It would look as though the changes have now negatively affected a "normal" user from logging in.

telnet host 143

a login username password

a NO [AUTHENTICATIONFAILED] Authentication failed.

telnet host 143

1 login devteam*masteruser@example.com password

1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST- EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in

What do you think?

Thanks.

On Feb 15 2018, at 3:19 pm, Travis Dolan travis.dolan@gmail.com wrote:

Awesome, thanks for the advice. Using the following now works...

passdb {

driver = static

args = proxy=y password=doesnotmatter

}

Cheers.

On Feb 15 2018, at 2:40 pm, Aki Tuomi aki.tuomi@dovecot.fi wrote:

...

...

On 15 February 2018 at 20:22 Travis Dolan travis.dolan@gmail.com wrote:

Hello,

I have Director setup to proxy requests to backend servers. This works fine
when using "standard" username/passwords.

I am not try to enable the use of the Dovecot Master user through Director
into the backend servers.

a.) username is being sent as masteruser*username
b.) request hits the proxy and authenticates, and then is passed to the
backend servers and fails auth.

\- logs from proxy/Director point of view.

auth: Info:
passwd-file(masteruser,172.31.33.224,master,): Master
user logging in as devteam

imap-login: Info: proxy(devteam): Login failed to backend.servers:143
(master masteruser): [AUTHENTICATIONFAILED] Authentication failed.:
user=<devteam>, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20,
session= l6P+sHyHg>

\- logs from backend server point of view.

imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs):
user=<masterusername>, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99,
session=<O8QN8kNlloXAqEcU>

Proxy/Director Configs (hopefully this is enough)

auth_master_user_separator = *
passdb {
driver = passwd-file
args = /etc/dovecot/conf.d/master-user-password
master = yes
pass = yes
}

passdb {
driver = static
args = proxy=y nopassword=y
}

Please let me know if I can provide any further details.

Thanks in advance.

...

...

You could consider using "master password" instead.

...

...

This works so that you configure proxy to use pass=some_static_password as the password forward, and you can then use static passdb in director, as in

...

...

passdb {
driver = static
args = password=some_static_password ....
}

...

...

This way you don't need to setup master user authentication.

...

...

Aki

Hello Sami,

Thanks for the info. I have the following implemented and working.

I am only using the Director nodes to map users to the same backend server. I perform all auth and message deliver/retrieval on the backend servers.

Director Nodes:

auth_master_user_separator = *

passdb {

driver = passwd-file

args = /etc/dovecot/conf.d/lasso-master-user-password

master = yes

pass = yes

}

passdb {

driver = static

args = proxy=y nopassword=y password=doesnotmatter

}

Backend Nodes:

auth_master_user_separator = *

passdb {

driver = passwd-file

args = /etc/dovecot/conf.d/master-user-password

master = yes

pass = yes

}

passdb {

driver = sql

args = /etc/dovecot/conf.d/sql.conf.ext

}

userdb {

driver = sql

args = /etc/dovecot/conf.d/sql.conf.ext

}

userdb {

driver=prefetch

}

I have read the docs that state configuring Director in this way can expose the service to issues if large amounts of unknown user requests are sent to the Director nodes. I can manage this risk by ensuring proper rate limiting is in place in the load balancers in front of Director nodes.

I would love to hear your thoughts on the configuration.

Thank in advance.

On Feb 16 2018, at 3:02 am, Sami Ketola sami.ketola@dovecot.fi wrote:

...

On 15 Feb 2018, at 22.16, Travis Dolan <travis.dolan@gmail.com> wrote:

...

...

...

...

It would look as though the changes have now negatively affected a "normal" user from logging in.

...

...

...

...

telnet host 143

...

...

a login username password

...

...

...

...

a NO [AUTHENTICATIONFAILED] Authentication failed.

...

...

...

...

telnet host 143

...

...

1 login devteam*masteruser@example.com password

...

...

...

...

1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST- EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in

...

...

...

...

What do you think?

So your director is the first entry point where the end users connect?

in that case your director should have passdb setup that verifies the user password and then

switches the session to use master password when forwarding the connection to backend.

something like this in director:

passdb {

  driver = passwd-file

  args = /data/mail.passwd

  result_success = continue-ok

}

passdb {

  driver = static

  args = pass=masterpassword

  skip = unauthenticated

}

and in backend:

passdb {

  driver = static

  args = password=masterpassword

}

Sami