[Dovecot] proxy, managesieve and ssl?
Hello,
On a dovecot 2.0.14 proxy, I found that proxying managesieve works well when using 'starttls' option in pass_attrs, but does not work when using 'ssl' option. The backend server is also dovecot 2.0.14; when using the ssl option, it reports "no auth attempts" in the logs about managesieve-login, and meanwhile the MUA, Thunderbird with sieve plugin, reports [TRYLATER] account is temporary disabled; no problem when using starttls option on the proxy, all works well.
I would like to use IMAPs, instead of IMAP+STARTTLS, from proxy to backend, and have Managesieve still working. Is this supported?
Thanks,
Nicolas
On 11.1.2012, at 21.01, Nicolas KOWALSKI wrote:
On a dovecot 2.0.14 proxy, I found that proxying managesieve works well when using 'starttls' option in pass_attrs, but does not work when using 'ssl' option. The backend server is also dovecot 2.0.14; when using the ssl option, it reports "no auth attempts" in the logs about managesieve-login, and meanwhile the MUA, Thunderbird with sieve plugin, reports [TRYLATER] account is temporary disabled; no problem when using starttls option on the proxy, all works well.
I would like to use IMAPs, instead of IMAP+STARTTLS, from proxy to backend, and have Managesieve still working. Is this supported?
You'll need to kludge it a little bit. I guess you're using LDAP, since you mentioned pass_attrs?
protocol sieve {
  passdb {
    args = ldap-with-starttls.conf
  }
}
protocol !sieve {
  passdb {
    args = ldap-with-ssl.conf
  }
}
On Wed, Jan 11, 2012 at 10:34:33PM +0200, Timo Sirainen wrote:
On 11.1.2012, at 21.01, Nicolas KOWALSKI wrote:
I would like to use IMAPs, instead of IMAP+STARTTLS, from proxy to backend, and have Managesieve still working. Is this supported?
You'll need to kludge it a little bit. I guess you're using LDAP, since you mentioned pass_attrs?
Yes, I am using LDAP.
protocol sieve {
  passdb {
    args = ldap-with-starttls.conf
  }
}
When just adding the above, it works perfectly, Thanks!
protocol !sieve {
  passdb {
    args = ldap-with-ssl.conf
  }
}
Is this really needed? It looks like it works without it. When using it, I get this error:
Jan 12 09:40:59 imap1 dovecot: auth: Fatal: No passdbs specified in configuration file. PLAIN mechanism needs one
Jan 12 09:40:59 imap1 dovecot: master: Error: service(auth): command startup failed, throttling
-- Nicolas
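A complete proxy-side configuration along the lines Timo suggested, in the form Nicolas confirmed works (global passdb plus a protocol sieve override, without the protocol !sieve block), as an added example that is not from the thread or from the Dovecot project. The file paths, the LDAP server and bind DN, the mailHost attribute and the filter are assumptions; pass_attrs uses the Dovecot 2.x LDAP field syntax, where ldapAttr=field maps an attribute and =field=value sets a constant proxy field.

```conf
# conf.d/10-auth.conf on the proxy (added example; paths are assumed)
auth_mechanisms = plain login

# Default passdb: used by imap and pop3, so the proxy speaks direct SSL
# (imaps/pop3s) to the backend. Keep this global: without any global
# passdb the auth process fails with "No passdbs specified".
passdb {
  driver = ldap
  args = /etc/dovecot/ldap-with-ssl.conf
}

# ManageSieve only: override the LDAP config file so that protocol is
# proxied with STARTTLS on the standard port 4190 instead.
protocol sieve {
  passdb {
    args = /etc/dovecot/ldap-with-starttls.conf
  }
}

# /etc/dovecot/ldap-with-ssl.conf (assumed content)
hosts = ldap.example.net
dn = cn=dovecot,ou=services,dc=example,dc=net
dnpass = CHANGE-ME
auth_bind = yes
base = ou=people,dc=example,dc=net
pass_filter = (&(objectClass=posixAccount)(uid=%u))
# mailHost is an assumed LDAP attribute holding the backend host name.
# proxy=y turns proxying on; ssl=yes starts TLS immediately and verifies
# the backend certificate against ssl_client_ca_dir (set it on the proxy);
# ssl=any-cert would skip that verification.
pass_attrs = uid=user,mailHost=host,=proxy=y,=ssl=yes

# /etc/dovecot/ldap-with-starttls.conf (assumed content): identical LDAP
# settings, only the last proxy field differs so the connection to the
# backend's port 4190 starts in plaintext and upgrades with STARTTLS.
hosts = ldap.example.net
dn = cn=dovecot,ou=services,dc=example,dc=net
dnpass = CHANGE-ME
auth_bind = yes
base = ou=people,dc=example,dc=net
pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,mailHost=host,=proxy=y,=starttls=yes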
On 1/11/2012 8:01 PM, Nicolas KOWALSKI wrote:
Hello,
On a dovecot 2.0.14 proxy, I found that proxying managesieve works well when using 'starttls' option in pass_attrs, but does not work when using 'ssl' option. The backend server is also dovecot 2.0.14; when using the ssl option, it reports "no auth attempts" in the logs about managesieve-login, and meanwhile the MUA, Thunderbird with sieve plugin, reports [TRYLATER] account is temporary disabled; no problem when using starttls option on the proxy, all works well.
I would like to use IMAPs, instead of IMAP+STARTTLS, from proxy to backend, and have Managesieve still working. Is this supported?
Although there is no such thing as a standard sieveS protocol, you can make Dovecot v2.x talk SSL from the start at a ManageSieve socket. Since normally people will not use something like this, it is not available by default.
In conf.d/20-managesieve.conf you can adjust the service definition of ManageSieve as follows:
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieves {
    port = 5190
    ssl = yes
  }
}
This starts the normal protocol on port 4190 and the direct-SSL version on an alternative port. You can also put the ssl=yes directly in the port 4190 listener, as long as no client will have to connect to this server directly (no client will support it).
Regards,
Stephan.
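The backend and proxy halves of Stephan's direct-SSL variant together, as an added example that is not from the thread or from the Dovecot project. The service and listener names, file path and ports are the ones Stephan gives; the LDAP file name, the mailHost attribute and the remaining pass_attrs fields are assumptions. The point it shows is that the proxy must be told the alternative port as well as ssl=yes: a TLS handshake sent to the plaintext port 4190 listener never reaches a ManageSieve greeting, which is what "no auth attempts" on the backend looks like.

```conf
# Backend: conf.d/20-managesieve.conf (added example)
service managesieve-login {
  # Standard ManageSieve (RFC 5804): plaintext greeting, STARTTLS negotiated
  inet_listener sieve {
    port = 4190
  }
  # Non-standard direct-SSL ManageSieve; no client speaks this, so
  # restrict the port to the proxy's address at the firewall
  inet_listener sieves {
    port = 5190
    ssl = yes
  }
}

# Proxy: /etc/dovecot/ldap-with-sieves.conf (assumed file name), selected
# on the proxy with
#   protocol sieve { passdb { args = /etc/dovecot/ldap-with-sieves.conf } }
# Same LDAP settings as the other proxy LDAP files; only pass_attrs differs:
# port=5190 sends ManageSieve to the direct-SSL listener and ssl=yes starts
# TLS immediately (with certificate verification against ssl_client_ca_dir).
pass_attrs = uid=user,mailHost=host,=proxy=y,=port=5190,=ssl=yes
```

To check the backend side, `openssl s_client -connect backend:5190` should print the "IMPLEMENTATION"/"OK" ManageSieve greeting right after the handshake, while on port 4190 the same greeting appears in plaintext and a recent OpenSSL can upgrade with `-starttls sieve`; `doveconf -n` on the proxy confirms which passdb args the sieve protocol ends up with.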
On Wed, Jan 11, 2012 at 10:06:51PM +0100, Stephan Bosch wrote:
On 1/11/2012 8:01 PM, Nicolas KOWALSKI wrote:
I would like to use IMAPs, instead of IMAP+STARTTLS, from proxy to backend, and have Managesieve still working. Is this supported?
Although there is no such thing as a standard sieveS protocol, you can make Dovecot v2.x talk SSL from the start at a ManageSieve socket. Since normally people will not use something like this, it is not available by default.
In conf.d/20-managesieve.conf you can adjust the service definition of ManageSieve as follows:
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  inet_listener sieves {
    port = 5190
    ssl = yes
  }
}
This works well, when using (as Timo wrote) a different ldap pass_attrs for sieve, specifying this specific 5190 port. Thanks for your suggestion.
This starts the normal protocol on port 4190 and the direct-SSL version on an alternative port. You can also put the ssl=yes directly in the port 4190 listener, as long as no client will have to connect to this server directly (no client will support it).
Well, as this is non-standard, I guess I will not use it. I much prefer to stick with what has been RFCed.
-- Nicolas
participants (3)
- Nicolas KOWALSKI
- Stephan Bosch
- Timo Sirainen