Re: Director & Master Users
Hello Sami, Thanks for the info. I have the following implemented and working. I am only using the Director nodes to map users to the same backend server. I perform all auth and message deliver/retrieval on the backend servers. Director Nodes: auth_master_user_separator = * passdb { driver = passwd-file args = /etc/dovecot/conf.d/lasso-master-user-password master = yes pass = yes } passdb { driver = static args = proxy=y nopassword=y password=doesnotmatter } Backend Nodes: auth_master_user_separator = * passdb { driver = passwd-file args = /etc/dovecot/conf.d/master-user-password master = yes pass = yes } passdb { driver = sql args = /etc/dovecot/conf.d/sql.conf.ext } userdb { driver = sql args = /etc/dovecot/conf.d/sql.conf.ext } userdb { driver=prefetch } I have read the docs that state configuring Director in this way can expose the service to issues if large amounts of unknown user requests are sent to the Director nodes. I can manage this risk by ensuring proper rate limiting is in place in the load balancers in front of Director nodes. I would love to hear your thoughts on the configuration. Thank in advance. On Feb 16 2018, at 3:02 am, Sami Ketola wrote: > > > > >> On 15 Feb 2018, at 22.16, Travis Dolan <[travis.do...@gmail.com](mailto:travis.do...@gmail.com)> wrote: >> >> >> >> It would look as though the changes have now negatively affected a "normal" user from logging in. >> >> >> >> telnet host 143 >> >> a login username password >> >> >> >> a NO [AUTHENTICATIONFAILED] Authentication failed. >> >> >> >> telnet host 143 >> >> 1 login [devteam*masteru...@example.com](mailto:devteam*masteru...@example.com) password >> >> >> >> 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST- EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in >> >> >> >> What do you think? > > > > So your director is the first entry point where the end users connect? > > > > in that case your director should have passdb setup that verifies the user password and then > > switches the session to use master password when forwarding the connection to backend. > > > > something like this in director: > > > > passdb { > > driver = passwd-file > > args = /data/mail.passwd > > result_success = continue-ok > > } > > > > passdb { > > driver = static > > args = pass=masterpassword > > skip = unauthenticated > > } > > > > > > and in backend: > > > > passdb { > > driver = static > > args = password=masterpassword > > } > > > > Sami > > > >
Re: Director & Master Users
> On 15 Feb 2018, at 22.16, Travis Dolan wrote: > > It would look as though the changes have now negatively affected a "normal" > user from logging in. > > > telnet host 143 > > a login username password > > > a NO [AUTHENTICATIONFAILED] Authentication failed. > > > telnet host 143 > > 1 login devteam*masteru...@example.com password > > > 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE > SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT > MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS > LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN > CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in > > > What do you think? > So your director is the first entry point where the end users connect? in that case your director should have passdb setup that verifies the user password and then switches the session to use master password when forwarding the connection to backend. something like this in director: passdb { driver = passwd-file args = /data/mail.passwd result_success = continue-ok } passdb { driver = static args = pass=masterpassword skip = unauthenticated } and in backend: passdb { driver = static args = password=masterpassword } Sami
Re: Director & Master Users
It would look as though the changes have now negatively affected a "normal" user from logging in. telnet host 143 a login username password a NO [AUTHENTICATIONFAILED] Authentication failed. telnet host 143 1 login devteam*masteru...@example.com password 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST- EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in What do you think? Thanks. On Feb 15 2018, at 3:19 pm, Travis Dolan wrote: > Awesome, thanks for the advice. Using the following now works... > > passdb { > > driver = static > > args = proxy=y password=doesnotmatter > > } > > Cheers. > > On Feb 15 2018, at 2:40 pm, Aki Tuomi wrote: > >> > On 15 February 2018 at 20:22 Travis Dolan wrote: > > > Hello, > > I have Director setup to proxy requests to backend servers. This works fine > when using "standard" username/passwords. > > I am not try to enable the use of the Dovecot Master user through Director > into the backend servers. > > a.) username is being sent as masteruser*username > b.) request hits the proxy and authenticates, and then is passed to the > backend servers and fails auth. > > \- logs from proxy/Director point of view. > > auth: Info: > passwd-file(masteruser,172.31.33.224,master,): Master > user logging in as devteam > > imap-login: Info: proxy(devteam): Login failed to backend.servers:143 > (master masteruser): [AUTHENTICATIONFAILED] Authentication failed.: > user=, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20, > session= l6P+sHyHg> > > \- logs from backend server point of view. > > imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): > user=, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99, > session= > > > Proxy/Director Configs (hopefully this is enough) > > auth_master_user_separator = * > passdb { > driver = passwd-file > args = /etc/dovecot/conf.d/master-user-password > master = yes > pass = yes > } > > passdb { > driver = static > args = proxy=y nopassword=y > } > > Please let me know if I can provide any further details. > > Thanks in advance. >> >> You could consider using "master password" instead. >> >> This works so that you configure proxy to use pass=some_static_password as the password forward, and you can then use static passdb in director, as in >> >> passdb { driver = static args = password=some_static_password } >> >> This way you don't need to setup master user authentication. >> >> Aki
