While toying around with Doveadmin HTTP api I noticed, there is not much hype around it. Let's change that.
Doveadmin REST API so to speak provides a web server. When doing /ajax/ requests, modern browsers block that, unless the response comes with a specific CORS header.
Here how to work around with a proxy:
# /etc/dovecot/local.conf doveadm_allowed_commands = fetch doveadm_api_key = secret service doveadm { inet_listener http { port = 8084 } } # secret64 = echo -n secret | base64 # /etc/apache/.../some-site.conf ProxyVia Block
RequestHeader set Authorization "X-Dovecot-API secret64" ProxyPass http://localhost:8084/doveadm/v1 retry=0 timeout=5 ProxyPassReverse http://localhost:8084/doveadm/v1 </Location>
Intranet only this might be good enough, TLS with username/password Basic-Authentication passthrough might be used for better security.
Shameless plug: taken from https://gist.github.com/hungerburg/00d582bf1a6bf3c622797bf5e759f75b
-- peter