[Dovecot] proxy_maybe regex
Does anyone know if dovecot supports regex lookups for proxy/proxy_maybe, rather than mysql/ldap etc?
I've been comparing it with perdition to see which one might be better for us to do layer7 username switching.
Perdition supports the ability to not have any auth/db lookups, but rather just a regex file that parses the usernames as they come in and forwards to the particular machine on the same port.
For example:
username:host
^[a-d]: 192.168.xxx.1
^[e-k]: 192.168.xxx.2
and so on...
I didn't think this was supported in dovecot, but I wanted to check first. I think this is going to end up being what we use to avoid NFS problems. It's lightweight, drops into our current setup, and doesn't require a mysql database which adds another point of failure.
--
David Halik
System Administrator
OIT-CSS Rutgers University
dhalik@jla.rutgers.edu
On 1.2.2010, at 22.17, David Halik wrote:
> Does anyone know if dovecot supports regex lookups for proxy/proxy_maybe, rather than mysql/ldap etc?
proxy and proxy_maybe have host name as value, no regex or anything like that.
> username:host
> ^[a-d]: 192.168.xxx.1
> ^[e-k]: 192.168.xxx.2
> and so on...
> I didn't think this was supported in dovecot, but I wanted to check first. I think this is going to end up being what we use to avoid NFS problems. It's lightweight, drops into our current setup, and doesn't require a mysql database which adds another point of failure.
You can use SQLite. You don't even need an actual database. Something like (completely out of my head, no idea how to do it in reality):
password_query = select
(if '%u' regexp '^[a-d]' then '192.168.xxx.1' else
if '%u' regexp '^[e-k]' then '192.168.xxx.2' else
..) as proxy_maybe
Another possibility would be checkpassword scripts, but that forks for each connection.
On 1.2.2010, at 22.33, Timo Sirainen wrote:
> You can use SQLite. You don't even need an actual database. Something like (completely out of my head, no idea how to do it in reality):
> password_query = select
> (if '%u' regexp '^[a-d]' then '192.168.xxx.1' else
> if '%u' regexp '^[e-k]' then '192.168.xxx.2' else
> ..) as proxy_maybe
Oh, v2.0 finally supports DNS lookups too. So you could use:
password_query = select substr('%u', 1, 1) || '.domain.org' as proxy_maybe, ..
and add [a-z].domain.org to DNS.
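As an added example (not from the thread and not Dovecot's own code), here are the two SQLite queries Timo sketches, written as valid SQLite and exercised offline with Python's sqlite3 module so the username-to-host mapping can be checked before it goes into dovecot-sql.conf.ext. It assumes Dovecot's passdb convention of flagging the session with proxy_maybe and carrying the destination in a separate host field, and that Dovecot expands '%u' to the login name before the query is sent; SQLite has no IF/THEN and no built-in REGEXP, so the rules use CASE with GLOB, and since || is SQLite string concatenation (as in the DNS query), a quoted host list such as '... || ...' would reach SQLite as one opaque string.

```python
import sqlite3

# The query as it would appear in dovecot-sql.conf.ext (assumed field names:
# proxy_maybe='y' flags the session, host carries the destination). Dovecot
# expands %u itself; lower() makes the GLOB classes case-insensitive.
REGEX_QUERY = (
    "SELECT 'y' AS proxy_maybe, "
    "CASE WHEN lower('%u') GLOB '[a-d]*' THEN '192.168.xxx.1' "
    "     WHEN lower('%u') GLOB '[e-k]*' THEN '192.168.xxx.2' "
    "END AS host"
)

# The DNS variant from the thread: the first letter of the login name becomes
# a hostname under a constructed domain; || is SQLite string concatenation.
DNS_QUERY = (
    "SELECT 'y' AS proxy_maybe, "
    "substr(lower('%u'), 1, 1) || '.domain.org' AS host"
)


def lookup(query, username):
    """Run a password_query offline, binding the login name where Dovecot
    would have substituted '%u'. Returns the row as a dict; host is None
    when no rule matched, which is the case an ELSE branch should cover."""
    sql = query.replace("'%u'", "?")
    params = (username,) * sql.count("?")
    with sqlite3.connect(":memory:") as db:
        cur = db.execute(sql, params)
        row = cur.fetchone()
        return dict(zip([d[0] for d in cur.description], row))


def sql_conf_fragment(query, db_path="/etc/dovecot/proxy.sqlite"):
    """Render the passdb SQL settings as one-line values for
    dovecot-sql.conf.ext (db_path is a placeholder; the file may stay
    empty because the query reads no table)."""
    return "\n".join([
        "driver = sqlite",
        f"connect = {db_path}",
        f"password_query = {' '.join(query.split())}",
    ])


if __name__ == "__main__":
    # Constructed sample logins: one per rule plus one that matches nothing.
    for user in ("alice", "Eve", "zed"):
        print(user, lookup(REGEX_QUERY, user), lookup(DNS_QUERY, user))
    print(sql_conf_fragment(REGEX_QUERY))
```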
On 02/01/2010 03:34 PM, Timo Sirainen wrote:
> On 1.2.2010, at 22.33, Timo Sirainen wrote:
>> You can use SQLite. You don't even need an actual database. Something like (completely out of my head, no idea how to do it in reality):
>> password_query = select
>> (if '%u' regexp '^[a-d]' then '192.168.xxx.1' else
>> if '%u' regexp '^[e-k]' then '192.168.xxx.2' else
>> ..) as proxy_maybe
Thanks for the suggestions. The reason we were looking at perdition is to avoid MySQL as a single point of failure. The whole reason we run the way we do is that there is no single point of failure, except of course the NetApp NFS server, but if that goes down we have a million other worse problems.
Anyway, I don't think we are going to be able to use perdition after all. I got it going on a test bed only to find out it doesn't support multiple failover servers. So, if user1=serverA, and serverA is down, user1 is out of luck.... user1=serverA,serverB,serverC would be awesome, but I don't think it's supported.
Back to dovecot, actually sqlite might work, because then I don't need a database backend, just a local sqlite regex. The question then being, how would dovecot handle multiple servers? For example:
(if '%u' regexp '^[a-d]' then '192.168.xxx.1 || 192.168.xxx.2 || 192.168.xxx.3' else
if '%u' regexp '^[e-k]' then '192.168.xxx.2 || 192.168.xxx.3 || 192.168.xxx.1' else
..) as proxy_maybe
There are ways of doing this in mysql, with heartbeats etc (which we've discussed before), but then I'm back to mysql again. Maybe mysql just has to be the way to go in this case.
Brad, any more investigation into this?
and I might try to find some time to proof this out over the next few weeks. I liked his idea of storing the user's current server in the database and proxying to that, with fallback to a local connection if they're new or their current server is unavailable.
We're pretty much in the exact same spot. I'm getting pressured into doing something one way or the other since user's mail is still resyncing when they hit the "stale NFS" message.
--
David Halik
System Administrator
OIT-CSS Rutgers University
dhalik@jla.rutgers.edu
On 2.2.2010, at 0.39, David Halik wrote:
> Back to dovecot, actually sqlite might work, because then I don't need a database backend, just a local sqlite regex. The question then being, how would dovecot handle multiple servers? For example:
> (if '%u' regexp '^[a-d]' then '192.168.xxx.1 || 192.168.xxx.2 || 192.168.xxx.3' else
> if '%u' regexp '^[e-k]' then '192.168.xxx.2 || 192.168.xxx.3 || 192.168.xxx.1' else
> ..) as proxy_maybe
> There are ways of doing this in mysql, with heartbeats etc (which we've discussed before), but then I'm back to mysql again. Maybe mysql just has to be the way to go in this case.
Well, continuing my mail about using DNS: You could create a heartbeat that updates DNS records (with low TTL) when it sees that servers are down. Not as good as everything done automated, but maybe easier than making MySQL redundant?
On 2/1/2010 5:47 PM, Timo Sirainen wrote:
> On 2.2.2010, at 0.39, David Halik wrote:
>> Back to dovecot, actually sqlite might work, because then I don't need a database backend, just a local sqlite regex. The question then being, how would dovecot handle multiple servers? For example:
>> (if '%u' regexp '^[a-d]' then '192.168.xxx.1 || 192.168.xxx.2 || 192.168.xxx.3' else
>> if '%u' regexp '^[e-k]' then '192.168.xxx.2 || 192.168.xxx.3 || 192.168.xxx.1' else
>> ..) as proxy_maybe
>> There are ways of doing this in mysql, with heartbeats etc (which we've discussed before), but then I'm back to mysql again. Maybe mysql just has to be the way to go in this case.
> Well, continuing my mail about using DNS: You could create a heartbeat that updates DNS records (with low TTL) when it sees that servers are down. Not as good as everything done automated, but maybe easier than making MySQL redundant?
None of our infrastructure uses "real" DNS. Pretty much all of it is private space that is load balanced through our layer4 using VIPs, which is why I wasn't really active in the DNS discussion. ;) While everything is registered, most are just cnames to the VIP.
I think we're going to have to just go with a mysql database like was discussed in earlier threads, or leave it be completely. One thing I did notice was you discussing that if mysql times out I can have it fall back to regular auth. That might be worth trying...
David,
> There are ways of doing this in mysql, with heartbeats etc (which we've discussed before), but then I'm back to mysql again. Maybe mysql just has to be the way to go in this case.
> Brad, any more investigation into this?
I've been mulling it over in my head, but haven't had a chance to actually build up a test environment and start playing with it yet. I got some other things (Blackboard, for those that can sympathize) dropped in my lap, and that's been consuming the majority of my time.
I do like the possibility of falling back to a local connection if the database goes away. I am curious to see how it behaves if the database is corrupt, database server is down, host is offline, and so on. All that plus figuring out the best schema, queries, cleanup, etc of course ;)
-Brad