Also I think dovecot-auth would need to support two kinds of IP
address %variables then. The proxy's and the client's. Which ones
should be the defaults? Client's, I think?

Client's, definitely. Since dovecot-auth should already know the proxy IP. A fun way I just thought up that might work in my situation (with some SQL magic.. aww.. if only I could figure out MySQL SPs :)) would be to have a delimiter character (like the master user) that I could append the client IP to the username. Then strip it out and the IP on the other side and use it for whatever I need to.