[Dovecot] appending domain based on port
I am looking for a way to append a domain to unqualified user names based on the port that the client connected to. Like this:
port 9110 - @test.com port 9111 - @other.com port 9112 - @third.com
it looks like auth-default-realm does this, but you can only specify it once for the whole process.
I know I could do this by running a separate copy of dovecot attached to each port in question, but I would like to do it all in one process if possible.
Other questions I have, if I use the auth-default-realm:
- does it happen before auth lookup I assume?
- do I have to define the domain i use here as an auth-realm in addition to default?
On Mon, 2008-01-28 at 12:11 -0500, Eric Hester wrote:
I am looking for a way to append a domain to unqualified user names based on the port that the client connected to. Like this:
port 9110 - @test.com port 9111 - @other.com port 9112 - @third.com
it looks like auth-default-realm does this, but you can only specify it once for the whole process.
I know I could do this by running a separate copy of dovecot attached to each port in question, but I would like to do it all in one process if possible.
What passdb do you use? This would be possible with SQL and checkpassword passdbs at least. You can get the local port from %l variable.
Other questions I have, if I use the auth-default-realm:
- does it happen before auth lookup I assume?
Yes.
- do I have to define the domain i use here as an auth-realm in addition to default?
No.
I use sql for my passwd db. So are you saying use some kind of conditional in my select that checks for @ in the username and if not found appends the domain based on the %l variable (using something like a join to a table that has port to domain mappings). Interesting. Im worried that might add significant load to the sql server though. This is a fairly large install. (300,000+ boxes).
On Thu, Jan 31, 2008 at 9:43 AM, Timo Sirainen tss@iki.fi wrote:
On Mon, 2008-01-28 at 12:11 -0500, Eric Hester wrote:
I am looking for a way to append a domain to unqualified user names based on the port that the client connected to. Like this:
port 9110 - @test.com port 9111 - @other.com port 9112 - @third.com
it looks like auth-default-realm does this, but you can only specify it once for the whole process.
I know I could do this by running a separate copy of dovecot attached to each port in question, but I would like to do it all in one process if possible.
What passdb do you use? This would be possible with SQL and checkpassword passdbs at least. You can get the local port from %l variable.
Other questions I have, if I use the auth-default-realm:
- does it happen before auth lookup I assume?
Yes.
- do I have to define the domain i use here as an auth-realm in addition to default?
No.
On Thu, 2008-01-31 at 10:32 -0500, Eric Hester wrote:
I use sql for my passwd db. So are you saying use some kind of conditional in my select that checks for @ in the username and if not found appends the domain based on the %l variable (using something like a join to a table that has port to domain mappings). Interesting.
Exactly. The "checks for @ in username" part could be done easily by checking if '%d' = ''.
Im worried that might add significant load to the sql server though. This is a fairly large install. (300,000+ boxes).
If there are only a few ports, you could use a CASE instead of a table join. But I'd think both of them could be done quickly by the SQL server. It's still a pretty simple query.
I got this working using %l for the ip, but I'd really rather do multiple ports so I don't have to have 4 ips on 16 different machines. I was trying to use the new 1.1 %a variable as the local port in my query but it seems to always return 0 in 1.1beta14, does this variable not work yet?
On Jan 31, 2008 10:42 AM, Timo Sirainen tss@iki.fi wrote:
On Thu, 2008-01-31 at 10:32 -0500, Eric Hester wrote:
I use sql for my passwd db. So are you saying use some kind of conditional in my select that checks for @ in the username and if not found appends the domain based on the %l variable (using something like a join to a table that has port to domain mappings). Interesting.
Exactly. The "checks for @ in username" part could be done easily by checking if '%d' = ''.
Im worried that might add significant load to the sql server though. This is a fairly large install. (300,000+ boxes).
If there are only a few ports, you could use a CASE instead of a table join. But I'd think both of them could be done quickly by the SQL server. It's still a pretty simple query.
On Sun, 2008-02-03 at 17:25 -0500, Eric Hester wrote:
I got this working using %l for the ip, but I'd really rather do multiple ports so I don't have to have 4 ips on 16 different machines.
