[Dovecot] A new director service in v2.0 for NFS installations
Brandon Davidson
brandond at uoregon.edu
Tue Jun 1 01:59:13 EEST 2010
Timo,
On 5/31/10 6:04 AM, "Timo Sirainen" <tss at iki.fi> wrote:
> Well .. maybe you could use separate services. Have the proxy listen on
> public IP and the backend listen on localhost. Then you can do:
>
> local_ip 127.0.0.1 {
>   passdb {
>     ..
>   }
> }
>
> and things like that. I think it would work, but I haven't actually
> tried.
It doesn't seem to be honoring the passdb setting within the local block.
I've got a single host set up with director, and itself listed as a mail
server:
director_servers = 128.223.142.138
director_mail_servers = 128.223.142.138
userdb {
  driver = passwd
}
passdb {
  driver = sql
  args = /etc/dovecot/proxy-sqlite.conf
}
local 127.0.0.1 {
  passdb {
    driver = pam
  }
}
If I telnet to localhost and attempt to log in, the logs show:
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client in: AUTH 1
PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1
lport=143 rport=60417 resp=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: sql(brandond,127.0.0.1):
query: SELECT null AS password, 'Y' AS nopassword, 'Y' AS proxy
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client out: OK 1
user=brandond proxy pass=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client in: AUTH 1
PLAIN service=imap secured lip=128.223.142.138
rip=128.223.142.138 lport=143 rport=44453 resp=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug:
sql(brandond,128.223.142.138): query: SELECT null AS password, 'Y' AS
nopassword, 'Y' AS proxy
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client out: OK 1
user=brandond proxy pass=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: imap-login: Error: Proxying loops to
itself: user=<brandond>, method=PLAIN, rip=128.223.142.138,
lip=128.223.142.138, secured, mailpid=0
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: new auth connection:
pid=4700
May 31 14:39:34 cc-popmap7 dovecot: imap-login: Disconnected (auth failed, 1
attempts): user=<brandond>, method=PLAIN, rip=128.223.142.138,
lip=128.223.142.138, secured, mailpid=0
Even if the alternate passdb worked, how would I get it to connect to the
backend on localhost? It looks like the proxy connection comes in over the
external IP even if it's to itself, as the external address is what's
specified as the proxy destination by the director.
I do have a private network that I run NFS over; I suppose I could run the
proxy on the external, backend on the internal, and use only the internal
IPs in the mailserver list. I've also tried that, but it doesn't seem to
work either due to the passdb setting not being honored within local|remote
blocks.
Even if it did, wouldn't it still complain about the proxy looping back to
itself since lip and rip would both be local addresses? Unless the
loopback check just compares to see if they're the same... Either way, it
seems like having proxy_maybe work with the director service would make the
whole setup a lot simpler.
> There's not yet a static passdb .. perhaps there should be. But you
> could use e.g. sqlite backend for the proxy and use:
>
> password_query = select null as password, 'Y' as nopassword, 'Y' as
> proxy
That seems to work well enough, with the major caveat noted above.
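
Added example, not part of the original message and not Dovecot code: a Python script that replays the auth debug lines quoted above, records which passdb driver answered each login hop, and flags hops where the driver expected for that local IP was not the one used. The sample log is the excerpt from the post with wrapped lines rejoined; the function names and the `expected` mapping are assumptions made for illustration, and pairing each passdb line with the preceding AUTH line assumes a single, non-interleaved session as in this excerpt.

```python
import re

# Sample input: the log excerpt quoted in the post, wrapped lines rejoined.
SAMPLE_LOG = """\
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=60417 resp=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: sql(brandond,127.0.0.1): query: SELECT null AS password, 'Y' AS nopassword, 'Y' AS proxy
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client out: OK 1 user=brandond proxy pass=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=128.223.142.138 rip=128.223.142.138 lport=143 rport=44453 resp=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: sql(brandond,128.223.142.138): query: SELECT null AS password, 'Y' AS nopassword, 'Y' AS proxy
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client out: OK 1 user=brandond proxy pass=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: imap-login: Error: Proxying loops to itself: user=<brandond>, method=PLAIN, rip=128.223.142.138, lip=128.223.142.138, secured, mailpid=0
"""

AUTH_IN = re.compile(r"auth: Debug: client in: AUTH \d+ \S+ .*?\blip=(\S+) rip=(\S+)")
PASSDB = re.compile(r"auth: Debug: (\w+)\(([^,]+),([^)]+)\): ")   # driver(user,rip):
AUTH_OUT = re.compile(r"auth: Debug: client out: OK \d+ user=\S+(.*)")
LOOP = re.compile(r"imap-login: Error: Proxying loops to itself: .*?rip=([^,]+), lip=([^,]+)")


def trace_hops(log_text):
    """Return (hops, loops): one dict per AUTH request, one per loop error."""
    hops, loops = [], []
    for line in log_text.splitlines():
        if m := AUTH_IN.search(line):
            hops.append({"lip": m[1], "rip": m[2], "driver": None,
                         "user": None, "proxied": False})
        elif (m := PASSDB.search(line)) and hops:
            hops[-1]["driver"], hops[-1]["user"] = m[1], m[2]
        elif (m := AUTH_OUT.search(line)) and hops:
            hops[-1]["proxied"] = " proxy" in m[1]   # reply carried the proxy field
        elif m := LOOP.search(line):
            loops.append({"rip": m[1], "lip": m[2]})
    return hops, loops


def misrouted(hops, expected):
    """Hops whose local IP has an expected passdb driver but another one answered."""
    return [h for h in hops
            if h["lip"] in expected and h["driver"] != expected[h["lip"]]]


if __name__ == "__main__":
    hops, loops = trace_hops(SAMPLE_LOG)
    for h in hops:
        print(h)
    # Per the config in the post, logins arriving on 127.0.0.1 should hit pam.
    print("misrouted:", misrouted(hops, {"127.0.0.1": "pam"}))
    print("loops:", loops)
```

Run against the excerpt, both hops are answered by the sql passdb with the proxy field set, so the 127.0.0.1 hop is flagged and the second hop ends in the loop error.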