[Dovecot] Specify auth service for protocols
Hi all,
I'm building a mail system where two machines are functioning both as POP3/IMAP-proxy (using dovecot 1.2.12) and SMTP-server with authentication for outgoing mail. The SMTP-server is postfix with dovecot SASL as authentication backend. User credentials for SMTP auth as well as the mapping from account to final server for the proxy are stored in a MySQL-database which dovecot queries.
As I want the POP3/IMAP-proxy to accept any username and password (as the final POP3/IMAP server takes care of the authentication) the passdb SQL query has the statements "NULL AS password, 'Y' AS nopassword, 'Y' AS proxy" added to the query.
As these additions cannot be used in the SQL query for the auth service used by postfix (as users would be able to authenticate with any password) I have defined a second auth service (auth postfix { ... }) in dovecot.conf which is slightly different; it returns the password hash instead of NULL as password and skips the proxy and nopasswd part.
This works fine on one server, but on the other one the auth services get mixed up and the service defined for postfix (missing password and proxy stuff) is used by the POP3 and IMAP services and vice versa, which breaks the proxying. I've been trying my best to find any difference between the configuration of the two machines, but without result. The configurations are simply copies of each other.
So, to finally arrive at my question: Is there any way to specify which authentication service is to be used by each protocol in dovecot.conf?
Or is the solution instead to rewrite the passdb-query to take the service into account and return 'Y' AS proxy when the service is postfix and 'N' AS proxy when the service is POP3 or IMAP as I then would be able to use only one authentication backend?
Sorry for the lengthy post and thank you in advance!
Regards, Lukas Garberg
On Mon, 2010-09-06 at 16:42 +0200, Lukas Garberg wrote:
> As these additions cannot be used in the SQL query for the auth service used by postfix (as users would be able to authenticate with any password) I have defined a second auth service (auth postfix { ... }) in dovecot.conf which is slightly different; it returns the password hash instead of NULL as password and skips the proxy and nopasswd part.

That won't work. It's pretty much random how it'll behave.

> This works fine on one server, but on the other one the auth services get mixed up and the service defined for postfix (missing password and proxy stuff) is used by the POP3 and IMAP services and vice versa, which breaks the proxying. I've been trying my best to find any difference between the configuration of the two machines, but without result. The configurations are simply copies of each other.

Yeah, it's not even supposed to work the way you want it to work.

> So, to finally arrive at my question: Is there any way to specify which authentication service is to be used by each protocol in dovecot.conf?

With v2.0 you can just put the wanted passdbs into protocol imap/smtp {} sections. With v1.2 you can't do anything like that.

> Or is the solution instead to rewrite the passdb-query to take the service into account and return 'Y' AS proxy when the service is postfix and 'N' AS proxy when the service is POP3 or IMAP as I then would be able to use only one authentication backend?

Yes, that's the only working way with v1.2. Perhaps even something like:

select ..proxy.. where '%s' != 'smtp' and ..etc.. union all select ..auth.. where '%s' = 'smtp' and ..etc..

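Added example, not part of the original thread and not Dovecot's own code: a Python/sqlite3 model of the single service-aware password_query suggested above, checking that an smtp lookup returns the stored hash and never nopassword or proxy. The accounts table, its column names, the sample account and the treatment of a NULL column as an absent field are assumptions.

```python
import sqlite3

# Dovecot-style password_query in the UNION ALL shape suggested above.
# %u = username, %s = service name. Table and column names are hypothetical.
PASSWORD_QUERY = """
SELECT NULL AS password, 'Y' AS nopassword, 'Y' AS proxy, backend_host AS host
  FROM accounts WHERE username = '%u' AND '%s' != 'smtp'
UNION ALL
SELECT password_hash AS password, NULL AS nopassword, NULL AS proxy, NULL AS host
  FROM accounts WHERE username = '%u' AND '%s' = 'smtp'
"""

def make_db():
    """In-memory stand-in for the MySQL table, with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE accounts (username TEXT, password_hash TEXT, backend_host TEXT)")
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
               ("alice@example.org", "{SSHA}constructed-hash", "10.0.0.11"))
    return db

def passdb_lookup(db, user, service):
    """Fields one lookup would hand to the auth process, or None on no match."""
    # Bind the values here; Dovecot itself expands and escapes %u and %s.
    sql = PASSWORD_QUERY.replace("'%u'", ":user").replace("'%s'", ":service")
    rows = db.execute(sql, {"user": user, "service": service}).fetchall()
    if len(rows) != 1:
        return None
    # Assumption of this model: a NULL column counts as an absent field.
    return {k: rows[0][k] for k in rows[0].keys() if rows[0][k] is not None}

def audit(db, user, services=("imap", "pop3", "smtp")):
    """Return the services whose lookup result breaks the intended split."""
    bad = []
    for svc in services:
        f = passdb_lookup(db, user, svc) or {}
        if svc == "smtp":   # SASL for postfix: real hash, never nopassword/proxy
            ok = "password" in f and not (f.keys() & {"nopassword", "proxy"})
        else:               # proxy logins: any password, forwarded to backend
            ok = f.keys() >= {"nopassword", "proxy", "host"}
        if not ok:
            bad.append(svc)
    return bad

if __name__ == "__main__":
    db = make_db()
    for svc in ("imap", "pop3", "smtp"):
        print(svc, passdb_lookup(db, "alice@example.org", svc))
    print("violations:", audit(db, "alice@example.org"))
```

The first branch matches every service name other than smtp, so a SASL client that announces a different service name would also get a nopassword result; naming imap and pop3 explicitly in that branch is the stricter form.
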
On Mon, 2010-09-06 at 15:51 +0100, Timo Sirainen wrote:
> On Mon, 2010-09-06 at 16:42 +0200, Lukas Garberg wrote:
> > As these additions cannot be used in the SQL query for the auth service used by postfix (as users would be able to authenticate with any password) I have defined a second auth service (auth postfix { ... }) in dovecot.conf which is slightly different; it returns the password hash instead of NULL as password and skips the proxy and nopasswd part.
>
> That won't work. It's pretty much random how it'll behave.
>
> > This works fine on one server, but on the other one the auth services get mixed up and the service defined for postfix (missing password and proxy stuff) is used by the POP3 and IMAP services and vice versa, which breaks the proxying. I've been trying my best to find any difference between the configuration of the two machines, but without result. The configurations are simply copies of each other.
>
> Yeah, it's not even supposed to work the way you want it to work.
>
> > So, to finally arrive at my question: Is there any way to specify which authentication service is to be used by each protocol in dovecot.conf?
>
> With v2.0 you can just put the wanted passdbs into protocol imap/smtp {} sections. With v1.2 you can't do anything like that.
>
> > Or is the solution instead to rewrite the passdb-query to take the service into account and return 'Y' AS proxy when the service is postfix and 'N' AS proxy when the service is POP3 or IMAP as I then would be able to use only one authentication backend?
>
> Yes, that's the only working way with v1.2. Perhaps even something like:
>
> select ..proxy.. where '%s' != 'smtp' and ..etc.. union all select ..auth.. where '%s' = 'smtp' and ..etc..

Thank you for the quick answer!
I'll go for the upgrade to v2.0.
Regards, Lukas Garberg