Using a separate passdb per service
Situation: one front-facing server running Dovecot as IMAP/POP3/ManageSieve proxy, a mixture of IMAP servers (Dovecot, Exchange, ...) in the back-end. Dovecot's passdb does lookups against MySQL which contains a simple user/host mapping, the actual authentication happens on the back-end IMAP servers. The configuration is more or less as described here: http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
Now I would like to add a Postfix instance on the front-facing server which listens on the submission port and authenticates users via SASL using the local Dovecot's UNIX socket. The idea being that a user only needs to remember one single hostname, one username and one password for all mail-related services.
The problem is that Dovecot is operating in proxy mode, which means that the password_query returns NULL as the password and explicitly returns a field "nopasswd" containing "Y". Thus, users can not authenticate against the UNIX socket.
What I think I want to do is convince Dovecot to use one passdb for the imap/pop3/managesieve services and a different one for the "auth" service.
The configuration snippet below doesn't work, but it should illustrate what I want to achieve:
protocols = imap pop3 sieve

service auth {
  passdb sql {
    driver = sql
    args = /etc/dovecot/mysql-auth-sasl.conf.ext
  }
  unix_listener /var/spool/postfix/private/auth {
    user = postfix
    group = postfix
    mode = 0666
  }
}

# IMAP/POP3/ManageSieve auth against MySQL
passdb sql {
  driver = sql
  args = /etc/dovecot/mysql-auth-default.conf.ext
}
Example mysql-auth-sasl.conf.ext:

driver = mysql
connect = host=127.0.0.1 dbname=mail user=mail password=somethingrandom
password_query = SELECT password AS password FROM users WHERE login = '%u'
Example mysql-auth-default.conf.ext:
driver = mysql
connect = host=127.0.0.1 dbname=mail user=mail password=somethingrandom
password_query = SELECT NULL AS password, 'Y' as nopassword, host, 'Y' AS proxy FROM users WHERE login = '%u'
Any pointers?
Gerry
I'm not sure if this would work, but possibly having two separate instances of dovecot with separate configs running may work for you.
http://wiki2.dovecot.org/RunningDovecot
On 08/07/15 11:04, Gerry wrote:
On 08/08/2015 05:57 AM, Edgar Pettijohn wrote:
> I'm not sure if this would work, but possibly having two separate instances of dovecot with separate configs running may work for you.
Hi Edgar,
Thank you for your suggestion.
Yes, that would probably work, but it would be rather fiddly to run two Dovecot instances. I was hoping to be able to do it with just one instance.
Gerry
On Fri, 7 Aug 2015, Gerry wrote:
> The problem is that Dovecot is operating in proxy mode, which means that the password_query returns NULL as the password and explicitly returns a field "nopasswd" containing "Y". Thus, users can not authenticate against the UNIX socket.
> What I think I want to do is convince Dovecot to use one passdb for the imap/pop3/managesieve services and a different one for the "auth" service.
As far as I know, all services use the "auth" in the back.
But you have the "%s" / service variable. You should be able to craft a SQL query that returns NULL & nopasswd=Y if postfix is not querying Dovecot.
I don't know which service name postfix passes to Dovecot, though.
Steffen Kaiser
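Steffen's "%s" idea written out as a single SQL passdb file, as an added example that is not from the thread. It assumes the users table from Gerry's snippets (login, password, host columns) and that Postfix reports its SASL lookups with service name "smtp", which should be confirmed in the auth_debug log before relying on it; the proxied protocols report "imap", "pop3" or "sieve".

```ini
# mysql-auth.conf.ext (added example): one passdb for every service.
# The client-reported service name (%s) decides whether Dovecot checks
# the password locally (Postfix submission) or hands the session to the
# back-end as before (nopassword=Y, proxy=Y, host).
driver = mysql
connect = host=127.0.0.1 dbname=mail user=mail password=somethingrandom

# "smtp" is assumed to be what Postfix passes over the UNIX socket;
# verify with auth_debug = yes. Dovecot ignores extra fields whose value
# is NULL, so the ELSE NULL branches leave nopassword/proxy/host unset
# for the submission case and the real hash is verified on this host.
password_query = \
  SELECT \
    CASE WHEN '%s' = 'smtp' THEN password ELSE NULL END AS password, \
    CASE WHEN '%s' = 'smtp' THEN NULL ELSE 'Y'  END AS nopassword, \
    CASE WHEN '%s' = 'smtp' THEN NULL ELSE 'Y'  END AS proxy, \
    CASE WHEN '%s' = 'smtp' THEN NULL ELSE host END AS host \
  FROM users WHERE login = '%u'
```

Both branches can be exercised without Postfix or a mail client: `doveadm auth test -x service=smtp user password` must fail on a wrong password, while `doveadm auth test -x service=imap user anything` should succeed and show the proxy/host fields.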
On 08/10/2015 09:58 AM, Steffen Kaiser wrote:
> As far as I know, all services use the "auth" in the back.
> But you have the "%s" / service variable. You should be able to craft a SQL query that returns NULL & nopasswd=Y if postfix is not querying Dovecot.
> I don't know which service name postfix passes to Dovecot, though.
Hmm, that's an interesting idea. I'll explore it further.
Thanks!
Gerry