb8UpADAqGTP): 
PLAIN(85387v92394jks) != 'crypticpasswordagain'
Apr 28 12:03:39 auth: Debug: client out: FAIL   1 
user=mailchan...@mydomain.net


So with configs below, how is it best to run managesieve that takes the 
correct login/password without directing to the cluster (or direct if 
it's easier but must use real user password)?


-- dovecot proxy config --

# dovecot version 2.1.7

instance_name= dovecot-proxy
protocols= imap pop3 lmtp sieve
mail_location= maildir:~/
#listen= 192.168.101.119
listen= 0.0.0.0
#= dovecot-proxy-1
director_servers= 192.168.101.119
#= dovecot-shared-7
director_mail_servers= 192.168.100.101
base_dir= /var/run/dovecot-proxy
login_greeting= Welcome to IMAP.
default_internal_user= webmail

lmtp_proxy = yes

disable_plaintext_auth = no

auth_mechanisms = plain login cram-md5

auth_verbose=yes
auth_debug=yes
auth_debug_passwords=yes
mail_debug=yes
verbose_ssl=yes
auth_verbose_passwords=no

#log_path = syslog
log_path = /var/log/dovecot.log

default_process_limit = 1
default_client_limit = 5

ssl = no
ssl_cert = </etc/ssl/private/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

director_user_expire = 15 min

doveadm_proxy_port = 9292
doveadm_password = somecrypticpassword

auth_worker_max_count = 90

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-proxy-ldap.conf.ext
}

passdb {
driver = checkpassword
args = /etc/dovecot/checkpassword_migration.py
}

userdb {
driver = prefetch
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

service director {
  unix_listener login/director {
mode = 0666
  }
  fifo_listener login/proxy-notify {
mode = 0666
  }
  unix_listener director-userdb {
mode = 0600
  }
  inet_listener {
port = 9191
  }
}

service imap-login {
  process_min_avail = 2
  service_count = 0
  executable = imap-login director
  inet_listener imap {
  port = 143
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
}

service pop3-login {
  process_min_avail = 2
  service_count = 0
  executable = pop3-login director
  inet_listener pop3 {
port = 110
  }
  inet_listener pop3s {
port = 995
ssl = yes
  }
}

service imap {
  process_min_avail = 2
  process_limit = 0
  service_count = 0
}

service pop3 {
  process_min_avail = 2
  process_limit = 0
  service_count = 0
}

service lmtp {
  inet_listener lmtp {
port = 24
  }
}

service auth {
  client_limit=65000
  inet_listener {
port = 5451
  }
}

service auth-worker {
  user = webmail
}

service doveadm {
  inet_listener {
port = 9292
  }
}

protocol imap {
  mail_max_userip_connections = 10
}

protocol pop3 {
  mail_max_userip_connections = 10
}

protocol lmtp {
  auth_socket_path = director-userdb
  passdb {
driver = ldap
args = /etc/dovecot/dovecot-proxy-ldap.conf.ext
  }
}

protocol doveadm {
  auth_socket_path = director-userdb
}

plugin {
  # Used by both the Sieve plugin and the ManageSieve protocol
  sieve = file:~/sieve;active=~/.dovecot.sieve
}


-- dovecot backend config --


# dovecot version 2.1.7

protocols = imap pop3 lmtp #sieve
# OLDTEMP listen = 192.168.100.95
listen = 192.168.100.101

mail_location

Re: Dovecot Director and Dovecot proxy

2014-12-05 Thread rub zorghy
Hi Alessio,

Thank you very much for your detailed explanation.

gdrub

2014-12-01 18:28 GMT+01:00 Alessio Cecchi ales...@skye.it:


 On 01/12/2014 17:11, rub zorghy wrote:

 Why isn't the Dovecot Director server used to do this without a Dovecot
 proxy? That way, the load balancer (F5 Big-IP) could distribute requests based
 on the IMAP protocol to the Dovecot Director cluster.

 I think that the slide is just one example of a very complex scenario. In
 the real world, unless you have to segment users (some users use Exchange,
 others use Dovecot, but all users use imap.corporate.com, the proxy, for
 login), you don't need a Proxy in front of Director.

 Load balancer is only for HA.

 Ciao



Dovecot Director and Dovecot proxy

2014-12-01 Thread rub zorghy
Hi,

Dovecot Director is used to keep a temporary user <-> Dovecot backend server
mapping. So, the Director decides which backend handles each user, and the user
is always redirected to the same server. All user data is stored in shared
storage (NFS).
The Dovecot presentation featured during this webinar
http://knowledgebase.open-xchange.com/fileadmin/user_upload/open-xchange/misc/webinar/2013_21_08/Dovecot_Webinar_21.08.2013.pdf
mentions (slide 7) a Dovecot proxy cluster (doing credentials and user info
lookup) behind the LB device (F5 Big-IP)

Why isn't the Dovecot Director server used to do this without a Dovecot
proxy? That way, the load balancer (F5 Big-IP) could distribute requests based
on the IMAP protocol to the Dovecot Director cluster.

Thx so much.

gdrub


Re: Dovecot Director and Dovecot proxy

2014-12-01 Thread Alessio Cecchi


On 01/12/2014 17:11, rub zorghy wrote:

Why isn't the Dovecot Director server used to do this without a Dovecot
proxy? That way, the load balancer (F5 Big-IP) could distribute requests based
on the IMAP protocol to the Dovecot Director cluster.
I think that the slide is just one example of a very complex scenario. 
In the real world,
unless you have to segment users (some users use Exchange, others 
use Dovecot, but all users use imap.corporate.com, the proxy, for login), 
you don't need a Proxy in front of Director.


Load balancer is only for HA.

Ciao


Re: Dovecot Director and Dovecot proxy

2014-12-01 Thread anon_user

On 2014-12-01 19:56, anon_u...@openmailbox.org wrote:

On 01/12/2014 17:11, rub zorghy wrote:
Why isn't the Dovecot Director server used to do this without a Dovecot
proxy? That way, the load balancer (F5 Big-IP) could distribute requests
based on the IMAP protocol to the Dovecot Director cluster.
I think that the slide is just one example of a very complex scenario.
In the real world, unless you have to segment users (some users use Exchange,
others use Dovecot, but all users use imap.corporate.com, the proxy,
for login), you don't need a Proxy in front of Director.

Load balancer is only for HA.

Ciao


Hello,

So, Dovecot Director can work without Dovecot Proxy?

Thanks.


Difference btw. Dovecot Director and Dovecot Proxy

2014-07-18 Thread Nathan Schultheiss

Hello,

For a few days I have been trying to understand which program (Dovecot Director or 
Dovecot Proxy) I should use for my email architecture.
We are a hospital, and for security reasons we must host our emails 
ourselves, and we must leave Google Apps...


I wish to make a Dovecot backend for each department of the hospital.
Each Dovecot backend has local storage.

Server 01: cardiology
Server 02: emergency
...
Server 05: administration

Dovecot looks up in the database which server to use to store the email (LMTP) 
and transfers the mail there for storage.


I do not understand whether I have to work with Dovecot Director or Proxy if 
I want LMTP or IMAP requests forwarded to the right backend.
Each backend has its own storage and has no access to the other backends' storage 
(no NFS, no network storage, ...).


Users enter imap.hospital.local; this points to Dovecot Director or 
Proxy, and Dovecot checks the login/password and forwards the user to the 
right backend.
In my database I put user@hospital => storage host 172.16.2.10 => folder 
/home/vmail/user/ (Maildir)


I've read that the Director can refer the user to the same backend when 
there is an active session (POP, IMAP, LMTP).
But can we tell it to always refer the user to the same backend (IMAP 
and LMTP)?


I've found this schema picture in which users have Dovecot Proxy => Dovecot 
Director => Dovecot Backend

And I'm confused why they have proxy + director ?!?

Can anyone tell me if I need to focus on Dovecot Director or Dovecot 
Proxy to create the architecture of this hospital?


My question is probably stupid for a Dovecot sysadmin, but I'm lost in the 
WIKI :)


Thanks in advance,

Nathan


Re: Difference btw. Dovecot Director and Dovecot Proxy

2014-07-18 Thread Jiri Bourek

On 19.7.2014 00:54, Nathan Schultheiss wrote:

Hello,

For a few days I have been trying to understand which program (Dovecot Director or
Dovecot Proxy) I should use for my email architecture.
We are a hospital, and for security reasons we must host our emails
ourselves, and we must leave Google Apps...


OT: great, the fewer customers they have, the more they'll be forced to 
play nice with other mail service providers




I wish to make a Dovecot backend for each department of the hospital.
Each Dovecot backend has local storage.

Server 01: cardiology
Server 02: emergency
...
Server 05: administration

Dovecot looks up in the database which server to use to store the email (LMTP)
and transfers the mail there for storage.

I do not understand whether I have to work with Dovecot Director or Proxy if
I want LMTP or IMAP requests forwarded to the right backend.
Each backend has its own storage and has no access to the other backends' storage
(no NFS, no network storage, ...).

Users enter imap.hospital.local; this points to Dovecot Director or
Proxy, and Dovecot checks the login/password and forwards the user to the
right backend.
In my database I put user@hospital => storage host 172.16.2.10 => folder
/home/vmail/user/ (Maildir)

I've read that the Director can refer the user to the same backend when
there is an active session (POP, IMAP, LMTP).
But can we tell it to always refer the user to the same backend (IMAP
and LMTP)?

I've found this schema picture in which users have Dovecot Proxy => Dovecot
Director => Dovecot Backend
And I'm confused why they have proxy + director ?!?

Can anyone tell me if I need to focus on Dovecot Director or Dovecot
Proxy to create the architecture of this hospital?

My question is probably stupid for a Dovecot sysadmin, but I'm lost in the
WIKI :)

Thanks in advance,

Nathan


As for IMAP/POP3, I'd go for proxy - it's quite easy to set up if you 
have users in a database: you pretty much just return 'y' as the proxy field 
and the storage backend's IP address as the host field in password_query and 
Dovecot will do the rest.


As for LMTP - you didn't mention what MTA are you using but if it's 
Postfix, you can configure it to use database data to translate user 
name into storage IP address - then you tell it to use LMTP to deliver 
to that IP. (Not sure about other MTAs.)
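
The proxy-side configuration Jiri describes, written out as an added example (it is not
config from this thread and not Dovecot's own sample file): an SQL passdb whose
password_query returns proxy and host for each user, so the proxy checks the password
itself and then hands the session to that user's department backend. The users table
and its column names, the 172.16.2.x backend addresses, the certificate paths and the
database credentials are assumptions. With lmtp_proxy enabled the same lookup also routes
incoming LMTP deliveries, which is the "Postfix => Dovecot Proxy => backend" path Nathan
settles on in his reply; Jiri's alternative, a Postfix transport map, keeps that routing
in the MTA instead. The same shape serves Chad's pod design earlier on this page if the
host column names the director pair in front of a pod rather than a backend.

```conf
# --- /etc/dovecot/dovecot.conf on the proxy (added example, not the thread's config) ---
protocols = imap pop3 lmtp

# The proxy terminates the clients' TLS; never accept cleartext logins here.
ssl = required
ssl_cert = </etc/ssl/certs/imap.hospital.local.pem      # assumed paths
ssl_key = </etc/ssl/private/imap.hospital.local.key
disable_plaintext_auth = yes
# CA that signed the backends' certificates, used when the proxy itself is the
# TLS client on the backend hop (v2.2 setting; assumed path).
ssl_client_ca_dir = /etc/ssl/certs

# LMTP performs the same passdb lookup for every recipient and forwards the delivery
# to the host the lookup returns, so Postfix only ever needs to deliver to this proxy.
lmtp_proxy = yes
service lmtp {
  inet_listener lmtp {
    port = 24
  }
}

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# No mailbox is ever opened on the proxy; prefetch only satisfies the userdb requirement.
userdb {
  driver = prefetch
}

# --- /etc/dovecot/dovecot-sql.conf.ext on the proxy (added example) ---
driver = mysql
connect = host=127.0.0.1 dbname=mail user=dovecot password=CHANGE_ME   # assumption
default_pass_scheme = SHA512-CRYPT

# Assumed table users(email, password, storage_host), e.g.
#   cardio01@hospital.local | {hash} | 172.16.2.10   (cardiology backend)
#   er07@hospital.local     | {hash} | 172.16.2.11   (emergency backend)
# Returning the hash lets the proxy reject a bad password before any backend sees it.
# proxy='y' plus host makes the login process forward the session to that backend, and
# starttls encrypts the proxy-to-backend hop as well (the backend must offer STARTTLS on
# 143 with a certificate signed by a CA in ssl_client_ca_dir). For a director-fronted
# pod, storage_host would instead hold the DNS name of the director pair.
password_query = \
  SELECT email AS user, password, \
         'y' AS proxy, storage_host AS host, 'yes' AS starttls \
  FROM users WHERE email = '%u'
```

Check it with "doveadm auth test cardio01@hospital.local" on the proxy: the extra fields
printed must include proxy, host and starttls, and an LMTP RCPT TO for that address
should appear in the proxy's log as proxied to 172.16.2.10 rather than delivered locally.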


Re: Difference btw. Dovecot Director and Dovecot Proxy

2014-07-18 Thread Nathan Schultheiss
Hi,

Thank for your reply.

OK, if I understand correctly, I just need to read the docs for Dovecot Proxy :)

Incoming mail:
Postfix (LMTP) => Dovecot Proxy Server => Dovecot Backend Server (final server 
and storage server)

IMAP:
Dovecot Proxy Server => Dovecot Backend Server (final server and storage server)

I can now read more docs about Dovecot proxy this weekend, and Postfix LMTP.

Luckily, this is a new system (no old database, old storage system, 
...).
The only compatibility work is to create the email accounts :D

Again thank for your clarification about Director/Proxy Dovecot.

Regards,
Nathan

----- Original Message -----
From: Jiri Bourek bou...@thinline.cz
To: dovecot@dovecot.org
Sent: Saturday, 19 July 2014 01:31:33
Subject: Re: Difference btw. Dovecot Director and Dovecot Proxy

On 19.7.2014 00:54, Nathan Schultheiss wrote:
 Hello,

 For a few days I have been trying to understand which program (Dovecot Director or
 Dovecot Proxy) I should use for my email architecture.
 We are a hospital, and for security reasons we must host our emails
 ourselves, and we must leave Google Apps...

OT: great, the fewer customers they have, the more they'll be forced to 
play nice with other mail service providers


 I wish to make a Dovecot backend for each department of the hospital.
 Each Dovecot backend has local storage.

 Server 01: cardiology
 Server 02: emergency
 ...
 Server 05: administration

 Dovecot looks up in the database which server to use to store the email (LMTP)
 and transfers the mail there for storage.

 I do not understand whether I have to work with Dovecot Director or Proxy if
 I want LMTP or IMAP requests forwarded to the right backend.
 Each backend has its own storage and has no access to the other backends' storage
 (no NFS, no network storage, ...).

 Users enter imap.hospital.local; this points to Dovecot Director or
 Proxy, and Dovecot checks the login/password and forwards the user to the
 right backend.
 In my database I put user@hospital => storage host 172.16.2.10 => folder
 /home/vmail/user/ (Maildir)

 I've read that the Director can refer the user to the same backend when
 there is an active session (POP, IMAP, LMTP).
 But can we tell it to always refer the user to the same backend (IMAP
 and LMTP)?

 I've found this schema picture in which users have Dovecot Proxy => Dovecot
 Director => Dovecot Backend
 And I'm confused why they have proxy + director ?!?

 Can anyone tell me if I need to focus on Dovecot Director or Dovecot
 Proxy to create the architecture of this hospital?

 My question is probably stupid for a Dovecot sysadmin, but I'm lost in the
 WIKI :)

 Thanks in advance,

 Nathan

As for IMAP/POP3, I'd go for proxy - it's quite easy to set up if you 
have users in a database: you pretty much just return 'y' as the proxy field 
and the storage backend's IP address as the host field in password_query and 
Dovecot will do the rest.

As for LMTP - you didn't mention what MTA are you using but if it's 
Postfix, you can configure it to use database data to translate user 
name into storage IP address - then you tell it to use LMTP to deliver 
to that IP. (Not sure about other MTAs.)


Re: [Dovecot] Dovecot proxy

2014-05-05 Thread Jiri Bourek

Is it possible to use backend's passdb on the relay server in your setup?

If you are - for example - using an SQL database as passdb on the backend, 
you can access it from the relay server as well. Let's say you have a 
relay_enabled column in the table of users, then you can use something 
like:


select ... from users where user = ... and relay_enabled = true

Users who are not permitted access from the internet will get an 
authentication failure.


If your passdb can't be shared this way (unix accounts, passwd-file 
etc.), this won't work of course. Maybe you can try to play around with 
allow_nets 
(http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets), 
possibly combined with login_trusted_networks on the backend.


The idea here is that your relay provides the user's real IP and you use the 
allow_nets extra field to restrict access to your internal network only. 
Not sure if this can work though, never tried.



Alex Ferrara wrote:

Hi everyone,

I have a problem that hopefully has an easy solution.

I am setting up an IMAP proxy in a DMZ network. It will connect to
the real IMAP server and authenticate using driver = imap, and this
I have working really nicely.

What I want to do is have it look up a list of users that are allowed
to connect through the proxy before proxying the connection, as not
all users with an account are permitted to access their email from
the internet. I thought that using a post-login script would get me
out of trouble, but it isn't possible in a relay configuration.



dovecot.conf

## Dovecot configuration file

mail_uid = dovecot
mail_gid = dovecot

protocols = imap

listen = *, ::

passdb {
  driver = imap
  # IMAP server to authenticate against
  args = host=192.168.1.1
  # IMAP server to connect to for mailbox
  default_fields = proxy=yes host=192.168.1.1
}
userdb {
  driver = prefetch
}

auth_mechanisms = plain login

# This is the auth service used by Postfix to do dovecot auth.
service auth {
  unix_listener auth-userdb {
  }
  inet_listener {
    port = 12345
  }
}

##
## SSL settings
##

# These will need to be adjusted to point to *your* certificates, not mine 8-)
# The ssl_ca line refers to the intermediate certificate bundle which may or
# may not be required by your SSL provider

ssl_cert = </etc/ssl/certs/mail.domain.com.au.pem
ssl_key = </etc/ssl/private/mail.domain.com.au.key
#ssl_ca = </etc/pki/tls/certs/ca.crt
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL


Re: [Dovecot] Dovecot proxy

2014-05-05 Thread Alex Ferrara
Unfortunately, the requirement for this network is that the only pinhole 
through the firewall between the main relay and the mail server is IMAP. My 
thought was to ship a list of valid usernames to the imap relay that are 
allowed to connect, and that list would be constructed from inside the LAN and 
shipped to the DMZ via rsync.

I could set the default value of allow_nets and override it, but I am unsure 
how best to do that in my situation. Maybe if I use a passwd-file on the 
userdb, but keep the imap driver on the passdb?

aF

On 05/05/2014, at 4:24 PM, Jiri Bourek bou...@thinline.cz wrote:

 Is it possible to use backend's passdb on the relay server in your setup?
 
 If you are - for example - using an SQL database as passdb on the backend, you 
 can access it from the relay server as well. Let's say you have a relay_enabled 
 column in the table of users, then you can use something like:
 
 select ... from users where user = ... and relay_enabled = true
 
 Users who are not permitted access from the internet will get an authentication 
 failure.
 
 If your passdb can't be shared this way (unix accounts, passwd-file etc.), 
 this won't work of course. Maybe you can try to play around with allow_nets 
 (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets), possibly 
 combined with login_trusted_networks on the backend.
 
 The idea here is that your relay provides the user's real IP and you use the 
 allow_nets extra field to restrict access to your internal network only. Not 
 sure if this can work though, never tried.
 
 
 Alex Ferrara wrote:
 Hi everyone,
 
 I have a problem that hopefully has an easy solution.
 
 I am setting up an IMAP proxy in a DMZ network. It will connect to
 the real IMAP server and authenticate using driver = imap, and this
 I have working really nicely.
 
 What I want to do is have it look up a list of users that are allowed
 to connect through the proxy before proxying the connection, as not
 all users with an account are permitted to access their email from
 the internet. I thought that using a post-login script would get me
 out of trouble, but it isn't possible in a relay configuration.
 
 
 
 dovecot.conf
 
 ## Dovecot configuration file
 
 mail_uid = dovecot
 mail_gid = dovecot
 
 protocols = imap
 
 listen = *, ::
 
 passdb {
   driver = imap
   # IMAP server to authenticate against
   args = host=192.168.1.1
   # IMAP server to connect to for mailbox
   default_fields = proxy=yes host=192.168.1.1
 }
 userdb {
   driver = prefetch
 }
 
 auth_mechanisms = plain login
 
 # This is the auth service used by Postfix to do dovecot auth.
 service auth {
   unix_listener auth-userdb {
   }
   inet_listener {
     port = 12345
   }
 }
 
 ##
 ## SSL settings
 ##
 
 # These will need to be adjusted to point to *your* certificates, not mine 8-)
 # The ssl_ca line refers to the intermediate certificate bundle which may or
 # may not be required by your SSL provider
 
 ssl_cert = </etc/ssl/certs/mail.domain.com.au.pem
 ssl_key = </etc/ssl/private/mail.domain.com.au.key
 #ssl_ca = </etc/pki/tls/certs/ca.crt
 ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL


[Dovecot] Dovecot proxy

2014-05-04 Thread Alex Ferrara
Hi everyone,

I have a problem that hopefully has an easy solution.

I am setting up an IMAP proxy in a DMZ network. It will connect to the real 
IMAP server and authenticate using driver = imap, and this I have working 
really nicely. 

What I want to do is have it look up a list of users that are allowed to 
connect through the proxy before proxying the connection, as not all users with 
an account are permitted to access their email from the internet. I thought 
that using a post-login script would get me out of trouble, but it isn't 
possible in a relay configuration.



dovecot.conf

## Dovecot configuration file

mail_uid = dovecot
mail_gid = dovecot

protocols = imap

listen = *, ::

passdb {
  driver = imap
  # IMAP server to authenticate against
  args = host=192.168.1.1
  # IMAP server to connect to for mailbox
  default_fields = proxy=yes host=192.168.1.1
}
userdb {
  driver = prefetch
}

auth_mechanisms = plain login

# This is the auth service used by Postfix to do dovecot auth.
service auth {
  unix_listener auth-userdb {
  }
  inet_listener {
port = 12345
  }
}

##
## SSL settings
##

# These will need to be adjusted to point to *your* certificates, not mine 8-)
# The ssl_ca line refers to the intermediate certificate bundle which may or 
# may not be required by your SSL provider

ssl_cert = </etc/ssl/certs/mail.domain.com.au.pem
ssl_key = </etc/ssl/private/mail.domain.com.au.key
#ssl_ca = </etc/pki/tls/certs/ca.crt
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

[Dovecot] Dovecot proxy and Postfix SASL

2013-12-17 Thread Andreas Kasenides

Can somebody please verify that currently (v 2.2.9) SMTP AUTH using SASL
from Postfix with Dovecot proxy is still not supported, as discussed in 
these threads (especially the first one)?

http://www.dovecot.org/list/dovecot/2012-August/067977.html
http://www.dovecot.org/list/dovecot/2011-May/059107.html

As I understand it, it is possible to use saslauthd to do this by using the 
remote imap option (rimap). Such a facility is important since I am attempting 
to separate the outward facing servers (dovecot proxy, postfix relay), which 
have no knowledge of user databases, from the backends.

thanx
Andreas




Re: [Dovecot] Dovecot proxy and Postfix SASL

2013-12-17 Thread Andreas Kasenides

To be fair on this: the main driver behind this is security and having
front end systems in a DMZ with only minimal (if any) access to the back 
end servers.
Of course saslauthd will need SOME access to the remote (back-end) IMAP 
(one IP port?).
But this can also be accomplished by having the front end Postfix 
authenticate on the Dovecot back-end by setting it up to talk to the auth 
process via an ip-listener, ALSO on just one IP port.
Does this make sense? Am I missing something?

Andreas

On 17-12-2013 14:48, Andreas Kasenides wrote:
Can somebody please verify that currently (v 2.2.9) SMTP AUTH using 
SASL from Postfix with Dovecot proxy is still not supported, as discussed in
these threads (especially the first one)?

http://www.dovecot.org/list/dovecot/2012-August/067977.html
http://www.dovecot.org/list/dovecot/2011-May/059107.html

As I understand it, it is possible to use saslauthd to do this by using the 
remote imap option (rimap). Such a facility is important since I am
attempting to separate the outward facing servers (dovecot proxy, postfix
relay), which have no knowledge of user databases, from the backends.

thanx
Andreas


Re: [Dovecot] proxy, userdb and passdb

2013-12-03 Thread Jogi Hofmüller
Dear Alex et al

 Did you happen to have this working? Could you share how?

So far it's not working yet.  We are currently exploring more recent
dovecot versions (2.2.9 AFAIR) but had to do some other work to keep the
mailsystem running.  Now we have more time to work on migration and will
post any useful results (or more questions, whatever comes first).

Cheers!
-- 
j.hofmüller

Optimism doesn't alter the laws of physics. - Subcommander T'Pol





Re: [Dovecot] proxy, userdb and passdb

2013-11-07 Thread alexwanderley
Hello Jogi,

Did you happen to have this working? Could you share how?

Thanks,

Alex





Re: [Dovecot] proxy, userdb and passdb

2013-10-26 Thread Timo Sirainen
On 22.10.2013, at 13.13, Jogi Hofmüller j...@mur.at wrote:

 Hi Steffen,
 
 Am 2013-10-22 10:05, schrieb Steffen Kaiser:
 
 see http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
 
 Did, thanks.  The errors I mentioned in my previous post are gone. Still, 
 proxying does not work as expected.  Instead I get strange warnings:
 
  Oct 22 12:06:51 server dovecot: auth-worker(PID): Warning: userdb passwd: 
 Move templates args to override_fields setting
 
 This is the proxy-userdb file's content (I removed the UID and IP address):
 
 user:::proxy=y host=IP-ADDRESS starttls=y nopassword=y
 passdb {
  args = session=yes
  driver = pam
 }
 userdb {
  args = /etc/dovecot/proxy-userdb
  driver = passwd
 }

1) Use passwd-file, not passwd

2) userdb has no effect on proxying, it must be passdb.

If you really want to keep using PAM, you need to use Dovecot v2.2 with an 
additional passdb configuring the proxying for the users. 
http://wiki2.dovecot.org/PasswordDatabase#Passdb_settings explains more. It 
can’t be done with v2.1.



Re: [Dovecot] Dovecot proxy hooks

2013-10-26 Thread Timo Sirainen
On 14.10.2013, at 21.22, d...@getodata.ro wrote:

 I am interested in the possibility of using Dovecot IMAP/POP proxying 
 capabilities to analyze emails that are passing through and possibly modify 
 content on the fly. This subject has been discussed here [1] before.
 I have tried the mail-filter plugin [2], but the hooks it uses are only 
 called in a non-proxy setup.
 
 Is there a practical way of doing this, or plans to add such a feature?
 
 Links:
 [1]: http://dovecot.org/list/dovecot/2006-February/011704.html
 [2]: http://www.dovecot.org/patches/2.2/mail-filter.tar.gz

You can’t use the simple proxying feature for this. If you modify the mail 
content, it would require modifying quite a lot of different command outputs 
and there’s no way a proxy could do it without more or less reimplementing half 
of the IMAP server functionality. But what you could do is to use the imapc 
backend and the mail-filter.



Re: [Dovecot] proxy, userdb and passdb

2013-10-22 Thread Steffen Kaiser


On Fri, 18 Oct 2013, Jogi Hofmüller wrote:


We are getting closer to the migration of our mailsystem.  Now I have a
special question.  We are successfully using

passdb {
 driver = pam
}

and that is good.  Now, how would I tell dovecot to proxy certain users
(the ones not yet migrated) to the old server?  My attempts to configure
an additional userdb failed since this seems to override the passdb setting.


see http://wiki2.dovecot.org/PasswordDatabase/ExtraFields

However, a userdb never overrides a passdb setting (as I understand your
wording), because the userdb kicks in later; you should post your config.


--
Steffen Kaiser


Re: [Dovecot] proxy, userdb and passdb

2013-10-22 Thread Jogi Hofmüller

Hi Steffen,

Am 2013-10-22 10:05, schrieb Steffen Kaiser:


see http://wiki2.dovecot.org/PasswordDatabase/ExtraFields


Did, thanks.  The errors I mentioned in my previous post are gone. 
Still, proxying does not work as expected.  Instead I get strange warnings:


Oct 22 12:06:51 server dovecot: auth-worker(PID): Warning: userdb passwd: Move templates args to override_fields setting


This is the proxy-userdb file's content (I removed the UID and IP address):

user:::proxy=y host=IP-ADDRESS starttls=y nopassword=y


However, a userdb never overrides a passdb setting (as I understand
your wording), because the userdb kicks in later; you should post your
config.


Here it comes:

# 2.1.17: /etc/dovecot/dovecot.conf
# OS: Linux 3.10-3-amd64 x86_64 Debian jessie/sid
mail_location = maildir:~/Maildir
mail_plugins = acl
namespace {
  list = children
  location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
  prefix = shared/%%u/
  subscriptions = no
  type = shared
}
namespace inbox {
  hidden = yes
  inbox = yes
  list = no
  location =
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Sent Messages {
auto = subscribe
special_use = \Sent
  }
  mailbox Trash {
auto = subscribe
special_use = \Trash
  }
  prefix =
  subscriptions = yes
  type = private
}
passdb {
  args = session=yes
  driver = pam
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols =  imap lmtp pop3
ssl_cert = /etc/dovecot/dovecot.pem
ssl_key = /etc/dovecot/private/dovecot.pem
userdb {
  args = /etc/dovecot/proxy-userdb
  driver = passwd
}
protocol imap {
  mail_plugins = acl autocreate imap_acl
}

Thanks for any hints/suggestions!
--
j.hofmüller

mur.sat -- a space art project http://sat.mur.at/


[Dovecot] proxy, userdb and passdb

2013-10-18 Thread Jogi Hofmüller
Dear all,

We are getting closer to the migration of our mailsystem.  Now I have a
special question.  We are successfully using

passdb {
  driver = pam
}

and that is good.  Now, how would I tell dovecot to proxy certain users
(the ones not yet migrated) to the old server?  My attempts to configure
an additional userdb failed since this seems to override the passdb setting.

Grateful for any hints!

Cheers,
-- 
j.hofmüller

Optimism doesn't alter the laws of physics. - Subcommander T'Pol





[Dovecot] Dovecot proxy hooks

2013-10-14 Thread dac
I am interested in the possibility of using Dovecot IMAP/POP proxying 
capabilities to analyze emails that are passing through and possibly 
modify content on the fly. This subject has been discussed here [1] 
before.
I have tried the mail-filter plugin [2], but the hooks it uses are only 
called in a non-proxy setup.


Is there a practical way of doing this, or plans to add such a feature?

Links:
[1]: http://dovecot.org/list/dovecot/2006-February/011704.html
[2]: http://www.dovecot.org/patches/2.2/mail-filter.tar.gz



[Dovecot] Proxy to gmail not working

2013-10-07 Thread Alex Wanderley
Hi,

I've been trying to build a password forwarding proxy to Gmail without
success... The SSL connection to Dovecot is happening no problem (as far as
I can tell), but for some reason the conversation between Dovecot and Gmail
is getting timed out.

I know this is supposed to be simple...  :-( But could somebody please
give me some help by pointing out what I'm not doing right?
No matter how much I've been researching about this, I can't find the
solution.

Thanks a lot,

Alex

# 2.2.5: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-308.8.2.el5xen x86_64 CentOS release 5.8 (Final)
auth_cache_negative_ttl = 10 mins
auth_cache_size = 1 k
auth_cache_ttl = 10 mins
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = cram-md5 digest-md5 apop login plain
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
auth_username_translation =
%@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
auth_verbose = yes
base_dir = /var/run/dovecot/
listen = 162.106.yyy.zzz
login_greeting = Dovecot Ready
login_log_format_elements = %u %r %m %c
mail_debug = yes
mail_max_userip_connections = 100
passdb {
  args = proxy=y nopassword=y user=remotemail destuser=remotemail@gmail.com
host=pop.gmail.com port=995 proxy_timeout=15 starttls=y
  driver = static
}
protocols = pop3
service pop3-login {
  client_limit = 200
  inet_listener pop3 {
address = dserver
port = 110
  }
  process_limit = 1
  process_min_avail = 1
  service_count = 0
  vsz_limit = 256 M
}
ssl = required
ssl_ca = /etc/pki/tls/certs/ca-bundle.crt
ssl_cert = /etc/pki/dovecot/certs/dovecot.pem
ssl_cipher_list =
EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
ssl_client_cert = /etc/pki/dovecot/certs/dovecot.pem
ssl_client_key = /etc/pki/dovecot/private/dovecot.pem
ssl_key = /etc/pki/dovecot/private/dovecot.pem
userdb {
  args = static uid=1 gid=1 home=/dev/null
  driver = static
}
verbose_ssl = yes
version_ignore = yes



Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x10, ret=1:
before/accept initialization [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: before/accept initialization [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 read client hello A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write server hello A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write certificate A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write key exchange A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write server done A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 flush data [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2002,
ret=-1: SSLv3 read client certificate A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2002,
ret=-1: SSLv3 read client certificate A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Oct  7 09:32:51 dserver dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_mysql.so
Oct  7 09:32:51 dserver dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_pgsql.so
Oct  7 09:32:51 dserver dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Oct  7 09:32:51 dserver dovecot: auth: Debug: Read auth token secret from
/var/run/dovecot//auth-token-secret.dat
Oct  7 09:32:51 dserver dovecot: auth: Debug: auth client connected
(pid=25878)
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 read client key exchange A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 read finished A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write change cipher spec A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 write finished A [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2001,
ret=1: SSLv3 flush data [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x20, ret=1:
SSL negotiation finished successfully [162.106.xxx.yyy]
Oct  7 09:32:51 dserver dovecot: pop3-login: Debug: SSL: where=0x2002,
ret=1: SSL negotiation finished successfully [162.106.xxx.yyy]
Oct  7 09:33:13 dserver dovecot: auth: Debug: client in: AUTH  2
PLAIN   service=pop3secured session=oePRXijoMQCiat/X
lip=162.106.yyy.zzz rip=162.106.xxx.yyy lport=995   rport=502
25 resp=AHNtYXJ0YnVzZWRtAHMwbWV0aGluZw== (previous 

Re: [Dovecot] Proxy to gmail not working

2013-10-07 Thread Charles Marcus

On 2013-10-07 12:11 PM, Alex Wanderley alex.wander...@edmonton.ca wrote:

# OS: Linux 2.6.18-308.8.2.el5xen x86_64 CentOS release 5.8 (Final)


Aaaack!

Makes me wonder what ancient version of openssl, and maybe that is the 
culprit?




Re: [Dovecot] Proxy to gmail not working

2013-10-07 Thread Reindl Harald


Am 07.10.2013 18:37, schrieb Charles Marcus:
 On 2013-10-07 12:11 PM, Alex Wanderley alex.wander...@edmonton.ca wrote:
 # OS: Linux 2.6.18-308.8.2.el5xen x86_64 CentOS release 5.8 (Final)
 
 Aaaack!
 
 Makes me wonder what ancient version of openssl, and maybe that is the 
 culprit?

openssl-0.9.8e - so what - better read more than 1 line before answering

Port 995 *is not* STARTTLS and *that* is the reason

http://en.wikipedia.org/wiki/STARTTLS
STARTTLS is *always* the default port and starts unencrypted
while POP3S/IMAPS starts with an SSL handshake

 passdb {
  args = proxy=y nopassword=y user=remotemail destuser=remotemail@gmail.com
 host=pop.gmail.com port=995 proxy_timeout=15 starttls=y
  driver = static
 }





Re: [Dovecot] Proxy to gmail not working

2013-10-07 Thread Joseph Tam

On Mon, 7 Oct 2013, Alex Wanderley writes:


passdb {
 args = proxy=y nopassword=y user=remotemail destuser=remotemail@gmail.com
host=pop.gmail.com port=995 proxy_timeout=15 starttls=y
 driver = static
}
...
Oct  7 09:33:13 dserver dovecot: auth: Debug: client passdb out: OK
2   user=remotemailproxy   nopassword=ydestuser=
remotem...@gmail.comhost=pop.gmail.com  port=995proxy
_timeout=15starttls=y  hostip=74.125.142.108   pass=123456789
Oct  7 09:33:13 dserver dovecot: pop3-login: Debug: Ignoring unknown passdb
extra field: nopassword
Oct  7 09:33:28 dserver dovecot: pop3-login: Error: proxy(remotemail):
Login for pop.gmail.com:995 timed out in state=0 (after 15 secs,
local=162.106.yyy.zzz:59282)


Idle speculation, but remote port 995 usually means SSL type connection
(i.e. dive right into SSL protocol), whereas starttls=y starts out in
plaintext, and SSL negotiations starts after a STARTTLS directive.

Looking at

http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy

methinks you want to replace starttls=y with ssl=yes.

Joseph Tam jtam.h...@gmail.com
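As an added example (not code from this thread or from Dovecot), the following Python linter parses the key=value extra fields of a static passdb's args, such as the one quoted above, and reports the starttls-on-995 mistake both replies point at, plus two related defender checks: an unverified backend certificate (ssl=any-cert) and a plaintext pass= field that auth_debug_passwords=yes would write to the log, as the pass=123456789 in the debug output above shows. The field names are Dovecot's; the sample args, the ports table and the finding texts are constructed.

```python
"""Lint the proxy extra fields a Dovecot passdb returns (added example).

Not Dovecot's own code. It parses the space-separated key=value fields of
a static passdb's ``args`` (the same fields appear in the
``client passdb out`` debug line) and reports the mistakes discussed in
this thread plus two defender checks.
"""
from __future__ import annotations

import shlex

# POP3S / IMAPS ports: the server speaks TLS immediately, so the proxy must
# use ssl=yes there; starttls=y would first send a plaintext STARTTLS.
IMPLICIT_TLS_PORTS = {"993", "995"}
TRUE_VALUES = {"y", "yes", "1"}


def parse_extra_fields(args: str) -> dict[str, str]:
    """Parse 'k=v k2=v2 ...' into a dict; a bare key (e.g. 'proxy') means 'y'."""
    fields: dict[str, str] = {}
    for token in shlex.split(args):
        key, sep, value = token.partition("=")
        fields[key] = value if sep else "y"
    return fields


def _is_true(fields: dict[str, str], key: str) -> bool:
    return fields.get(key, "").lower() in TRUE_VALUES


def lint_proxy_fields(fields: dict[str, str],
                      auth_debug_passwords: bool = False) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings: list[str] = []
    if not _is_true(fields, "proxy"):
        # Timo's point earlier in the thread: proxying is decided by the passdb.
        findings.append("proxy=y missing: this passdb result will not proxy")
        return findings
    if "host" not in fields:
        findings.append("host missing: the proxy has no backend to connect to")

    port = fields.get("port", "")
    starttls = _is_true(fields, "starttls")
    ssl_mode = fields.get("ssl", "").lower()
    if starttls and port in IMPLICIT_TLS_PORTS:
        findings.append(f"port {port} starts with a TLS handshake: "
                        "replace starttls=y with ssl=yes")
    if starttls and ssl_mode:
        findings.append("starttls and ssl are both set: use only one of them")
    if not starttls and not ssl_mode:
        findings.append("neither ssl nor starttls set: the connection to the "
                        "backend, credentials included, will be plaintext")
    if ssl_mode == "any-cert":
        findings.append("ssl=any-cert accepts any backend certificate; "
                        "prefer ssl=yes so the certificate is verified")
    if "pass" in fields:
        # Justin's case below in the archive: pass= carries a plaintext
        # backend password through the auth process.
        findings.append("pass= forwards a plaintext password to the backend; "
                        "keep auth_debug_passwords off")
        if auth_debug_passwords:
            findings.append("auth_debug_passwords=yes will write the pass= "
                            "value to the auth debug log")
    return findings


if __name__ == "__main__":
    # The static passdb args from the thread, then the corrected version.
    broken = parse_extra_fields(
        "proxy=y nopassword=y user=remotemail destuser=remotemail@gmail.com "
        "host=pop.gmail.com port=995 proxy_timeout=15 starttls=y")
    for finding in lint_proxy_fields(broken):
        print("broken:", finding)
    fixed = {k: v for k, v in broken.items() if k != "starttls"}
    fixed["ssl"] = "yes"
    print("fixed:", lint_proxy_fields(fixed) or "no findings")
```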


[Dovecot] Proxy to gmail help

2013-10-03 Thread Alex Wanderley
Hello,

I understand the matter of using Dovecot as a forward proxy to Gmail is
very popular (and even trivial), but my lack of Dovecot experience took me
to a point where I truly need your help...

I'm starting my task by trying to have something simple, where I can test
connectivity to Gmail by sending a telnet to our Dovecot server.

The Dovecot server accepts the telnet request, but for some reason (and
here I guess is something related to SSL/TLS), I can't get to Gmail.

Here my configuration and logs/outputs:

== OS:
  * I'm using an old Centos 5.8 server as a proof of concept.
#
== Dovecot configuration:
# 2.2.5: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.18-308.8.2.el5xen x86_64 CentOS release 5.8 (Final)
auth_cache_negative_ttl = 10 mins
auth_cache_size = 1 k
auth_cache_ttl = 10 mins
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = cram-md5 digest-md5 apop login plain
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@%
auth_username_translation =
%@AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
auth_verbose = yes
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
listen = XXX.XXX.XXX.XXX
login_greeting = Dovecot Ready
login_log_format_elements = %u %r %m %c
mail_debug = yes
mail_max_userip_connections = 100
passdb {
  args = /etc/dovecot/sql.conf
  driver = sql
}
protocols = pop3
service pop3-login {
  client_limit = 200
  inet_listener pop3 {
address = dovecotserver.full domain
port = 110
  }
  process_limit = 1
  process_min_avail = 1
  service_count = 0
  vsz_limit = 256 M
}
shutdown_clients = no
ssl_ca = /etc/pki/dovecot/certs/dovecot.pem
ssl_cert = /etc/pki/dovecot/certs/dovecot.pem
ssl_cipher_list =
EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:HIGH:!aNULL:!eNULL:!EXP:!MD5:!LOW:!SSLv2
ssl_key = /etc/pki/dovecot/private/dovecot.pem
userdb {
  args = static uid=1 gid=1 home=/dev/null
  driver = static
}
verbose_ssl = yes
version_ignore = yes
#
== sql.conf file
driver = mysql
connect = host=/var/lib/mysql/mysql.sock dbname=mysql user=root
password=xx
password_query = SELECT NULL AS password, host, destuser, proxy, 'Y' AS
starttls, '995' AS port, 'Y' AS nopassword FROM DovecotProxy WHERE user =
'%u'
#
== DovecotProxy table
mysql> select * from DovecotProxy where user = 'MYUSER';
+--------+---------------+------------------+-----------------------------------------------+-------+
| user   | host          | destuser         | password                                      | proxy |
+--------+---------------+------------------+-----------------------------------------------+-------+
| MYUSER | pop.gmail.com | myu...@gmail.com | {MD5-CRYPT}$1$L824LVh4$r.hyZicsE5tmGaeJrY/dw/ | Y     |
+--------+---------------+------------------+-----------------------------------------------+-------+

## I understand proxy and password are not required there. That
happened for testing.
#
== Telnet session:
xx [/tmp]  telnet dovecotserver 110
Trying XXX.XXX.XXX.XXX...
Connected to dovecotserver.
Escape character is '^]'.
+OK Dovecot Ready 6111.1.524dad13.VYOVkhqfe1Ox7Wz+VfogMg==@dovecotserver
user MYUSER
+OK
pass PASSWD
-ERR Account is temporarily unavailable.
quit
+OK Logging out
Connection to dovecotserver closed by foreign host.
#
== Logged messages in /var/log/maillog:
Oct  3 12:23:02 dovecotserver dovecot: master: Warning: Killed with signal
15 (by pid=26790 uid=0 code=kill)
Oct  3 12:23:53 dovecotserver dovecot: master: Dovecot v2.2.5 starting up
(core dumps disabled)
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_mysql.so
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_pgsql.so
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: Read auth token secret
from /var/run/dovecot//auth-token-secret.dat
Oct  3 12:23:53 dovecotserver dovecot: auth: Debug: auth client connected
(pid=26810)
Oct  3 12:24:30 dovecotserver dovecot: auth: Debug: client in: AUTH
1   PLAIN   service=pop3session=/IH8S9rnzACiat/X
lip=162.106.XXX.YYY  rip=162.106.XXX.ZZZ lport=110
rport=37836 resp=AHNtYXJ0YnVzZWRtAHMwbWV0aGluZw== (previous base64 data
may contain sensitive data)
Oct  3 12:24:30 dovecotserver dovecot: auth: Debug:
cache(MYUSER,162.106.223.215,/IH8S9rnzACiat/X): miss
Oct  3 12:24:30 dovecotserver dovecot: auth-worker(26823): 

Re: [Dovecot] proxy: can I use the password returned from passdb to log in to the back-end?

2013-09-30 Thread Justin McAleer
On Fri, Sep 27, 2013 at 11:28 AM, Timo Sirainen t...@iki.fi wrote:

 On 27.9.2013, at 16.57, Justin McAleer jus...@neonova.net wrote:

  I am hoping to support encrypted passwords, which I know is generally not
  allowed in a proxy setup. However, I can return the password in
 clear-text
  out of the password database, so I was hoping for something similar to
 the
  destuser field.

 The pass extra field is used by proxy to connect to the remote server.
 So if you can manage to return the plaintext password in that field, it'll
 work.


Excellent! That worked as promised. Thank you.


[Dovecot] proxy: can I use the password returned from passdb to log in to the back-end?

2013-09-27 Thread Justin McAleer
I am hoping to support encrypted passwords, which I know is generally not
allowed in a proxy setup. However, I can return the password in clear-text
out of the password database, so I was hoping for something similar to the
destuser field.

I have successfully used the master password functionality to support
encrypted passwords (users impersonating themselves), as long as the
back-end server supports that. However, I need to proxy POP3 to Gmail,
which does not.


Re: [Dovecot] proxy: can I use the password returned from passdb to log in to the back-end?

2013-09-27 Thread Timo Sirainen
On 27.9.2013, at 16.57, Justin McAleer jus...@neonova.net wrote:

 I am hoping to support encrypted passwords, which I know is generally not
 allowed in a proxy setup. However, I can return the password in clear-text
 out of the password database, so I was hoping for something similar to the
 destuser field.

The pass extra field is used by proxy to connect to the remote server. So if 
you can manage to return the plaintext password in that field, it'll work.



Re: [Dovecot] proxy: get rid of redundant log-informations

2013-09-25 Thread Reindl Harald
Hi

Am 22.09.2013 03:13, schrieb Reindl Harald:
 Am 22.09.2013 02:20, schrieb Timo Sirainen:
 %$ is the status, so you're asking for another status variable. Something 
 like in the attached patch, where you can replace %$ with %{login_status}?
 
 *exactly* that's it - many thanks!
 
 %{login_status} - ab[2].value = client-login_success ? OK : Failed;
 in case of deeper debugging one can always set %$ temporary
 
 when we can get rid of TLSv1 with cipher and only have the cipher the log 
 would become
 really tiny and easy to follow without too much linebreaking - not to forget 
 the logsize
 in case of a lot of POP3 users every few minutes

nearly perfect
___

2.2.6 with the patch:

Sep 25 12:22:26 testserver dovecot: pop3-login: OK: p...@testserver.rhsoft.net, 91.118.73.100, DIGEST-MD5, TLSv1 with cipher RC4-SHA (128/128 bits)
Sep 25 12:22:26 testserver dovecot: pop3-login: OK: p...@testserver.rhsoft.net, 91.118.73.100, DIGEST-MD5, TLSv1 with cipher RC4-SHA (128/128 bits)
___

my dream:

Sep 25 12:22:26 testserver dovecot: pop3-login: OK: p...@testserver.rhsoft.net, 91.118.73.100, DIGEST-MD5, RC4-SHA (128/128 bits)
Sep 25 12:22:26 testserver dovecot: pop3-login: OK (disconnecting): p...@testserver.rhsoft.net, 91.118.73.100, DIGEST-MD5, RC4-SHA (128/128 bits)
___

would allow rsyslog to skip the disconnect lines in case of OK and shorten the 
cipher output

:msg, contains, "OK (disconnecting)" ~
diff -r d400c1a673cf src/login-common/client-common.c
--- a/src/login-common/client-common.c  Sun Sep 22 03:17:12 2013 +0300
+++ b/src/login-common/client-common.c  Sun Sep 22 03:17:44 2013 +0300
@@ -561,9 +561,10 @@
 static const char *
 client_get_log_str(struct client *client, const char *msg)
 {
-   static struct var_expand_table static_tab[3] = {
+   static struct var_expand_table static_tab[] = {
{ 's', NULL, NULL },
{ '$', NULL, NULL },
+   { '\0', NULL, login_status },
{ '\0', NULL, NULL }
};
const struct var_expand_table *var_expand_table;
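Review bot: static_tab grows from three entries to four in this hunk, so the place where it is copied into the per-call tab (not visible here, but the second hunk writes tab[2]) must size the copy from sizeof(static_tab) rather than a literal 3; otherwise tab[2] is the old terminator slot or lies past the copied array. The hunk also introduces a user-visible variable, %{login_status}, so the login_log_format documentation and the example config should list it next to %$.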
@@ -603,6 +604,7 @@
 
tab[0].value = t_strdup(str_c(str));
tab[1].value = msg;
+   tab[2].value = client-login_success ? OK : Failed;
str_truncate(str, 0);
 
var_expand(str, client-set-login_log_format, tab);
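Review bot: tab[2].value maps every non-success state to "Failed", including a client that disconnected before attempting authentication, so %{login_status} cannot separate a rejected password from an aborted connection; since the stated goal is spotting dictionary attacks without the %$ text, a third value (or "Failed" only once an authentication was actually attempted) would make the per-line status more useful. Note also that the value is computed each time client_get_log_str runs, so a disconnect line for a client that had already logged in still reads "OK", which is what the rsyslog rule above relies on to drop those lines.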




Re: [Dovecot] Problem getting a dovecot proxy to connect to another dovecot machine via STARTTLS

2013-09-24 Thread Arnoud van Heuvelen
I've solved the issue by setting ssl to 'any-cert' and starttls to NULL.
This does a proper SSL request to the node.

I still don't understand why Dovecot does a non-SSL request on an SSL port
whenever I enable starttls, but I'm happy using normal SSL.

Regards,


Re: [Dovecot] proxy: get rid of redundant log-informations

2013-09-21 Thread Timo Sirainen
On 14.8.2013, at 17.37, Reindl Harald h.rei...@thelounge.net wrote:

 login_log_format_elements = user=%u method=%m rip=%r %k
 
 is it possible to get rid of the proxy(t...@testserver.rhsoft.net): started 
 proxying to 127.0.0.1:143:  part
 because on a proxy-only server i know that and it is explicitly not listed in 
 login_log_format_elements

Different people want different things logged. I think if I started adding 
settings to control those from Dovecot configuration it would quickly become a 
horribly complex mess. An alternative could be to send logging through a more 
configurable log process. Like perhaps a simple perl log proxy where you can do 
whatever you want using regexps and such. This is already possible if someone 
just writes such a log proxy, although it would be a bit annoying as it would 
have to implement Dovecot's internal master service protocols. A somewhat 
easier way would be if Dovecot's log process supported a filtering service, 
similar to how the mail-filter plugin works for emails. Then you could use 
whatever scripting language you want to implement the filters and if the filter 
breaks or is too slow, the log process could just drop it and continue logging 
without filtering.

The main problem I see with such a generic log filter is that it operates on a 
full log line string. Maybe for your use case it would be enough, but people 
have wanted other things as well where such a filter could be helpful, like 
logging things to SQL database. But there it would be useful to have some kind 
of key=value pairs of data, like username=foo mailbox=bar without having to 
parse it from the text, which could be difficult to do 100% correctly. So maybe 
some day Dovecot's whole logging system could be redesigned to support that as 
well.

Anyway, all of this is something that I don't see myself having time to 
implement anytime soon.



Re: [Dovecot] proxy: get rid of redundant log-informations

2013-09-21 Thread Reindl Harald


Am 21.09.2013 23:37, schrieb Timo Sirainen:
 On 14.8.2013, at 17.37, Reindl Harald h.rei...@thelounge.net wrote:
 
 login_log_format_elements = user=%u method=%m rip=%r %k

 is it possible to get rid of the proxy(t...@testserver.rhsoft.net): started 
 proxying to 127.0.0.1:143:  part
 because on a proxy-only server i know that and it is explicitly not listed 
 in login_log_format_elements
 
 Different people want different things logged. I think if I started adding 
 settings to control those from Dovecot configuration it would quickly become 
 a horribly complex mess

not really, take a look again at both

login_log_format_elements  = user=%u %r %m %c
login_log_format   = %$: %s

in fact i would only need login_log_format = %s but in case of failed logins
and dictionary attacks with unknown users %u is empty - if %u would *always*
contain the used loginname, whether it was successful or not i would have
any needed information without the duplication







Re: [Dovecot] proxy: get rid of redundant log-informations

2013-09-21 Thread Reindl Harald
Am 22.09.2013 00:07, schrieb Reindl Harald:
 Am 21.09.2013 23:37, schrieb Timo Sirainen:
 On 14.8.2013, at 17.37, Reindl Harald h.rei...@thelounge.net wrote:

 login_log_format_elements = user=%u method=%m rip=%r %k

 is it possible to get rid of the proxy(t...@testserver.rhsoft.net): 
 started proxying to 127.0.0.1:143:  part
 because on a proxy-only server i know that and it is explicitly not listed 
 in login_log_format_elements

 Different people want different things logged. I think if I started adding 
 settings to control those from Dovecot configuration it would quickly become 
 a horribly complex mess
 
 not really, take a look again at both
 
 login_log_format_elements  = user=%u %r %m %c
 login_log_format   = %$: %s
 
 in fact i would only need login_log_format = %s but in case of failed logins
 and dictionary attacks with unknown users %u is empty - if %u would *always*
 contain the used loginname, whether it was successful or not i would have
 any needed information without the duplication

errata - the problem maybe was in case of failed logins you see no
difference without %$ compared to a successful login

login_log_format_elements  = status=%status %u %r %m %c
login_log_format   = %s

would perfectly solve this while %status or whatever placeholder would be 
failed / success





Re: [Dovecot] proxy: get rid of redundant log-informations

2013-09-21 Thread Reindl Harald


Am 22.09.2013 00:18, schrieb Reindl Harald:
 Am 22.09.2013 00:07, schrieb Reindl Harald:
 Am 21.09.2013 23:37, schrieb Timo Sirainen:
 Different people want different things logged. I think if I started adding 
 settings to control those from Dovecot configuration it would quickly 
 become a horribly complex mess

 in fact i would only need login_log_format = %s but in case of failed logins
 and dictionary attacks with unknown users %u is empty - if %u would *always*
 contain the used loginname, whether it was successful or not i would have
 any needed information without the duplication
 
 errata - the problem maybe was in case of failed logins you see no
 difference without %$ compared to a successful login
 
 login_log_format_elements  = status=%status %u %r %m %c
 login_log_format   = %s
 
 would perfectly solve this while %status or whatever placeholder would be 
 failed / success

sorry for the spam and for not putting it in one reply

login_log_format_elements = %status %u %r %m %c %cipher
login_log_format  = %s

Sep 21 18:39:47 localhost dovecot: imap-login: OK, rhs...@test.rh, 192.168.2.2, CRAM-MD5, DHE-RSA-CAMELLIA256-SHA

TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA for %k leads to linebreaks in tail -f which
makes it hard to follow while the proposed above contains any needed information and fits
on a 27" screen in a single line, in case of unencrypted %cipher would be simply suppressed

cat maillog | grep imap | grep "OK, "
cat maillog | grep imap | grep "failed, "

cat maillog | grep pop3 | grep "OK, "
cat maillog | grep pop3 | grep "failed, "
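As an added example (not Reindl's, Dovecot's or rsyslog's code), here is a Python reader for the compact login-line format proposed just above: it does what the rsyslog rule does (drops the "OK (disconnecting)" lines), counts failed logins per remote IP so the dictionary-attack case mentioned earlier stands out, and flags successful logins that negotiated an RC4 cipher, which the 2013 logs in this thread still show. The sample log lines, hostname, users and addresses are constructed.

```python
"""Read Dovecot login lines in the compact format proposed in this thread.

Added example, not Dovecot's or rsyslog's code. It assumes

    login_log_format_elements = %status %u %r %m %c %cipher
    login_log_format          = %s

renders as "<status>, <user>, <rip>, <mech>, <cipher>" with the status
"OK", "failed" or "OK (disconnecting)".
"""
from __future__ import annotations

import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"(?P<proto>imap|pop3)-login: (?P<status>OK|failed)"
    r"(?P<disconnect> \(disconnecting\))?[:,] "
    r"(?P<user>[^,]*), (?P<rip>[^,]+), (?P<mech>[^,]+), (?P<cipher>.*)$"
)

# Constructed sample log: documentation IP ranges, invented users and host.
SAMPLE_LOG = """\
Sep 21 18:39:47 mx1 dovecot: imap-login: OK, alice@example.net, 192.0.2.10, CRAM-MD5, DHE-RSA-CAMELLIA256-SHA
Sep 21 18:39:48 mx1 dovecot: imap-login: OK (disconnecting): alice@example.net, 192.0.2.10, CRAM-MD5, DHE-RSA-CAMELLIA256-SHA
Sep 21 18:40:01 mx1 dovecot: pop3-login: failed, admin, 203.0.113.7, PLAIN, RC4-SHA
Sep 21 18:40:02 mx1 dovecot: pop3-login: failed, root, 203.0.113.7, PLAIN, RC4-SHA
Sep 21 18:40:03 mx1 dovecot: pop3-login: failed, test, 203.0.113.7, PLAIN, RC4-SHA
Sep 21 18:40:04 mx1 dovecot: pop3-login: failed, info, 203.0.113.7, PLAIN, RC4-SHA
Sep 21 18:41:10 mx1 dovecot: pop3-login: failed, bob@example.net, 198.51.100.4, PLAIN, RC4-SHA
Sep 21 18:41:30 mx1 dovecot: pop3-login: OK, bob@example.net, 198.51.100.4, PLAIN, RC4-SHA
"""


def parse_login_line(line: str) -> dict | None:
    """Return the fields of one login line, or None if it is not in the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["disconnect"] = rec["disconnect"] is not None
    return rec


def keep_for_syslog(rec: dict) -> bool:
    """The rsyslog rule from the message above: drop 'OK (disconnecting)' lines
    and keep every other login line (failures and the first success)."""
    return not (rec["status"] == "OK" and rec["disconnect"])


def summarize(log: str, fail_threshold: int = 3) -> dict:
    """Count failed logins per remote IP, list the IPs at or over the threshold
    (the dictionary-attack pattern), and list successes negotiated with RC4."""
    kept = 0
    failed_by_rip: Counter[str] = Counter()
    rc4_logins: list[tuple[str, str, str]] = []
    for line in log.splitlines():
        rec = parse_login_line(line)
        if rec is None or not keep_for_syslog(rec):
            continue
        kept += 1
        if rec["status"] == "failed":
            failed_by_rip[rec["rip"]] += 1
        elif "RC4" in rec["cipher"].upper():
            rc4_logins.append((rec["user"], rec["rip"], rec["cipher"]))
    suspects = sorted(r for r, n in failed_by_rip.items() if n >= fail_threshold)
    return {
        "kept": kept,
        "failed_by_rip": dict(failed_by_rip),
        "suspect_rips": suspects,
        "rc4_logins": rc4_logins,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['kept']} lines kept after dropping disconnect lines")
    for rip in report["suspect_rips"]:
        print(f"possible dictionary attack from {rip}: "
              f"{report['failed_by_rip'][rip]} failed logins")
    for user, rip, cipher in report["rc4_logins"]:
        print(f"{user} from {rip} logged in with weak cipher {cipher}")
```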





Re: [Dovecot] proxy: get rid of redundant log-informations

2013-09-21 Thread Timo Sirainen
On 22.9.2013, at 1.29, Reindl Harald h.rei...@thelounge.net wrote:

 in fact i would only need login_log_format = %s but in case of failed logins
 and dictionary attacks with unknown users %u is empty - if %u would *always*
 contain the used loginname, whether it was successful or not i would have
 any needed information without the duplication

%u always has username as long as client sent it.

 errata - the problem maybe was in case of failed logins you see no
 difference without %$ compared to a successful login
 
 login_log_format_elements  = status=%status %u %r %m %c
 login_log_format   = %s
 
 would perfectly solve this while %status or whatever placeholder would be 
 failed / success
 
 sorry for the spam and not put it in one reply
 
 login_log_format_elements = %status %u %r %m %c %cipher
 login_log_format  = %s
 
 Sep 21 18:39:47 localhost dovecot: imap-login: OK, rhs...@test.rh, 192.168.2.2, CRAM-MD5, DHE-RSA-CAMELLIA256-SHA
 
 TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA for %k leads to linebreaks in tail -f which
 makes it hard to follow while the proposed above contains any needed information and fits
 on a 27" screen in a single line, in case of unencrypted %cipher would be simply suppressed
 
 cat maillog | grep imap | grep "OK, "
 cat maillog | grep imap | grep "failed, "
 
 cat maillog | grep pop3 | grep "OK, "
 cat maillog | grep pop3 | grep "failed, "

%$ is the status, so you're asking for another status variable. Something like 
in the attached patch, where you can replace %$ with %{login_status}?




