starttls for some services only

Aki Tuomi aki.tuomi at open-xchange.com
Mon Feb 10 21:34:54 EET 2020


> On 10/02/2020 19:17 Bjoern Jacke <lists2020 at j3e.de> wrote:
> 
>  
> Hi Aki,
> 
> On 10.02.20 17:03, Aki Tuomi wrote:
> > Try setting
> > 
> > login_trusted_networks = lb-ip/32
> > 
> > See 
> > https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks
> 
> I do have login_trusted_networks set already. Along with the proxy
> protocol (haproxy_trusted_networks = lb-ip) I had to set
> login_trusted_networks to 0.0.0.0/0 actually because the proxy protocol
> tells dovecot the real clients' IP address and that IP address is the one
> actually evaluated for login_trusted_networks. With the plain
> authentication being done inside the load balancer's TLS connection this
> is more or less obvious that this is needed in that case.
> 
> But those settings don't change the pity: ssl=no is globally required to
> make the starttls options disappear for imap-login - but with ssl=no
> globally I don't see a possibility to enable the starttls option for
> other services like managesieve for example.
> 
> Thanks
> Björn

With haproxy you need to

 - configure HAProxy to use the PROXYv1 or PROXYv2 protocol to pass connection details to dovecot. With a recent enough dovecot, haproxy can also pass TLS information to dovecot.
 - configure login_trusted_networks and haproxy_trusted_networks
 - set 'haproxy=yes' on the listener you are connecting to with haproxy, so dovecot knows to expect and parse the proxy protocol.

Aki
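The three steps above written out as an added configuration example (not taken from the thread or from the Dovecot or HAProxy projects); the addresses 10.0.0.5 (load balancer) and 10.0.0.11 (Dovecot backend) are placeholders.

```conf
# --- HAProxy side (haproxy.cfg excerpt) ---
# The backend forwards the real client address to Dovecot with the
# PROXY protocol. send-proxy-v2-ssl additionally carries the TLS
# details of the session HAProxy terminated in front of Dovecot.
backend dovecot_imap
    mode tcp
    server mail1 10.0.0.11:143 check send-proxy-v2-ssl

# --- Dovecot side (dovecot.conf excerpt) ---
# Only the load balancer may send a PROXY header; anything else
# claiming to speak PROXY protocol is rejected.
haproxy_trusted_networks = 10.0.0.5/32

# As the thread notes, this is matched against the address taken from
# the PROXY header, i.e. the real client, which is why the reporter ended
# up with 0.0.0.0/0. Caveat: that range also lifts the
# disable_plaintext_auth restriction for every client, so it is only
# acceptable when the listener is reachable through the load balancer's
# TLS front end and nowhere else.
login_trusted_networks = 0.0.0.0/0

service imap-login {
  inet_listener imap {
    port = 143
    # Expect and parse the PROXY header on this listener only.
    haproxy = yes
  }
}
```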
