On 10/02/2020 19:17 Bjoern Jacke lists2020@j3e.de wrote:
Hi Aki,
On 10.02.20 17:03, Aki Tuomi wrote:
Try setting
login_trusted_networks = lb-ip/32
See https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networ...
I do have login_trusted_networks set already. Along with the proxy protocol (haproxy_trusted_networks = lb-ip) I had to set login_trusted_networks to 0.0.0.0/0 actually, because the proxy protocol tells dovecot the real client's IP address, and that IP address is the one actually evaluated for login_trusted_networks. With the plain authentication being done inside the load balancer's TLS connection, it is more or less obvious that this is needed in that case.
But those settings don't change the pity: ssl=no is globally required to make the starttls options disappear for imap-login, but with ssl=no globally I don't see a possibility to enable the starttls option for other services like managesieve, for example.
Thanks Björn
With haproxy you need to
- configure HAProxy to use the PROXYv1 or PROXYv2 protocol to pass connection details to dovecot. With recent enough dovecot, you can include TLS information from haproxy to dovecot.
- configure login_trusted_networks and haproxy_trusted_networks
- set 'haproxy=yes' to the listener you are connecting with haproxy, so dovecot knows to expect and parse the proxy protocol.
Aki
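The three steps Aki lists, written out as an added example; this is not configuration from the thread or from the Dovecot or HAProxy projects, and the addresses (203.0.113.10 for the public side, 10.0.0.5 for the load balancer, 10.0.0.11 for the Dovecot host), the port 10143 and the certificate path are assumed:

```conf
## haproxy.cfg (assumed): TLS terminates here; PROXY protocol v2 carries the
## real client address (and, with send-proxy-v2-ssl, the TLS state) to Dovecot.
frontend imap_tls
    mode tcp
    bind 203.0.113.10:993 ssl crt /etc/haproxy/certs/mail.pem
    default_backend dovecot_imap

backend dovecot_imap
    mode tcp
    # send-proxy-v2-ssl = PROXY v2 header plus the SSL TLV (the "TLS
    # information" Aki mentions); send-proxy-v2 sends a plain v2 header,
    # send-proxy a v1 header.
    # check-send-proxy makes the health check send the header as well;
    # without it Dovecot drops the check connection, because a haproxy=yes
    # listener expects a PROXY header on every connection.
    server mail1 10.0.0.11:10143 send-proxy-v2-ssl check check-send-proxy

## dovecot.conf (assumed addresses)
# Only these source addresses may send a PROXY header at all; a connection
# from anywhere else to a haproxy=yes listener is rejected.
haproxy_trusted_networks = 10.0.0.5/32
haproxy_timeout = 3 secs

# The address Dovecot evaluates here is the client address taken from the
# PROXY header, not the load balancer's, so it must cover every client that
# is allowed to authenticate in plaintext behind the TLS-terminating load
# balancer (as the thread above notes, 0.0.0.0/0 in practice).
login_trusted_networks = 0.0.0.0/0

service imap-login {
  # dedicated listener for the load balancer: haproxy = yes makes Dovecot
  # expect and parse the PROXY header on every connection. Bind it to the
  # internal interface so only the load balancer can reach it.
  inet_listener imap_haproxy {
    address = 10.0.0.11
    port = 10143
    haproxy = yes
  }
}
```

Two points to check before putting this into service: login_trusted_networks is a global setting, so with 0.0.0.0/0 any additional direct listener (a plain port-143 inet_listener, for instance) would also treat every client as trusted, which is why the example defines only the listener behind the load balancer; and haproxy_trusted_networks must stay limited to the load balancer addresses, since that is the only setting that stops an arbitrary host from forging a PROXY header with a chosen client address. Which Dovecot versions act on the SSL TLV sent by send-proxy-v2-ssl is not stated in the thread, so verify that on your version before relying on it.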