Dovecot authentication through proxy
Hi everybody,

I run two redundant Dovecot servers with a shared Maildir on a GlusterFS volume and a SQL authentication backend based on a mirrored MariaDB database. Because of the splitbrain situation I would like to add two Dovecot Directors as proxies. For a few days I have been trying to get the setup running. So far I have got the clients to authenticate successfully on the proxy and the client connections are forwarded to the backend servers. Unfortunately I still have the problem that no authentication attempts are made on the backend servers. Can someone explain to me how to solve this problem?

I have read that it is eventually possible to work with Master Users. But I guess that won't work for me, because I use the mailcrypt plugin and the client password is also the password for the encryption key.

Best regards
Daniel

### Proxy Log ###
###############
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth-worker(20760): Debug: sql(***@***.**,192.168.1.100,<sNTHFdOcbeDAqAFk>): Finished passdb lookup
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth-worker(20760): Debug: conn unix:auth-worker (pid=20753,uid=112): auth-worker<1>: Finished
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: sql(***@***.**,192.168.1.100,<sNTHFdOcbeDAqAFk>): username changed ***@***.** -> ***
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: sql(***,192.168.1.100,<sNTHFdOcbeDAqAFk>): username changed *** -> ***@***.**
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: sql(***@***.**,192.168.1.100,<sNTHFdOcbeDAqAFk>): Finished passdb lookup
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: auth(***@***.**,192.168.1.100,<sNTHFdOcbeDAqAFk>): Auth request finished
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: client passdb out: OK#0111#011user=***@***.**#011proxy#011ssl=any-cert#011starttls=any-cert#011lip=192.168.20.49#011lport=993#011pass=<hidden>
Jan 23 19:48:21 vsrv-***-prx01 dovecot: imap-login: Debug: Ignoring unknown passdb extra field: lip
Jan 23 19:48:21 vsrv-***-prx01 dovecot: imap-login: Debug: Ignoring unknown passdb extra field: lport

### Backend Log ###
###################
Jan 23 18:48:51 vsrv-***-mta01 dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=192.168.20.49, lip=192.168.20.28, TLS handshaking: Connection closed, session=<r9yRF9OcZODAqBQx>
Jan 23 18:48:51 vsrv-***-mta01 dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=192.168.20.49, lip=192.168.20.28, TLS handshaking: Connection closed, session=<4C+SF9OcauDAqBQx>
Jan 23 18:48:51 vsrv-***-mta01 dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=192.168.20.49, lip=192.168.20.28, TLS handshaking: Connection closed, session=<KDGSF9OcZuDAqBQx>
Jan 23 18:48:51 vsrv-***-mta01 dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=192.168.20.49, lip=192.168.20.28, TLS handshaking: Connection closed, session=<lwKTF9OcbuDAqBQx>

### Proxy Config ###
####################
# 2.3.9.2 (cf2918cac): /etc/dovecot/dovecot.conf
# OS: Linux 4.15.0-74-generic x86_64 Ubuntu 18.04.3 LTS
# Hostname: vsrv-***-prx01
auth_debug = yes
director_mail_servers = 192.168.20.28 192.168.20.29
director_servers = 192.168.20.49:9090 192.168.20.58:9090
disable_plaintext_auth = no
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
passdb {
  driver = pam
}
protocols = " imap"
service director {
  inet_listener {
    port = 9090
  }
  unix_listener login/director {
    mode = 0666
  }
}
service imap-login {
  executable = imap-login director
}
service pop3-login {
  executable = pop3-login director
}
ssl = required
ssl_cert = </etc/dovecot/private/***-**-fullchain.pem
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kE$
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol lmtp {
  auth_socket_path = director-userdb
}

### Backend Config ###
######################
# 2.3.9.2 (cf2918cac): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.9 (db4e9a2f)
# OS: Linux 4.15.0-72-generic x86_64 Ubuntu 18.04.3 LTS
# Hostname: vsrv-**-mta01.**.**.***.**
auth_debug = yes
auth_mechanisms = plain login
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_fsync = always
mail_gid = vmail
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " notify mail_crypt"
mail_privileged_group = vmail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  mail_crypt_curve = brainpoolP512r1
  mail_crypt_require_encrypted_user_key = # hidden, use -P to show it
  mail_crypt_save_version = 2
  quota = maildir:User quota
  quota_exceeded_message = Benutzer %u hat das Speichervolumen überschritten. / User %u has exhausted allowed storage space.
  sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve
  sieve_before = /var/vmail/sieve/global/spam-global.sieve
  sieve_global_extensions = +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /usr/bin
  sieve_plugins = sieve_imapsieve sieve_extprograms
}
protocols = imap lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0660
    user = vmail
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = vmail
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/******/fullchain.pem
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
protocol imap {
  imap_idle_notify_interval = 29 mins
  mail_max_userip_connections = 20
  mail_plugins = " notify mail_crypt quota imap_quota imap_sieve"
}
protocol lmtp {
  mail_plugins = " notify mail_crypt sieve"
  postmaster_address = postmaster@***.**
}

-- This email was Malware checked by vsrv-dus6-fwl01
On 27 Jan 2020, at 11.56, Daniel Niewerth <daniel@niewerth.it> wrote:
Hi everybody,
I run two redundant Dovecot servers with a shared Maildir on a GlusterFS volume and a SQL authentication backend based on a mirrored MariaDB database. Because of the splitbrain situation I would like to add two Dovecot Directors as proxies.
I would not run on GlusterFS because of bad experiences and index corruption in past experiments.
Can someone explain to me how to solve this problem?
### Proxy Config ###
####################
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
Please show the contents of this file.
passdb {
  driver = pam
}
Please remove this if you are using SQL as the auth db.
Sami
Hi Sami,
thank you for your answer.
I use GlusterFS because the Dovecot replication does not work with the mailcrypt plugin. I will wait and see how reliably it works for me. I have only a very small personal mail server, so it is not really critical if something does not work.
The dovecot-sql.conf has the following content:
driver=mysql
connect = "host=192.168.20.24 dbname=vmail user=*** password=***"
default_pass_scheme = SHA512-CRYPT
password_query = SELECT username AS user, domain, password, '%w' AS userdb_mail_crypt_private_password, 'yes' AS proxy, 'any-cert' AS 'ssl', 'any-cert' AS starttls, 'Y' as nopassword FROM accounts WHERE username = '%n' AND domain = '%d' and enabled = true;
user_query = SELECT concat('*:storage=', quota, 'M') AS quota_rule FROM accounts WHERE username = '%n' AND domain = '%d' AND sendonly = false;
iterate_query = SELECT username, domain FROM accounts where sendonly = false;
Best regards
Daniel
On 28.01.2020 at 07:54, Sami Ketola <sami.ketola@dovecot.fi> wrote:
On 27 Jan 2020, at 11.56, Daniel Niewerth <daniel@niewerth.it> wrote:
Hi everybody,
I run two redundant Dovecot servers with a shared Maildir on a GlusterFS volume and a SQL authentication backend based on a mirrored MariaDB database. Because of the splitbrain situation I would like to add two Dovecot Directors as proxies.
I would not run on GlusterFS because of bad experiences and index corruption in past experiments.
Can someone explain to me how to solve this problem?
### Proxy Config ###
####################
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
Please show the contents of this file.
passdb {
  driver = pam
}
Please remove this if you are using SQL as the auth db.
Sami
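To make the proxy's "client passdb out:" debug line from the first message easier to read during this kind of triage, here is a small Python helper added to this thread (it is neither Daniel's code nor part of Dovecot): it undoes rsyslog's "#011" tab escaping, splits the passdb answer into its extra fields, and summarises the proxy-relevant ones, including the ssl/starttls values that the password_query above returns as 'any-cert'. The sample line is constructed from the thread's log with the masked user and hostname replaced by made-up values.

```python
import re

# Constructed sample, modelled on the proxy's "client passdb out" debug line in
# the thread; the masked user and hostname are replaced with made-up values.
SAMPLE_LINE = (
    "Jan 23 19:48:21 vsrv-prx01 dovecot: auth: Debug: client passdb out: "
    "OK#0111#011user=alice@example.test#011proxy#011ssl=any-cert"
    "#011starttls=any-cert#011lip=192.168.20.49#011lport=993#011pass=<hidden>"
)

def unescape_syslog(text):
    """rsyslog writes control characters as #ooo (octal). Dovecot separates the
    passdb answer's fields with tabs, so '#011' must become a tab before splitting."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)

def parse_passdb_out(line):
    """Parse one 'client passdb out:' line into {'status', 'id', 'fields'}.
    Returns None for any other line. Extra fields without '=' (e.g. 'proxy')
    are stored as True."""
    m = re.search(r"client passdb out: (.*)$", line)
    if m is None:
        return None
    parts = unescape_syslog(m.group(1)).split("\t")
    fields = {}
    for item in parts[2:]:
        key, sep, value = item.partition("=")
        fields[key] = value if sep else True
    return {"status": parts[0], "id": parts[1], "fields": fields}

def review_proxy_fields(fields):
    """Summarise what the login process will do with the answer: whether it
    proxies, which backend host the passdb supplied (None is expected with a
    director, which picks the backend itself), whether the backend certificate
    is verified (only ssl/starttls=yes verify it; any-cert accepts anything)
    and whether the client password ('pass') is forwarded to the backend."""
    tls = fields.get("ssl") or fields.get("starttls")
    return {
        "proxied": "proxy" in fields,
        "backend_host": fields.get("host"),
        "tls_to_backend": tls,
        "backend_cert_verified": tls == "yes",
        "password_forwarded": "pass" in fields,
    }

if __name__ == "__main__":
    parsed = parse_passdb_out(SAMPLE_LINE)
    print(parsed)
    print(review_proxy_fields(parsed["fields"]))
```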