Also I think dovecot-auth would need to support two kinds of IP
address %variables then. The proxy's and the client's. Which ones
should be the defaults? Client's, I think?
Clients, definitely. Since dovecot-auth should already know the proxy IP. A fun way I just thought up that might work in my situation (with some SQL magic.. aww.. if only I could figure out MySQL SPs :)), would be to have a delimiter character (like the master user) that I could append the client IP to the username. Then strip it out and the IP on the other side and use it for whatever I need to.