Hi everyone,
I have a problem that hopefully has an easy solution.
I am setting up an IMAP proxy in a DMZ network. It will connect to the real IMAP server and authenticate using "driver = imap", and this I have working really nicely.
What I want to do is have it look up a list of users that are allowed to connect through the proxy before proxying the connection, as not all users with an account are permitted to access their email from the internet. I thought that using a post-login script would get me out of trouble, but it isn't possible in a relay configuration.
dovecot.conf

## Dovecot configuration file

mail_uid = dovecot
mail_gid = dovecot

protocols = imap
listen = *, ::

passdb {
  driver = imap
  # IMAP server to authenticate against
  args = host=192.168.1.1
  # IMAP server to connect to for mailbox
  default_fields = proxy=yes host=192.168.1.1
}

userdb {
  driver = prefetch
}

auth_mechanisms = plain login

# This is the auth service used by Postfix to do dovecot auth.
service auth {
  unix_listener auth-userdb {
  }
  inet_listener {
    port = 12345
  }
}

##
## SSL settings
##

# These will need to be adjusted to point to *your* certificates, not mine 8-)
# The ssl_ca line refers to the intermediate certificate bundle which may or may not be required by your SSL provider
ssl_cert = </etc/ssl/certs/mail.domain.com.au.pem
ssl_key = </etc/ssl/private/mail.domain.com.au.key
#ssl_ca = </etc/pki/tls/certs/ca.crt
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
Is it possible to use the backend's passdb on the relay server in your setup?
If you are, for example, using an SQL database as the passdb on the backend, you can access it from the relay server as well. Let's say you have a "relay_enabled" column in the users table; then you can use something like:
select ... from users where user = ... and relay_enabled = true
Users who are not permitted access from the internet will get an authentication failure.
If your passdb can't be shared this way (unix accounts, passwd-file etc.), this won't work of course. Maybe you can try playing around with allow_nets (http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets), possibly combined with login_trusted_networks on the backend.
The idea here is that your relay provides the user's real IP and you use the allow_nets extra field to restrict access to your internal network only. Not sure if this can work though, never tried.
Unfortunately, the requirement for this network is that the only pinhole through the firewall between the main relay and the mail server is IMAP. My thought was to ship a list of valid usernames to the imap relay that are allowed to connect, and that list would be constructed from inside the LAN and shipped to the DMZ via rsync.
I could set the default value of allow_nets and override it, but I am unsure how best to do that in my situation. Maybe if I use a passwd-file on the userdb, but keep the imap driver on the passdb?
aF
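The allowlist-in-front-of-the-imap-passdb idea floated in the reply above, as an added example written for this page and not config from either participant: a passwd-file passdb holding the rsync-shipped username list is consulted first, only listed users fall through to the existing imap passdb, and that passdb still verifies the password against the backend. It assumes Dovecot 2.1 or later (where the result_* passdb settings exist) and an assumed file path /etc/dovecot/relay-allowed.passwd; the usernames are constructed.

```conf
# Added example (not from the thread). The allowlist file is the one
# rsynced in from the LAN, one user per line in passwd-file format, e.g.
#   alice:::::::nopassword=y
#   bob:::::::nopassword=y
# nopassword=y makes an entry match any password, so this passdb only
# answers "is this user on the list", not "is the password right".
passdb {
  driver = passwd-file
  args = /etc/dovecot/relay-allowed.passwd   # assumed path
  # Listed user: leave the auth state as failure and fall through; with
  # continue-fail the next passdb still verifies the password.
  result_success = continue-fail
  # Unlisted user: stop here with an ordinary authentication failure.
  result_failure = return-fail
  # A problem reading the list must not open the proxy to everyone.
  result_internalfail = return-fail
}

# Same as the original relay config: the backend verifies the password
# and a successful login is proxied to it.
passdb {
  driver = imap
  args = host=192.168.1.1
  default_fields = proxy=yes host=192.168.1.1
}

userdb {
  driver = prefetch
}
```

Test both cases after deploying: a listed user with a wrong password must still be rejected by the imap passdb, and an unlisted user must be rejected before the relay ever contacts 192.168.1.1 (visible as no connection from the relay in the backend's logs).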
On 05/05/2014, at 4:24 PM, Jiri Bourek <bourek@thinline.cz> wrote:
participants (2)
- Alex Ferrara
- Jiri Bourek