[Dovecot] Director and CRAM-MD5

Timo Sirainen tss at iki.fi
Thu Oct 14 18:38:32 EEST 2010


On Wed, 2010-10-13 at 10:53 +0200, Martin Spuetz wrote:

> I have a setup with two director servers pointing to two backends. I
> don't care that much for load balancing, my main goal is high availability.
> 
> CRAM-MD5 auth is working fine if I connect directly to the backends, but
> the director only supports AUTH=PLAIN because of the static passdb.

Yeah. The problem is that with CRAM-MD5 the username can't be known
until the authentication is started. But the authentication can't be
started until the backend server is known, which of course can't be
known until the username is known..

So the only way to make CRAM-MD5 work with proxying is to have the client
authenticate with CRAM-MD5 against the proxy. The proxy then does a
separate authentication against the backend server (e.g. using a master
proxy password that allows authenticating against anyone).

Or if you only care about HA, maybe you shouldn't use the director at all
and just have an active/passive pair of servers.
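
The exchange described in the reply above, as an added example that is not part of the original post and is not Dovecot code: a CRAM-MD5 (RFC 2195) response carries the username only inside the answer to a server-chosen challenge, so the proxy must issue and verify the challenge itself before it can choose a backend. The names `SECRETS`, `ROUTES`, `proxy_login` and all sample values are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample data: the proxy needs the user's secret to verify
# CRAM-MD5 itself, plus a username -> backend mapping.
SECRETS = {"alice": "constructed-secret"}
ROUTES = {"alice": "backend1"}

def make_challenge(nonce: str, host: str) -> bytes:
    """Server side: base64 of a msg-id style string chosen by the server."""
    return base64.b64encode(f"<{nonce}@{host}>".encode())

def client_response(user: str, password: str, challenge_b64: bytes) -> bytes:
    """Client side: base64("user " + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def parse_response(response_b64: bytes):
    """The username first becomes visible here, after the challenge was sent."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    return user, digest

def verify(response_b64: bytes, challenge_b64: bytes, secrets: dict):
    """Return the username if the digest matches this exact challenge."""
    user, digest = parse_response(response_b64)
    password = secrets.get(user)
    if password is None:
        return None
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None

def proxy_login(response_b64: bytes, proxy_challenge: bytes):
    """Proxy terminates CRAM-MD5, then routes by the verified username.
    The backend login that follows is a separate authentication."""
    user = verify(response_b64, proxy_challenge, SECRETS)
    return (ROUTES[user], user) if user else None

if __name__ == "__main__":
    proxy_ch = make_challenge("1111.1", "proxy.example")
    backend_ch = make_challenge("2222.2", "backend1.example")
    resp = client_response("alice", "constructed-secret", proxy_ch)
    print("routed:", proxy_login(resp, proxy_ch))
    # The same response is useless against the backend's own challenge,
    # which is why it cannot simply be relayed.
    print("relayed to backend:", verify(resp, backend_ch, SECRETS))
```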


