[Dovecot] dovecot 2.0.13 using LDAP and proxying IMAP4 and POP3 to gmail
Fellow dovecot users/contributors,
I am building a POP3/IMAP4 proxy solution for an enterprise, where users can login with their common username and then they get single sign-on to all kinds of different applications in the backend. Some of these applications are SaaS apps like gmail. For gmail in particular, I want dovecot to solve the following issues for me:
- be an IMAP4/POP3 proxy in the enterprise, proxying client requests to mail.com.
- change both username and password from what's coming in from the client to what's being proxied out to gmail.
- use LDAP for authentication
As a prototype, I implemented #1 and #2 using passwd-files and after a few hours of trial and error, I got it to work and was able to login with "username" and "password" and was proxied through to gmail with "username@gmail.com" and "gmailpassword". Totally awesome.
Now I am stuck porting my working prototype from my laptop and passwd-files to my real lab environment and LDAP. I was able to get the authentication to work but that's about it. I can't get dovecot to do the proxying. I searched the mailing list archives and saw other people having similar issues, but that was almost 4 years ago... The most promising thread similar to my requirements and issues was this one: http://www.dovecot.org/list/dovecot/2007-September/025740.html but it was never fully answered nor did the suggestions given in that thread help me with my issue (but I did follow them).
Here is my current configuration:
dovecot -n
# 2.0.13: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32.36-0.5-default x86_64 SUSE Linux Enterprise Server 11 (x86_64)
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
mail_location = mbox:~/mail:INBOX=/var/mail/%n
passdb {
args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
master = yes
pass = yes
}
passdb {
args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
My ldap configuration is:
cat /usr/local/etc/dovecot/dovecot-ldap.conf.ext |grep -v ^##* |grep .
hosts = 127.0.0.1:389
dn = cn=user,ou=users,o=config
dnpass = password
auth_bind = yes
auth_bind_userdn = cn=%n,ou=users,o=data
ldap_version = 3
base = ou=users,o=data
deref = never
scope = subtree
user_attrs = =home=/var/mail,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = mail=user,userPassword=password,uid=proxy,=ssl=any-cert,city=host,description=pass,cn=nologin
pass_filter = (&(objectClass=posixAccount)(uid=%n))
iterate_filter = (objectClass=posixAccount)
default_pass_scheme = CRYPT
When connecting to dovecot through an IMAP client (evolution in my case) the dovecot log shows:
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: auth client connected (pid=26601)
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=137.65.156.25 rip=164.99.195.4 lport=993 rport=49203 resp=AGFhYmVsbABOMHYzbGwxMjM0NTY=
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: client out: OK 1 user=aabell
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: master in: REQUEST 3762290689 26601 1 e9ff0815dea78591a5437731034c14aa
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): user search: base=ou=users,o=data scope=subtree filter=(&(objectClass=posixAccount)(uid=aabell)) fields=uidNumber,gidNumber
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): result: gidNumber(gid)=1001 uidNumber(uid)=1001
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: master out: USER 3762290689 aabell gid=1001 uid=1001 home=/var/mail
Jul 16 13:32:17 linux-1hen dovecot: imap-login: Login: user=<aabell>, method=PLAIN, rip=164.99.195.4, lip=137.65.156.25, mpid=26604, TLS
It doesn't even seem to be recognizing the extra fields I defined in pass_attrs. So I changed my ldap configuration to:
cat /usr/local/etc/dovecot/dovecot-ldap.conf.ext |grep -v ^##* |grep .
hosts = 127.0.0.1:389
dn = cn=supervisor,ou=sa,o=system
dnpass = n0v3ll123
auth_bind = yes
auth_bind_userdn = cn=%n,ou=users,o=data
ldap_version = 3
base = ou=users,o=data
deref = never
scope = subtree
user_attrs = mail=user,=home=/var/mail,uidNumber=uid,gidNumber=gid,=proxy=y,=ssl=any-cert,=host=209.85.225.109,description=pass,=nologin=y
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
iterate_filter = (objectClass=posixAccount)
default_pass_scheme = CRYPT
This time things looked much better, but still not good enough:
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: auth client connected (pid=26787)
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=137.65.156.25 rip=164.99.195.4 lport=993 rport=57079 resp=AGFhYmVsbABOMHYzbGwxMjM0NTY=
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: client out: OK 1 user=aabell
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: master in: REQUEST 1597898753 26787 1 62fbc34468ae7853209715c05e11ad14
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): user search: base=ou=users,o=data scope=subtree filter=(&(objectClass=posixAccount)(uid=aabell)) fields=mail,uidNumber,gidNumber,description
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: auth(aabell,164.99.195.4): username changed aabell -> vscheuber@gmail.com
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: ldap(vscheuber@gmail.com,164.99.195.4): result: description(pass)=gmailpassword gidNumber(gid)=1001 uidNumber(uid)=1001 mail(user)=vscheuber@gmail.com
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: master out: USER 1597898753 vscheuber@gmail.com pass=gmailpassword gid=1001 uid=1001 home=/var/mail proxy=y ssl=any-cert host=209.85.225.109 nologin=y
Jul 16 13:36:12 linux-1hen dovecot: imap-login: Login: user=<aabell>, method=PLAIN, rip=164.99.195.4, lip=137.65.156.25, mpid=26790, TLS
I thought I'd also post here the log of my working prototype configuration with passwd-files. I would expect the ldap output to look similar in some key areas like proxying, but it doesn't:
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=::1 rip=::1 lport=143 rport=36444 resp=AHZzY2hldWJlcgBwYXNzd29yZA==
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: passwd-file(vscheuber,::1): lookup: user=vscheuber file=/etc/dovecot/users
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: auth(vscheuber,::1): username changed vscheuber -> vscheuber@gmail.com
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: client out: OK 1 user=vscheuber@gmail.com proxy host=209.85.225.109 port=993 ssl=any-cert pass=gmailpassword
Jul 15 15:04:26 vscdevws dovecot: imap-login: proxy(vscheuber@gmail.com): started proxying to 209.85.225.109:993: user=<vscheuber@gmail.com>, method=PLAIN, rip=::1, lip=::1, secured
If you read to this point, I say "thank you!" just for that. Please advise where my misconfiguration could be.
Thank you very much, I appreciate your time and help! Volker
Hi,
I have found the solution to my issues in an old thread:
http://dovecot.markmail.org/search/?q=proxy%20ldap#query:proxy%20ldap+page:1...
auth_bind = yes
auth_bind_userdn = uid=%u,ou=People,dc=unisa,dc=it
If you have both of these enabled, Dovecot completely ignores pass_attrs. So if you want auth binds, you need to disable the auth_bind_userdn setting.
I indeed had both options enabled and thus my pass_attrs did not take effect. Once I removed auth_bind_userdn, the proxying worked as in my passwd-files configuration.
Cheers. Volker
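As an added diagnostic (not from the thread and not part of Dovecot), the script below parses "client out" / "master out" auth-debug lines like the ones quoted above and reports on which channel the proxy fields appeared; the sample lines are constructed to mirror the thread's logs. It makes the failure mode explicit: proxy, host and pass only take effect when the passdb returns them (client out), because the login process never sees the userdb reply (master out).

```python
import re

# Constructed sample lines modelled on the thread's auth_debug output
# (the real log separates fields with tabs; spaces are used here).
SAMPLE_LOG = """\
Jul 16 13:36:12 host dovecot: auth: Debug: client out: OK 1 user=aabell
Jul 16 13:36:12 host dovecot: auth: Debug: master out: USER 1597898753 vscheuber@gmail.com pass=gmailpassword gid=1001 uid=1001 home=/var/mail proxy=y ssl=any-cert host=209.85.225.109 nologin=y
Jul 15 15:04:25 host dovecot: auth: Debug: client out: OK 1 user=vscheuber@gmail.com proxy host=209.85.225.109 port=993 ssl=any-cert pass=gmailpassword
"""

REPLY_RE = re.compile(r"auth: Debug: (client|master) out: (\w+) (\d+) ?(.*)$")


def parse_reply(line):
    """Return (channel, user, fields) for a passdb ('client out') or userdb
    ('master out') reply line, or None for any other line."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    channel, status, _req_id, rest = m.groups()
    tokens = rest.split()
    user = None
    if channel == "master" and status == "USER":
        # userdb reply: USER <id> <username> key=value ...
        user, tokens = tokens[0], tokens[1:]
    fields = {}
    for tok in tokens:
        key, _, val = tok.partition("=")   # bare "proxy" gives val ""
        fields[key] = val
    if user is None:
        user = fields.get("user")
    return channel, user, fields


def proxy_verdict(log_text):
    """For every passdb/userdb reply, say whether it will cause proxying."""
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_reply(line)
        if parsed is None:
            continue
        channel, user, fields = parsed
        if "proxy" in fields and "host" in fields:
            if channel == "client":
                verdict = "proxied"          # login process receives proxy+host
            else:
                verdict = "proxy fields in userdb reply only"  # never reach login
        else:
            verdict = "no proxy fields"
        verdicts.append((user, channel, verdict))
    return verdicts


if __name__ == "__main__":
    for user, channel, verdict in proxy_verdict(SAMPLE_LOG):
        print(f"{channel:6s} {user:25s} {verdict}")
```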
"Volker Scheuber" <vscheuber@novell.com> 7/16/2011 1:46 PM >>>