Hello Sami,
Thanks for the info. I have the following implemented and working.
I am only using the Director nodes to map users to the same backend server. I perform all auth and message deliver/retrieval on the backend servers.
Director Nodes:
auth_master_user_separator = *
passdb {
driver = passwd-file
args = /etc/dovecot/conf.d/lasso-master-user-password
master = yes
pass = yes
}
passdb {
driver = static
args = proxy=y nopassword=y password=doesnotmatter
}
Backend Nodes:
auth_master_user_separator = *
passdb {
driver = passwd-file
args = /etc/dovecot/conf.d/master-user-password
master = yes
pass = yes
}
passdb {
driver = sql
args = /etc/dovecot/conf.d/sql.conf.ext
}
userdb {
driver = sql
args = /etc/dovecot/conf.d/sql.conf.ext
}
userdb {
driver=prefetch
}
I have read the docs that state configuring Director in this way can expose the service to issues if large amounts of unknown user requests are sent to the Director nodes. I can manage this risk by ensuring proper rate limiting is in place in the load balancers in front of Director nodes.
I would love to hear your thoughts on the configuration.
Thank in advance.
On Feb 16 2018, at 3:02 am, Sami Ketola sami.ketola@dovecot.fi wrote:
On 15 Feb 2018, at 22.16, Travis Dolan <travis.dolan@gmail.com> wrote:
It would look as though the changes have now negatively affected a "normal" user from logging in.
telnet host 143
a login username password
a NO [AUTHENTICATIONFAILED] Authentication failed.
telnet host 143
1 login devteam*masteruser@example.com password
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST- EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in
What do you think?
So your director is the first entry point where the end users connect?
in that case your director should have passdb setup that verifies the user password and then
switches the session to use master password when forwarding the connection to backend.
something like this in director:
passdb {
driver = passwd-file
args = /data/mail.passwd
result_success = continue-ok
}
passdb {
driver = static
args = pass=masterpassword
skip = unauthenticated
}
and in backend:
passdb {
driver = static
args = password=masterpassword
}
Sami