[Dovecot] Dovecot load balancing

Eric Toczek eric at flerd.com
Thu Jul 31 17:18:22 EEST 2008


Thomas Hummel wrote:
> On Thu, Jul 31, 2008 at 03:26:06PM +0200, Thomas Hummel wrote:
>> I don't quite understand the proxy_maybe option:

The proxy_maybe allows you to have a user log into a server that is both
doing proxy logins for another host as well as local logins. So User A
connects into server 1, they live on server 2, so server 1 proxies the
connection onto server 2. User B connects into server 1 and they live on
server 1, so proxy_maybe allows the connection to be made directly even
though their proxy setting says they go to a specific host (which
happens to be server 1).

> Also, 2 things which aren't quite clear to me in the Wiki :
>
> a) Password forwarding
>
> Make sure that the authentication succeeds with any given password. You can do this by using empty passwords. v1.1+ requires also that you return nopassword field.
>
> -> Does that mean that the proxy has to accept only empty passwords and that
>    that's the actual imap server that will deal with the actual password?

The destination host must be set to allow plain text passwords.

> b) The connections created to the destination server can't be TLS/SSL encrypted.
>
> Does it still work if the client is using SSL/TLS to connect to the proxy?

Yes, the initial connection can be done using SSL/TLS. What happens is
the proxy will do the auth for the user using their password and if it
succeeds and they have a proxy attribute set up then the connection is made
to the destination host using a plaintext connection. What you can do is
set up a dovecot proxy host(s) that has no users assigned to that server
and allows only SSL/TLS connections, then on the backend a bunch of
servers that users get assigned to but they cannot have:

    disable_plaintext_auth = yes

in the configuration.
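
The layout described in this message, as an added configuration sketch (not part of the original post and not taken from the Dovecot project). It uses v1.x-style settings; the table and column names (users, userid, password, host) and the file layout are assumptions.

```conf
## Constructed example. Table/column names (users, userid, password, host)
## and the file layout are assumptions; settings are Dovecot v1.x style.

## --- Dedicated front-end proxy (no local users) ---
# dovecot.conf: offer only the TLS-wrapped services to clients.
protocols = imaps pop3s

# dovecot-sql.conf: password forwarding. The proxy accepts any password
# (NULL password + nopassword) and the backend named in "host" does the
# real verification with the password the client sent.
password_query = SELECT NULL AS password, 'Y' AS nopassword, host, 'Y' AS proxy FROM users WHERE userid = '%u'

## --- Alternative: server that also holds mailboxes (proxy_maybe) ---
# dovecot-sql.conf: logins whose "host" is this server's own IP are
# handled locally, so return the real password here rather than
# nopassword; that way a login that stays local is actually verified.
password_query = SELECT password, host, 'Y' AS proxy_maybe FROM users WHERE userid = '%u'

## --- Backend servers ---
# dovecot.conf: the proxy connects without TLS and logs in with the
# user's plaintext password, so this must not be "yes".
disable_plaintext_auth = no
```

The proxy-to-backend leg carries the user's password unencrypted, so it belongs on a network segment that only the proxy hosts can reach.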

