[Dovecot] Dovecot 2 + Director: IMAP+GSSAPI and LMTP-proxying

1 Jun 2011 · _backend_

      Hi all,
I have a setup of some nodes running Dovecot 2.0.13 and Postfix 2.5.6
with storage in NFS and authentication happening with PAM.
Poking around in the wiki, I tried out different possibilities but now
I am stuck -- and are hoping for your (enlightening) comments and tips.
My planned setup for IMAP and LMTP is like this:
IMAP

A loadbalancer directs new sessions to a Dovecot-Director instance;
this extra amount of traffic routing is mostly done for automatic
handling in case of a failing Director node; this works fine, the
same IP will end always on the same backend, but user-based Directory
proxying seems more appropriate, especially taking the NFS-setup and
the delivery process into account

Then the  Director decides where to direct the user's session; this
works fine when I let the backend servers do the authentication work

The backend Dovecot server will happily provide the user's e-mail

For now my section for the passdb in the Director instance is
passdb {
driver = static
args = proxy=y nopassword=y
}
So the backend will do the authentication of the session. But this setup
inhibits using Kerberos, as the TGT is not forwarded to the backend
server.
I would very much like to provide GSSAPI/Kerberos authentication, which
already works fine with the backend servers being directly connected by
mail clients. The backend servers are using the PAM driver.
I could not figure out, how to setup the passdb entry for the director
instance to use PAM (this way enabling GSSAPI/Kerberos) and also giving
back the necessary "proxy=y" to make director proxying the IMAP session.
Is this setup feasible at all?
LMTP

Postfix accepts incoming e-mail and decides, which e-mail will go
the LMTP-way to be deliverd into a Dovecot mailbox with something
like
virtual_transport = lmtp:inet:DOVECOT-DIRECTORS-IP:LMTP-PORT-ABC

the Dovecot Director instance accepts the LMTP connections and
will proxy this to the appropriate==user's current backend server

For now Postfix delivers e-mails using LMTP to the _backend_ w/o
proxying and everything like SIEVE-filtering works fine:
virtual_transport = lmtp:inet:DOVECOT-BACKENDS-IP:LMTP-PORT-XYZ
But when I use the Director's IP/Port combination for LMTP, I see
an error "554 5.4.6 the@addr.ess Proxying loops to itself".
Where may I specify the port number of the backend server's
LMTP-port? I suspect that the missing port number implies that
the receiving LMTP-backend server uses the same port and so
this would lead to a loop, hence the loop error?!
I browsed the Wiki and the archives but still cannot find the
information I am looking for.
Any hints on that?
Cheers,
Dirk
And here's the director.conf (via doveconf -n):
# 2.0.13: /dovecot/code/etc/dovecot-director/director.conf
# OS: SunOS 5.10 sun4v
auth_debug = yes
auth_verbose = yes
base_dir = /var/run/director/
debug_log_path = /var/adm/dovecot-director.debug
director_mail_servers = <LOCAL-BACKEND-IP>
director_servers = <PUBLIC-DIRECTOR-IP>
lmtp_proxy = yes
login_greeting = Dovecot Director ready.
mail_debug = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date
passdb {
args = proxy=y nopassword=y
driver = static
}
protocols = imap lmtp
service auth-worker {
user = root
}
service auth {
client_limit = 6000
unix_listener auth-userdb {
mode = 0644
user = vmail
}
}
service director {
fifo_listener login/proxy-notify {
mode = 0666
}
inet_listener {
port = 9090
}
unix_listener director-userdb {
mode = 0600
}
unix_listener login/director {
mode = 0666
}
}
service imap-login {
executable = imap-login director
inet_listener imap {
port = 10143
}
inet_listener imaps {
port = 10993
ssl = yes
}
process_min_avail = 1
}
service imap {
process_limit = 1024
}
service lmtp {
inet_listener lmtp {
address = <LOCAL-DIRECTOR-IP>
port = 24242
}
}
ssl_cert = 
syslog_facility = local0
protocol lmtp {
auth_socket_path = director-userdb
}
--
Dirk Jahnke-Zumbusch              Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics              Member of the Helmholtz Association
D-22603 Hamburg                        Notkestrasse 85  / 22607 Hamburg
T: +49-40-899.81760   F: +49-40-899.41760  dirk.jahnke-zumbusch@desy.de

[Dovecot] Dovecot 2 + Director: IMAP+GSSAPI and LMTP-proxying

Jahnke-Zumbusch, Dirk

IMAP

LMTP