[Dovecot] SOLVED dovecot 2.0.13 using LDAP and proxying IMAP4 and POP3 to gmail

Volker Scheuber vscheuber at novell.com
Mon Jul 18 04:18:48 EEST 2011


Hi, 

I have found the solution to my issues in an old thread: 

http://dovecot.markmail.org/search/?q=proxy%20ldap#query:proxy%20ldap+page:1+mid:4b4t3r5r5htos5b5+state:results 

>>auth_bind = yes 
>>auth_bind_userdn = uid=%u,ou=People,dc=unisa,dc=it 
>If you have both of these enabled, Dovecot completely ignores pass_attrs. So if you want auth binds, you need to disable auth_bind_userdn setting.  

I indeed had both options enabled and thus my pass_attrs did not take effect. Once I removed auth_bind_userdn, the proxying worked as in my passwd-files configuration. 

Cheers. 
Volker

>>> "Volker Scheuber" <vscheuber at novell.com> 7/16/2011 1:46 PM >>>

Fellow dovecot users/contributors,

I am building a POP3/IMAP4 proxy solution for an enterprise, where users can login with their common username and then they get single sign-on to all kinds of different applications in the backend. Some of these applications are SaaS apps like gmail. For gmail in particular, I want dovecot to solve the following issues for me:

1. be an IMAP4/POP3 proxy in the enterprise, proxying client requests to mail.com.
2. change both username and password from what's coming in from the client to what's being proxied out to gmail.
3. use LDAP for authentication

As a prototype, I implemented #1 and #2 using passwd-files and after a few hours of trial and error, I got it to work and was able to login with "username" and "password" and was proxied through to gmail with "username at gmail.com" and "gmailpassword". Totally awesome.

Now I am stuck porting my working prototype from my laptop and passwd-files to my real lab environment and LDAP. I was able to get the authentication to work, but that's about it. I can't get dovecot to do the proxying. I searched the mailing list archives and saw other people having similar issues, but that was almost 4 years ago... The most promising thread similar to my requirements and issues was this one: http://www.dovecot.org/list/dovecot/2007-September/025740.html but it was never fully answered, nor did the suggestions given in that thread help me with my issue (but I did follow them).

Here is my current configuration:

dovecot -n
# 2.0.13: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32.36-0.5-default x86_64 SUSE Linux Enterprise Server 11 (x86_64) 
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
mail_location = mbox:~/mail:INBOX=/var/mail/%n
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  master = yes
  pass = yes
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

My ldap configuration is:

cat /usr/local/etc/dovecot/dovecot-ldap.conf.ext |grep -v ^##* |grep .
hosts = 127.0.0.1:389
dn = cn=user,ou=users,o=config
dnpass = password
auth_bind = yes
auth_bind_userdn = cn=%n,ou=users,o=data
ldap_version = 3
base = ou=users,o=data
deref = never
scope = subtree
user_attrs = =home=/var/mail,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = mail=user,userPassword=password,uid=proxy,=ssl=any-cert,city=host,description=pass,cn=nologin
pass_filter = (&(objectClass=posixAccount)(uid=%n))
iterate_filter = (objectClass=posixAccount)
default_pass_scheme = CRYPT

When connecting to dovecot through an IMAP client (evolution in my case) the dovecot log shows:

Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: auth client connected (pid=26601)
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=137.65.156.25 rip=164.99.195.4 lport=993 rport=49203 resp=AGFhYmVsbABOMHYzbGwxMjM0NTY=
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: client out: OK 1 user=aabell
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: master in: REQUEST 3762290689 26601 1 e9ff0815dea78591a5437731034c14aa
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): user search: base=ou=users,o=data scope=subtree filter=(&(objectClass=posixAccount)(uid=aabell)) fields=uidNumber,gidNumber
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): result: gidNumber(gid)=1001 uidNumber(uid)=1001
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: master out: USER 3762290689 aabell gid=1001 uid=1001 home=/var/mail
Jul 16 13:32:17 linux-1hen dovecot: imap-login: Login: user=<aabell>, method=PLAIN, rip=164.99.195.4, lip=137.65.156.25, mpid=26604, TLS

It doesn't even seem to be recognizing the extra fields I defined in pass_attrs. So I changed my ldap configuration to:

cat /usr/local/etc/dovecot/dovecot-ldap.conf.ext |grep -v ^##* |grep .
hosts = 127.0.0.1:389
dn = cn=supervisor,ou=sa,o=system
dnpass = n0v3ll123
auth_bind = yes
auth_bind_userdn = cn=%n,ou=users,o=data
ldap_version = 3
base = ou=users,o=data
deref = never
scope = subtree
user_attrs = mail=user,=home=/var/mail,uidNumber=uid,gidNumber=gid,=proxy=y,=ssl=any-cert,=host=209.85.225.109,description=pass,=nologin=y
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
iterate_filter = (objectClass=posixAccount)
default_pass_scheme = CRYPT

This time things looked much better, but still not good enough:

Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: auth client connected (pid=26787)
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=137.65.156.25 rip=164.99.195.4 lport=993 rport=57079 resp=AGFhYmVsbABOMHYzbGwxMjM0NTY=
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: client out: OK 1 user=aabell
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: master in: REQUEST 1597898753 26787 1 62fbc34468ae7853209715c05e11ad14
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): user search: base=ou=users,o=data scope=subtree filter=(&(objectClass=posixAccount)(uid=aabell)) fields=mail,uidNumber,gidNumber,description
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: auth(aabell,164.99.195.4): username changed aabell -> vscheuber at gmail.com
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: ldap(vscheuber at gmail.com,164.99.195.4): result: description(pass)=gmailpassword gidNumber(gid)=1001 uidNumber(uid)=1001 mail(user)=vscheuber at gmail.com
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: master out: USER 1597898753 vscheuber at gmail.com pass=gmailpassword gid=1001 uid=1001 home=/var/mail proxy=y ssl=any-cert host=209.85.225.109 nologin=y
Jul 16 13:36:12 linux-1hen dovecot: imap-login: Login: user=<aabell>, method=PLAIN, rip=164.99.195.4, lip=137.65.156.25, mpid=26790, TLS

I thought I'd also post here the log of my working prototype configuration with passwd-files. I would expect the ldap output to look similar in some key areas like proxying, but it doesn't:

Jul 15 15:04:25 vscdevws dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=::1 rip=::1 lport=143 rport=36444 resp=AHZzY2hldWJlcgBwYXNzd29yZA==
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: passwd-file(vscheuber,::1): lookup: user=vscheuber file=/etc/dovecot/users
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: auth(vscheuber,::1): username changed vscheuber -> vscheuber at gmail.com
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: client out: OK 1 user=vscheuber at gmail.com proxy host=209.85.225.109 port=993 ssl=any-cert pass=gmailpassword
Jul 15 15:04:26 vscdevws dovecot: imap-login: proxy(vscheuber at gmail.com): started proxying to 209.85.225.109:993: user=<vscheuber at gmail.com>, method=PLAIN, rip=::1, lip=::1, secured

If you read to this point, I say "thank you!" just for that. Please advise where my misconfiguration could be.

Thank you very much, I appreciate your time and help!
Volker
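A small configuration check for the pitfall resolved at the top of this thread, written as an added example rather than code from the thread or from Dovecot: it parses a dovecot-ldap.conf.ext in the key = value form shown above and reports when auth_bind = yes and auth_bind_userdn are both set while pass_attrs carries fields, since Dovecot then binds directly as the user and never applies pass_attrs (so the proxy/host/pass fields silently vanish). The inline sample config is constructed to mirror the first, non-working LDAP config in the thread.

```python
"""Lint dovecot-ldap.conf.ext for the auth_bind + auth_bind_userdn conflict
that makes Dovecot ignore pass_attrs (and any proxy fields carried in it)."""

# Constructed sample, modelled on the thread's first LDAP config.
BROKEN_CONF = """\
## LDAP passdb/userdb settings
hosts = 127.0.0.1:389
dn = cn=user,ou=users,o=config
dnpass = password
auth_bind = yes
auth_bind_userdn = cn=%n,ou=users,o=data
base = ou=users,o=data
pass_attrs = mail=user,userPassword=password,uid=proxy,=ssl=any-cert,city=host,description=pass,cn=nologin
pass_filter = (&(objectClass=posixAccount)(uid=%n))
"""


def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment; a later key overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def pass_attr_fields(value):
    """Return the Dovecot field names a pass_attrs value yields.

    Entries are 'ldapAttr=field' or '=field=constant' (empty LDAP attribute
    means a literal template), so the field name is the first token after
    the first '='."""
    fields = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        _ldap_attr, rest = item.split("=", 1)
        fields.append(rest.split("=", 1)[0])
    return fields


def lint(conf):
    """Return a list of findings (empty when the config is consistent)."""
    findings = []
    auth_bind = conf.get("auth_bind", "no").lower() == "yes"
    userdn = conf.get("auth_bind_userdn")
    fields = pass_attr_fields(conf.get("pass_attrs", ""))
    if auth_bind and userdn and fields:
        findings.append(
            f"auth_bind=yes together with auth_bind_userdn={userdn}: Dovecot "
            f"binds directly and skips the passdb search, so pass_attrs fields "
            f"{fields} are ignored; remove auth_bind_userdn to use them")
    return findings
```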
