[Dovecot] Possible bug with proxy in 2.0.4

Ed W lists at wildgooses.com
Thu Sep 30 10:08:16 EEST 2010


On 30/09/2010 00:19, Timo Sirainen wrote:
> On 29.9.2010, at 23.03, Ed W wrote:
>
>> Specifically I cloned my 1.2 virtual machine, upgraded the clone to 2.0.4 and tested it by trying to login using CRAM-MD5.   I get the errors:
>>
>> Sep 29 22:50:30 mail_test dovecot: imap-login: Error: proxy: password not given: user=<demo at abc.com>, method=CRAM-MD5, rip=x.x.x.x, lip=x.x.x.x, mpid=0, TLS
> CRAM-MD5 doesn't work directly with proxying. It can't work, by CRAM-MD5 design. The only way to make it work is if your passdb lookup returns a password, either the user's actual password in plaintext or some master password, that the backends accepts with plaintext authentication.

I'm not quite sure I understand the nuances of that?

Yes, I do have a passdb (on the remote machine) which returns a plain 
password.  Actually, since it's DB driven, I have already returned all the 
information needed to auth the user on the proxying machine.

The password query is the same on both sides and it looks like:

password_query = SELECT NULLIF(mail_host, '%l') as proxy, \
NULLIF(mail_host, '%l') as host, \
     email as user, password, \
     home userdb_home, concat(home, '/', maildir) as userdb_mail, \
     2000 as userdb_uid, 2000 as userdb_gid \
     FROM users \
     WHERE email = if('%d'<>'','%u','%u at mailasail.com') and flag_active=1

The NULLIF stuff is a holdover from before the proxy code was enhanced 
in 1.2.  Basically the effect I'm trying to achieve is a couple of 
hybrid frontend/backend imap servers, where they will proxy between each 
other to get the user to the correct server.

>> I then change the configuration so that the 2.0.4 machine proxies the connection back to the 1.2 machine (again) and try to login to the 2.0.4 machine and get the same errors as above.  Seems like the error is only when proxying (needless to say, the old 1.2 machine works fine with CRAM and that's how it's normally accessed, so also does the 2.0.4 machine, it's only proxying one to the other which isn't apparently working?)
> If it worked with v1.2, it either wasn't proxying or it was doing something like I mentioned above.

I cannot be sure if I tried proxying with MD5 in 1.2 - with the 1.2 
installation the proxying is used very rarely.

That said, because of the prefetch configuration I'm using in this case, 
it doesn't seem impossible to make proxy work correctly with CRAM?


I don't have a protocol trace, but I'm getting the idea that the problem is 
that each server picks a different secret?  The proxy 
server would need to auth the user, whilst at the same time doing a 
different auth to the proxied server?  It seems a shame to remove CRAM 
as an option if I want proxying to work - do you see a way around this? 
(Feature request..?)

Thanks

Ed W
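An added illustration of the point Timo makes above (this is example code written for this page, not code from the thread, from Dovecot, or from either poster): a CRAM-MD5 answer is an HMAC over one specific server challenge, so the proxy can verify the client against its own challenge but cannot turn that answer into a valid one for the backend's different challenge. What it can do, if the passdb lookup returned the plaintext password, is authenticate to the backend with PLAIN on the client's behalf. The passdb contents and challenge strings are constructed; the user address is the one from the log line in the thread.

```python
import base64
import hashlib
import hmac

# Constructed passdb: user -> plaintext password (stand-in for the SQL
# password_query). The password is a made-up value for this example.
PASSDB = {"demo@abc.com": "correct-horse"}


def lookup_password(username: str):
    """Return the plaintext password for a user, or None if unknown."""
    return PASSDB.get(username)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): '<user> hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(response: str, challenge: bytes) -> bool:
    """Server side: recompute the digest for *this server's* challenge and compare."""
    username, _, digest = response.partition(" ")
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def sasl_plain(username: str, password: str) -> str:
    """SASL PLAIN initial response: base64(authzid NUL authcid NUL passwd), empty authzid."""
    return base64.b64encode(b"\0" + username.encode() + b"\0" + password.encode()).decode()


def verify_plain(initial_response: str) -> bool:
    """Server side of PLAIN: decode the triple and compare the password with the passdb."""
    parts = base64.b64decode(initial_response).split(b"\0")
    if len(parts) != 3:
        return False
    _authzid, authcid, passwd = parts
    stored = lookup_password(authcid.decode())
    return stored is not None and hmac.compare_digest(stored.encode(), passwd)


def proxy_login(username: str, client_password: str,
                proxy_challenge: bytes, backend_challenge: bytes) -> dict:
    """
    Model the hop discussed in the thread. Returns which steps succeed:
      proxy_ok  - the proxy verified the client's CRAM-MD5 answer to its own challenge
      replay_ok - that same answer, forwarded unchanged to the backend, verifies
                  against the backend's own challenge (it does not when the
                  challenges differ, which is why CRAM-MD5 cannot be proxied as-is)
      plain_ok  - the proxy, holding the plaintext password from the passdb,
                  logs in to the backend with PLAIN on the client's behalf
    """
    response = cram_md5_response(username, client_password, proxy_challenge)
    proxy_ok = verify_cram_md5(response, proxy_challenge)
    replay_ok = verify_cram_md5(response, backend_challenge)
    plain_ok = False
    if proxy_ok:
        stored = lookup_password(username)
        plain_ok = verify_plain(sasl_plain(username, stored))
    return {"proxy_ok": proxy_ok, "replay_ok": replay_ok, "plain_ok": plain_ok}


if __name__ == "__main__":
    # Constructed challenges in the RFC 2195 "<random.timestamp@host>" shape.
    print(proxy_login("demo@abc.com", "correct-horse",
                      b"<1896.1285830000@proxy.example>",
                      b"<4427.1285830001@backend.example>"))
```

Running it prints proxy_ok and plain_ok as True and replay_ok as False. The same model also shows the flip side of the design: with no plaintext (or master) password available to the proxy, plain_ok can never become True, which is the constraint the reply describes.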


More information about the dovecot mailing list