I’m in the process of setting up a Dovecot IMAP proxy to handle a number of IMAP server domains. At the current time, I have my users divided into 70 different groups of users (call them G1 to G70). I want each group to configure their email client to access their mailboxes at a domain name based on the group they belong to (e.g., g1.example.com http://g1.example.com/, g2.example.com http://g2.example.com/, …, g70.example.com http://g70.example.com/). I will only support TLS encrypted IMAP connections to the Dovecot IMAP proxy (‘ssl=yes’ in the inet_listener). My SSL cert has alternate names for all 70 group domain names.
I want the group domain to only support users that have been assigned to the group the domain name represents. That is, a user assigned to G23 would only be allowed to configure their email client for the IMAP server named g23.example.com http://g23.example.com/.
My solution during testing has been to have the Dovecot IMAP proxy to listen on different ports: 9930-9999. I plan to purchase 70 IPs, one for each group, and redirect traffic on port 993 to the appropriate Dovecot IMAP proxy port based on the IP I assign to the group domain name in the site’s DNS. The SQL for handling the IMAP login uses the port number of the inet_listener
I think this could work in production, but it will cost me extra to rent the 70 IPs and might be a pain to manage. Eventually, I would like to have over 5,000 groups so requiring an IP per group is less than ideal. I also think having Dovecot IMAP proxy have 5,000 inet_listeners might not work so well or might create too many threads/processes/ports to fit on a small proxy server.
I would rather have 1 public IP for each Dovecot IMAP proxy and somehow communicate to the userdb which group domain name was configured in the email client so only the users assigned to this group can login with that username.
Anyone have any ideas?
For HTTP traffic, it is easy to query the host in the HTTP Request, but I don’t think IMAP traffic has such host info in it. Does the Dovecot IMAP proxy receive the hostname from the email client when exchanging SSL certs (like SNI for HTTPS)?
Or, maybe I should have group domain in the username used to log in with (e.g., username+g23@example.com mailto:username+g23@example.com or username@g23.example.com mailto:username@g23.example.com). I don’t like to make the user configure their email client to log in with a name that is different than their mailbox address. It is simpler to just have them configure their email client with username@example.com mailto:username@example.com for both authorization and for the from/sender headers in the messages.
Anyway, any ideas of how to set this up in production?