[Dovecot] IMAP proxying for ALL users to internal mail server
Hi!
How must I adjust Dovecot for proxying all users from the Internet to the internal Exchange Mail Server?
These are my config files (most important):
dovecot.conf
protocol imap {
  #listen = *:10143
  ssl_listen = 194.0.148.10:993
}
auth default {
  mechanisms = plain login
  passdb passwd-file {
    args = /usr/local/etc/dovecot-%Ls.conf
  }
}
dovecot-imap.conf
testmail1@example.org::0:0::::proxy host=10.0.10.3 port=143 nopassword
With this configuration everything works fine, but if I try changing dovecot-imap.conf as below
%n@%d::0:0::::proxy host=10.0.10.3 port=143 nopassword
I get an error:
Oct 2 15:10:58 relay dovecot: auth(default): client in: AUTH 1 PLAIN service=imap secured lip=199.10.149.10 rip=199.10.149.3 lport=993 rport=28316 resp=<hidden>
Oct 2 15:10:58 relay dovecot: auth(default): passwd-file(testmail1@example.org,199.10.149.3): lookup: user=testmail1@example.org file=/usr/local/etc/dovecot-imap.conf
Oct 2 15:10:58 relay dovecot: auth(default): passwd-file(testmail1@example.org,199.10.149.3): unknown user
Oct 2 15:10:59 relay dovecot: auth(default): new auth connection: pid=62532
Oct 2 15:11:00 relay dovecot: auth(default): client out: FAIL 1 user=testmail1@example.org
Any ideas??
On 10/2/2009 8:14 AM, Vitaliy Vladimirovich wrote:
> How must I adjust Dovecot for proxying all users from the Internet to the internal Exchange Mail Server?
Is this even a supported configuration? I've never heard of anyone doing this.
Dovecot proxy is intended to act as a proxy between multiple *dovecot* servers...
But, I'll be interested to hear Timo's response, if this might actually work...
--
Best regards,
Charles
--- Original Message ---
From: Charles Marcus <CMarcus@Media-Brokers.com>
To: Vitaliy Vladimirovich <artemrts@ukr.net>
Date: 2 October, 15:20:18
Subject: Re: [Dovecot] IMAP proxying for ALL users to internal mail server
On 10/2/2009 8:14 AM, Vitaliy Vladimirovich wrote:
> > How must I adjust Dovecot for proxying all users from the Internet to
> > the internal Exchange Mail Server?
> Is this even a supported configuration? I've never heard of anyone doing
> this.
Why not?
From dovecot WIKI:
The destination servers don't need to be running Dovecot, but you should make sure that the Dovecot proxy doesn't advertise more capabilities than the destination server can handle. For IMAP you can do this by changing imap_capability setting. For POP3 you'll have to modify Dovecot's sources for now ( src/pop3/capability.h). v1.2.rc4+ automatically sends updated untagged CAPABILITY reply if it detects that the remote server has different capabilities than what it already advertised to the client. Note that some clients simply ignore the updated CAPABILITY reply.
> Dovecot proxy is intended to act as a proxy between multiple *dovecot*
> servers...
> But, I'll be interested to hear Timo's response, if this might actually
> work...
> --
> Best regards,
> Charles
On 10/2/2009, Vitaliy Vladimirovich (artemrts@ukr.net) wrote:
> > Is this even a supported configuration? I've never heard of anyone doing
> > this.
> Why not? From dovecot WIKI:
> The destination servers don't need to be running Dovecot,
I stand corrected... I've never used the proxy feature, so had never read the wiki on it...
Good to know though... thx...
--
Best regards,
Charles
--- Original Message ---
From: Timo Sirainen <tss@iki.fi>
To: "Vitaliy Vladimirovich" <artemrts@ukr.net>
Date: 2 October, 15:25:19
Subject: Re: [Dovecot] IMAP proxying for ALL users to internal mail server
On Oct 2, 2009, at 8:14 AM, Vitaliy Vladimirovich wrote:
> > How must I adjust Dovecot for proxying all users from the
> > Internet to the internal Exchange Mail Server?
> To only a single Exchange server? Why would you need Dovecot proxy at
> all there? Just use whatever dummy TCP proxy.
Yes, to only a single one.
I am trying to configure SMTP AUTH (Postfix+Dovecot SASL with Active Directory user accounts) and IMAP proxying to Exchange.
So now my problem is in IMAP proxying.
SMTP auth separately works fine.
On Oct 2, 2009, at 8:39 AM, Vitaliy Vladimirovich wrote:
> > > How must I adjust Dovecot for proxying all users from the Internet to the internal Exchange Mail Server?
> > To only a single Exchange server? Why would you need Dovecot proxy at all there? Just use whatever dummy TCP proxy.
> Yes, to only a single one.
> I am trying to configure SMTP AUTH (Postfix+Dovecot SASL with
> Active Directory user accounts) and IMAP proxying to Exchange.
> So now my problem is in IMAP proxying.
> SMTP auth separately works fine.
That still doesn't answer my question. It doesn't sound like you need
IMAP proxying. It sounds like you just need TCP connection forwarding.
--- Original Message ---
From: Timo Sirainen <tss@iki.fi>
To: Vitaliy Vladimirovich <artemrts@ukr.net>
Date: 2 October, 15:42:40
Subject: Re: [Dovecot] IMAP proxying for ALL users to internal mail server
On Oct 2, 2009, at 8:39 AM, Vitaliy Vladimirovich wrote:
> > > > How must I adjust Dovecot for proxying all users from the
> > > > Internet to the internal Exchange Mail Server?
> > > To only a single Exchange server? Why would you need Dovecot proxy at
> > > all there? Just use whatever dummy TCP proxy.
> > Yes, to only a single one.
> > I am trying to configure SMTP AUTH (Postfix+Dovecot SASL with
> > Active Directory user accounts) and IMAP proxying to Exchange.
> > So now my problem is in IMAP proxying.
> > SMTP auth separately works fine.
> That still doesn't answer my question. It doesn't sound like you need
> IMAP proxying. It sounds like you just need TCP connection forwarding.
You're right. TCP connection forwarding I can do with PF, but I think IMAP proxying is more secure.
On Oct 2, 2009, at 8:47 AM, Vitaliy Vladimirovich wrote:
> > That still doesn't answer my question. It doesn't sound like you need IMAP proxying. It sounds like you just need TCP connection forwarding.
> You're right. TCP connection forwarding I can do with PF, but
> I think IMAP proxying is more secure.
The only thing that could make it more secure is if you trust that
Dovecot is more secure before login than Exchange is. Could be true of
course. :)
So if you really want Dovecot to be there, you need to use either SQL
(e.g. SQLite) or checkpassword passdb. Others can't just accept all
users without explicitly listing all of them. With SQL you could do
something like:
password_query = select '%u' as user, 'y' as nopassword, 'y' as proxy, '1.2.3.4' as host
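The checkpassword alternative mentioned in this message, as an added example that is not part of the thread: a script that accepts any sanely formed username and returns the same proxy fields as the poster's passwd-file line. It assumes Dovecot's checkpassword interface (username and password NUL-separated on fd 3, extra fields exported and named in EXTRA, reply binary passed as the arguments); the function name and the username character check are additions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): checkpassword passdb script that
# proxies every user to one backend, like the passwd-file line
#   user::0:0::::proxy host=10.0.10.3 port=143 nopassword
# Assumed interface: Dovecot's checkpassword passdb hands over
# "username\0password\0" on fd 3 and passes the reply binary as "$@".
BACKEND_HOST=10.0.10.3   # backend host and port as given in the thread
BACKEND_PORT=143

checkpassword_proxy() {   # hypothetical helper name
    # Split the NUL-separated fields into lines and keep the first one.
    # A newline embedded in the input becomes '?', which the check
    # below rejects, so a name cannot be silently truncated.
    user=$(tr '\n\0' '?\n' <&3 | sed -n 1p)

    # The password is never checked here (nopassword): the backend
    # authenticates. Still refuse empty names and anything outside a
    # conservative character set before it reaches logs or the backend.
    case $user in
        ''|*[!A-Za-z0-9@._-]*) return 1 ;;   # 1 = authentication failed
    esac

    # Extra fields travel as environment variables listed in EXTRA.
    env USER="$user" proxy=Y nopassword=Y \
        host="$BACKEND_HOST" port="$BACKEND_PORT" \
        EXTRA='proxy nopassword host port' "$@"
}

# Run only when Dovecot supplied the reply binary as arguments.
if [ "$#" -gt 0 ]; then
    checkpassword_proxy "$@"
    exit $?
fi
```

Because `nopassword` is returned, the proxy itself accepts any password; the login only succeeds if the backend accepts the credentials Dovecot forwards to it.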
Quoting Timo Sirainen <tss@iki.fi>:
> So if you really want Dovecot to be there, you need to use either
> SQL (e.g. SQLite) or checkpassword passdb. Others can't just accept
> all users without explicitly listing all of them. With SQL you could
> do something like:
Why not ldap authentication off the MS AD?
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
This message is provided "AS IS" without warranty of any kind, either expressed or implied. Use this message at your own risk.
On Oct 2, 2009, at 11:11 AM, Eric Jon Rostetter wrote:
> Quoting Timo Sirainen <tss@iki.fi>:
> > So if you really want Dovecot to be there, you need to use either
> > SQL (e.g. SQLite) or checkpassword passdb. Others can't just accept
> > all users without explicitly listing all of them. With SQL you
> > could do something like:
> Why not ldap authentication off the MS AD?
I guess that'd work too if proxy has access to AD.