I’m trying to understand how the nginx mail proxy and dovecot work.
As I understand it, nginx can listen on an IP:port for IMAP connections. NGINX then can invoke a PHP script to do authorization and backend server selection.
Does NGINX then proxy to the backend dovecot IMAP server all subsequent IMAP commands that the user’s mail client requests?
Does the backend dovecot IMAP server do its own authentication with another MySQL password lookup? Or, since NGINX has done the authentication, the password_query lookup is skipped on the dovecot server? I assume the dovecot IMAP server still needs to do a MySQL user_query lookup (to find the location of the user’s mailbox on the server), but I am wondering whether the password will be checked twice, once by NGINX and a second time by dovecot IMAP.
Kevin
> On 02 Jun 2016, at 23:07, KT Walrus <kevin@my.walr.us> wrote:
> I’m trying to understand how the nginx mail proxy and dovecot work.
> As I understand it, nginx can listen on an IP:port for IMAP connections. NGINX then can invoke a PHP script to do authorization and backend server selection.
> Does NGINX then proxy to the backend dovecot IMAP server all subsequent IMAP commands that the user’s mail client requests?
> Does the backend dovecot IMAP server do its own authentication with another MySQL password lookup? Or, since NGINX has done the authentication, the password_query lookup is skipped on the dovecot server? I assume the dovecot IMAP server still needs to do a MySQL user_query lookup (to find the location of the user’s mailbox on the server), but I am wondering whether the password will be checked twice, once by NGINX and a second time by dovecot IMAP.
Hi,
you can always skip password check on dovecot side with static passdb that accepts all passwords if you are absolutely sure that the session has been authenticated earlier. Also you could switch the session from using user password to using a master password at the proxy if NGINX supports this.
btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do this for you too.
Sami
> btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do this for you too.
I want to do authentication using the IP that the IMAP client used to connect to the IMAP server. That is, I have 50 IPs, one for each state my users live in, so the users can only connect to the IMAP server using the domain name where their account is hosted (e.g., va.example.com for accounts in Virginia or ca.example.com for accounts in California). I figured it was fairly simple to have NGINX listen on the different IPs for the different IMAP servers and do the authentication based on the server IP that was used by the IMAP client and then route the request to the proper Dovecot backend.
I actually plan on using HAProxy to listen on each of the IPs and then proxy to an NGINX mail proxy listening on different ports (one for each proxied IP). NGINX would then have mail server sections for each port that invokes a PHP script passing in the domain name associated with the port (e.g., va.example.com). The PHP script would then use this domain name along with the user/password supplied by the mail client to do the auth check and backend dovecot server selection.
The only problem I see with using HAProxy and NGINX mail proxy is I think I will lose the client IP so the Dovecot logs won’t show this IP.
Can I use Dovecot Proxy to do the same thing? Will it use 50 threads to listen on the different IPs/ports or will it only have a small set of workers to do the proxying (like NGINX)?
Basically, I couldn’t figure out how to use Dovecot Proxy to do authentication based on the incoming IP/port or I would use it as the Dovecot Proxy will preserve the client IPs in the logs.
Even though I’m starting with 50 IPs for state-based mail servers without having to run 50 Dovecot servers, I will eventually have over 100 region-based IPs so I need the mail server to scale easily starting with only 1 or 2 backend mail servers and scaling gradually to many hundreds of servers.
Any thoughts on how to do this with Dovecot Proxy?
Kevin
> On Jun 3, 2016, at 4:27 AM, Sami Ketola <sami.ketola@dovecot.fi> wrote:
> Hi,
> you can always skip password check on dovecot side with static passdb that accepts all passwords if you are absolutely sure that the session has been authenticated earlier. Also you could switch the session from using user password to using a master password at the proxy if NGINX supports this.
> btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do this for you too.
> Sami
> On 03.06.2016 16:00, KT Walrus wrote:
> > btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do this for you too.
> I want to do authentication using the IP that the IMAP client used to connect to the IMAP server. That is, I have 50 IPs, one for each state my users live in, so the users can only connect to the IMAP server using the domain name where their account is hosted (e.g., va.example.com for accounts in Virginia or ca.example.com for accounts in California). I figured it was fairly simple to have NGINX listen on the different IPs for the different IMAP servers and do the authentication based on the server IP that was used by the IMAP client and then route the request to the proper Dovecot backend.
> I actually plan on using HAProxy to listen on each of the IPs and then proxy to an NGINX mail proxy listening on different ports (one for each proxied IP). NGINX would then have mail server sections for each port that invokes a PHP script passing in the domain name associated with the port (e.g., va.example.com). The PHP script would then use this domain name along with the user/password supplied by the mail client to do the auth check and backend dovecot server selection.
> The only problem I see with using HAProxy and NGINX mail proxy is I think I will lose the client IP so the Dovecot logs won’t show this IP.
Dovecot supports real IP forwarding with HAProxy.
http://wiki2.dovecot.org/HAProxy
Aki
> Dovecot supports real IP forwarding with HAProxy.
Yes. I was aware of this, but that doesn’t answer my question of how to configure a Dovecot proxy to listen on many IPs/ports and do authentication based on the incoming IP/port. If I could do this without having to run 50 Dovecot proxies (one for each incoming IP/port), I would probably use the HAProxy/Dovecot Proxy solution.
Or is Dovecot proxy light-weight enough to run 100 instances or more on a single cloud VM (limited cores/memory) with an HAProxy front-end?
> On Jun 3, 2016, at 9:14 AM, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
> Dovecot supports real IP forwarding with HAProxy.
> http://wiki2.dovecot.org/HAProxy
> Aki
> Quoting KT Walrus <kevin@my.walr.us>:
> > Dovecot supports real IP forwarding with HAProxy.
> Yes. I was aware of this, but that doesn’t answer my question of how to configure a Dovecot proxy to listen on many IPs/ports and do authentication based on the incoming IP/port. If I could do this without having to run 50 Dovecot proxies (one for each incoming IP/port), I would probably use the HAProxy/Dovecot Proxy solution.
http://wiki.dovecot.org/Variables
%l is local IP, so if your backend auth system knows who is supposed to auth where, then I'd say one instance on all IPs, and use the variable in your auth query.
Rick
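The two suggestions in this thread (Sami's static passdb on the backend so the password is only checked once, and Rick's %l local-IP variable in the proxy's auth query so one Dovecot proxy instance can serve all 50 IPs) fit together in a single Dovecot configuration. The sketch below is an added example, not configuration from the thread or from the Dovecot project; the database name, table and column names (users, userid, local_ip, host), the connect string and the 10.0.0.0/8 network range are assumptions.

```conf
# ===== proxy instance: one Dovecot process bound to all state IPs =====
# dovecot.conf (proxy)
listen = *                          # one instance on every IP, no per-IP process needed

# Accept the PROXY protocol from HAProxy so the real client IP reaches the logs
# (see the HAProxy wiki page Aki linked). Network range is an ASSUMPTION.
haproxy_trusted_networks = 10.0.0.0/8
service imap-login {
  inet_listener imap {
    port = 143
    haproxy = yes
  }
}

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# dovecot-sql.conf.ext (proxy). %u is the login name, %l is the local IP the
# client connected to. The row only matches when the user logs in on the IP of
# the state hostname their account belongs to, so va.example.com users cannot
# authenticate through ca.example.com's address. Returning 'proxy' together
# with 'host' makes this instance verify the password and then proxy the
# session to that backend. Table/column names are ASSUMED.
driver = mysql
connect = host=127.0.0.1 dbname=mail user=dovecot password=CHANGEME
password_query = \
  SELECT password, host, 'Y' AS proxy \
  FROM users \
  WHERE userid = '%u' AND local_ip = '%l'

# ===== backend instance =====
# dovecot.conf (backend). The proxy has already verified the password, so a
# static passdb accepts whatever is presented; user_query still runs to find
# the mailbox location. ASSUMPTION: the backend IMAP port is reachable only
# from the proxy hosts (firewall / private network), otherwise anyone who can
# reach it logs in as any user without a password.
passdb {
  driver = static
  args = nopassword=y
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext   # user_query locates the mailbox
}
```

With this layout the password is checked exactly once, at the proxy, which answers Kevin's original question; the backend's static passdb is only safe if the backends are not directly reachable by mail clients, so the proxy hosts must be the only path to them.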
participants (4): Aki Tuomi, KT Walrus, Rick Romero, Sami Ketola