custom userdb server, Exim, and proxying
Hi all,
We have Exim using Dovecot for authentication. Dovecot, in turn, consults a custom internal server that answers Dovecot’s userdb queries.
When IMAP connections arrive, for some users we want to forward those connections--without authentication--to an external IMAP server. For these users, we return “proxy_maybe” and “nopassword” in the authn response from our userdb server. This tells Dovecot to proxy the connection to a new server without trying to authenticate.
Exim, though, doesn’t grok “proxy_maybe”, so it just sees “nopassword”. In response, it just skips SMTP authentication entirely.
We could address this if our custom service could know whether the authn is for Exim or not. Exim does send a “service=smtp” in its request to /var/run/dovecot/auth-client, but thus far I don’t see that that’s being passed on to the userdb server.
Is there any way I can configure Dovecot so that our userdb server can detect when it’s Exim doing the authentication? Alternatively we could just authenticate on the proxy (i.e., stop sending “nopassword”), but that will entail a new requirement for passwords to be in sync; ideally we’d like to avoid that.
Any insight from this group would be much appreciated. Thank you!
cheers, -Felipe Gasper
On 28/09/2020 23:46 Felipe Gasper felipe@felipegasper.com wrote:
You can use %s to expand into protocol, which I think in this case would be 'smtp'. See https://doc.dovecot.org/configuration_manual/config_file/config_variables/
Aki
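As an added illustration (not code from either poster's setup): once the userdb lookup passes Dovecot's %s variable through to the backend, the backend can restrict the passwordless "proxy_maybe" answer to services Dovecot actually proxies and fail closed for SMTP. The tab-separated request format, the user list and the set of proxied services are assumptions of this example.

```python
# Added example: decision logic for a custom Dovecot userdb backend.
# Assumes the Dovecot lookup template was extended so each request carries
# the service name from %s, e.g. "user=...\tservice=imap" (constructed format).

# Constructed sample data: users whose IMAP sessions go to an external server.
PROXY_USERS = {
    "alice@example.com": "imap-ext.example.net",
}

# Assumption: only these services are proxied by Dovecot itself. Exim's SMTP
# authentication is not, so "nopassword" there would make Exim skip auth.
PROXIED_SERVICES = {"imap", "pop3"}


def parse_request(line: str) -> dict:
    """Parse a constructed 'key=value' request line into a dict."""
    fields = {}
    for item in line.strip().split("\t"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key] = value
    return fields


def userdb_answer(request: dict) -> dict:
    """Return the userdb fields for one request, keyed on user and service."""
    user = request.get("user", "")
    service = request.get("service")
    target = PROXY_USERS.get(user)
    if target is None:
        # Ordinary user: normal password verification applies.
        return {"user": user}
    if service in PROXIED_SERVICES:
        # Dovecot will proxy this session; no local password check is wanted.
        return {"user": user, "proxy_maybe": "y", "host": target, "nopassword": "y"}
    # SMTP (Exim), or a missing/unknown service: fail closed and require a password.
    return {"user": user}


if __name__ == "__main__":
    for line in ("user=alice@example.com\tservice=imap",
                 "user=alice@example.com\tservice=smtp",
                 "user=alice@example.com"):
        print(line.replace("\t", " "), "->", userdb_answer(parse_request(line)))
```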
participants (2)
- Aki Tuomi
- Felipe Gasper