[Dovecot] SASL auth and proxy

[Ed W]

  On 01/10/2010 17:23, Timo Sirainen wrote:
> On Wed, 2010-09-29 at 17:07 +0200, mailing at securitylabs.it wrote:
>
>> Hello, I'm finding a way to have a pool of smtp-auth servers in front
>> of my actuals servers to permit relay to our customers. Now users sends
>> emails connecting to the right IP via mail.domain.tld, with
>> authentication. Every server has it's own user database in mysql.
>>
>> Can I use:
>>
>> http://wiki.dovecot.org/Authentication/MultipleDatabases
>>
>> to tell Dovecot to authenticate with every MySQL database on the servers
>> "behind"?
> Yes, but if you have many of them, that's quite a lot of unnecessary SQL
> lookups. And since they're done one at a time each lookup slows down the
> authentication.

I'm quite possibly missing the point, but you might restructure your 
application to have:

- one mysql db (replicated if necessary for robustness) with ALL 
customer data in it
- pool of postfix servers which auth to the remote db (they can be 
persuaded to cache auth results if you wish)

Optionally you could also adjust your structure to:
- first smtp server to be hit accepts mail
- transport map in sql which then directs that server to forward the 
mail onto the correct backend server
- remember that your transport map can indicate the use of other ports, 
eg you can have an optimised postfix installation which is only 
reachable from the frontend machines, but skips a load of 
address-rewriting/spam scanning, etc.  Configuration is a bit like the 
re-injection configu when using amavis

Could have completely missed the point, but this way you get a shared 
pool of frontend machines (so might as well spam/av block on them), 
which then use a transport map to get the mail internally to the correct 
mailbox server.  You can obviously also use a similar sql query to ask 
Dovecot frontend servers to proxy connections to the correct backend 
server...

Does that help at all?

Ed W