Oh, somehow I wasn't thinking and thought %l was the same as port :)
I was trying to use the new 1.1 %a variable as the local port in my query but it seems to always return 0 in 1.1beta14, does this variable not work yet?
This should fix it: http://hg.dovecot.org/dovecot/rev/83fb5f84a270
Any chance of getting multiple ports per protocol in 1.1 or is that a major undertaking?
On Feb 4, 2008 4:23 AM, Timo Sirainen tss@iki.fi wrote:
On Sun, 2008-02-03 at 17:25 -0500, Eric Hester wrote:
I got this working using %l for the ip, but I'd really rather do multiple ports so I don't have to have 4 ips on 16 different machines.
Oh, somehow I wasn't thinking and thought %l was the same as port :)
I was trying to use the new 1.1 %a variable as the local port in my query but it seems to always return 0 in 1.1beta14, does this variable not work yet?
This should fix it: http://hg.dovecot.org/dovecot/rev/83fb5f84a270
Sorry, now that I reread the comment for listen I see it says space separated list. I'm not sure this is clear to everyone that it can be used to listen on multiple ports as there are wiki pages showing how to use iptables to get additional ports: http://wiki.dovecot.org/Iptables
The patch worked for %a perfectly. I also had to start returning nopassword in my passdb query, but I am now up and working. Now I just have to do some testing on 1.1 to make sure I am comfortable running it in production over 1.0.10 which I currently have.
If anyone cares here is my query.. it is a little complex because I use it to lookup against two tables and use the first match : a table called proxymap to proxy the user offsite if they havent been migrated yet, and a @mail sql user db if the user is local. the union makes it so all I have to do is delete the user from proxymap when they are migrated and they stop proxying.
#proxymap and atmail query (if entry is in proxy map it wins out over atmail tables) password_query = SELECT '3000' AS userdb_uid, '3000' AS userdb_gid, proxymap.user AS user, NULL as password, host, 'Y' as proxy, 'Y' as nologin, 'Y' as nodelay, 'Y' as nopassword, NULL as userdb_home, NULL as quota from proxymap where proxymap.user = IF(INSTR('%u','@')=0,CONCAT('%u','@',(select domain from portdomainmap where port='%a')),'%u') UNION SELECT '3000' AS userdb_uid, '3000' AS userdb_gid, UserSession.Account AS user, MD5(UserSession.Password) AS password, NULL as host, NULL as proxy, NULL as nologin, NULL as nodelay, NULL as nopassword, Users.Maildir as userdb_home, CONCAT('maildir:storage=',Users.UserQuota) as userdb_quota FROM Users,UserSession where UserSession.Account = Users.Account and UserSession.Account = IF(INSTR('%u','@')=0,CONCAT('%u','@',(select domain from portdomainmap where port='%a')),'%u') limit 1;
#atmail compatible query for delivery agent user_query = SELECT '3000' AS uid, '3000' AS gid, Users.Maildir as home FROM Users,UserSession where UserSession.Account = Users.Account and UserSession.Account = '%u'
On Feb 4, 2008 11:54 AM, Timo Sirainen tss@iki.fi wrote:
On Mon, 2008-02-04 at 11:40 -0500, Eric Hester wrote:
Any chance of getting multiple ports per protocol in 1.1 or is that a major undertaking?
It should already work:
listen = *:143 *:144 *:145
On Mon, 2008-02-04 at 12:54 -0500, Eric Hester wrote:
Sorry, now that I reread the comment for listen I see it says space separated list. I'm not sure this is clear to everyone that it can be used to listen on multiple ports as there are wiki pages showing how to use iptables to get additional ports: http://wiki.dovecot.org/Iptables
Added a note about it working in v1.1. Maybe some of the examples in the config file could also show multiple IPs and/or ports.
The patch worked for %a perfectly. I also had to start returning nopassword in my passdb query, but I am now up and working. Now I just have to do some testing on 1.1 to make sure I am comfortable running it in production over 1.0.10 which I currently have.
I think beta14 should work quite well. I've since then done a bit larger change in hg that seems to cause hangs (but fixes another rare problem). Hopefully that gets resolved soon (I can't reproduce it myself).
participants (2)
-
Eric Hester
-
Timo Sirainen