Re: Director & Master Users
Awesome, thanks for the advice. Using the following now works... passdb { driver = static args = proxy=y password=doesnotmatter } Cheers. On Feb 15 2018, at 2:40 pm, Aki Tuomi wrote: > > On 15 February 2018 at 20:22 Travis Dolan wrote: > > > Hello, > > I have Director setup to proxy requests to backend servers. This works fine > when using "standard" username/passwords. > > I am not try to enable the use of the Dovecot Master user through Director > into the backend servers. > > a.) username is being sent as masteruser*username > b.) request hits the proxy and authenticates, and then is passed to the > backend servers and fails auth. > > \- logs from proxy/Director point of view. > > auth: Info: > passwd-file(masteruser,172.31.33.224,master,): Master > user logging in as devteam > > imap-login: Info: proxy(devteam): Login failed to backend.servers:143 > (master masteruser): [AUTHENTICATIONFAILED] Authentication failed.: > user=, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20, > session= l6P+sHyHg> > > \- logs from backend server point of view. > > imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): > user=, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99, > session= > > > Proxy/Director Configs (hopefully this is enough) > > auth_master_user_separator = * > passdb { > driver = passwd-file > args = /etc/dovecot/conf.d/master-user-password > master = yes > pass = yes > } > > passdb { > driver = static > args = proxy=y nopassword=y > } > > Please let me know if I can provide any further details. > > Thanks in advance. > > You could consider using "master password" instead. > > This works so that you configure proxy to use pass=some_static_password as the password forward, and you can then use static passdb in director, as in > > passdb { driver = static args = password=some_static_password } > > This way you don't need to setup master user authentication. > > Aki
Re: Director & Master Users
> On 15 February 2018 at 20:22 Travis Dolan wrote: > > > Hello, > > I have Director setup to proxy requests to backend servers. This works fine > when using "standard" username/passwords. > > I am not try to enable the use of the Dovecot Master user through Director > into the backend servers. > > a.) username is being sent as masteruser*username > b.) request hits the proxy and authenticates, and then is passed to the > backend servers and fails auth. > > - logs from proxy/Director point of view. > > auth: Info: > passwd-file(masteruser,172.31.33.224,master,): Master > user logging in as devteam > > imap-login: Info: proxy(devteam): Login failed to backend.servers:143 > (master masteruser): [AUTHENTICATIONFAILED] Authentication failed.: > user=, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20, > session= l6P+sHyHg> > > - logs from backend server point of view. > > imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): > user=, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99, > session= > > > Proxy/Director Configs (hopefully this is enough) > > auth_master_user_separator = * > passdb { > driver = passwd-file > args = /etc/dovecot/conf.d/master-user-password > master = yes > pass = yes > } > > passdb { > driver = static > args = proxy=y nopassword=y > } > > Please let me know if I can provide any further details. > > Thanks in advance. You could consider using "master password" instead. This works so that you configure proxy to use pass=some_static_password as the password forward, and you can then use static passdb in director, as in passdb { driver = static args = password=some_static_password } This way you don't need to setup master user authentication. Aki
Director & Master Users
Hello, I have Director setup to proxy requests to backend servers. This works fine when using "standard" username/passwords. I am not try to enable the use of the Dovecot Master user through Director into the backend servers. a.) username is being sent as masteruser*username b.) request hits the proxy and authenticates, and then is passed to the backend servers and fails auth. - logs from proxy/Director point of view. auth: Info: passwd-file(masteruser,172.31.33.224,master,): Master user logging in as devteam imap-login: Info: proxy(devteam): Login failed to backend.servers:143 (master masteruser): [AUTHENTICATIONFAILED] Authentication failed.: user=, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20, session= - logs from backend server point of view. imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99, session= Proxy/Director Configs (hopefully this is enough) auth_master_user_separator = * passdb { driver = passwd-file args = /etc/dovecot/conf.d/master-user-password master = yes pass = yes } passdb { driver = static args = proxy=y nopassword=y } Please let me know if I can provide any further details. Thanks in advance.