[Dovecot] Dovecot 2 + Director: IMAP+GSSAPI and LMTP-proxying
Hi all,
I have a setup of some nodes running Dovecot 2.0.13 and Postfix 2.5.6 with storage in NFS and authentication happening with PAM.
Poking around in the wiki, I tried out different possibilities but now I am stuck -- and are hoping for your (enlightening) comments and tips.
My planned setup for IMAP and LMTP is like this:
IMAP
A loadbalancer directs new sessions to a Dovecot-Director instance; this extra amount of traffic routing is mostly done for automatic handling in case of a failing Director node; this works fine, the same IP will end always on the same backend, but user-based Directory proxying seems more appropriate, especially taking the NFS-setup and the delivery process into account
Then the Director decides where to direct the user's session; this works fine when I let the backend servers do the authentication work
The backend Dovecot server will happily provide the user's e-mail
For now my section for the passdb in the Director instance is
passdb { driver = static args = proxy=y nopassword=y }
So the backend will do the authentication of the session. But this setup inhibits using Kerberos, as the TGT is not forwarded to the backend server.
I would very much like to provide GSSAPI/Kerberos authentication, which already works fine with the backend servers being directly connected by mail clients. The backend servers are using the PAM driver.
I could not figure out, how to setup the passdb entry for the director instance to use PAM (this way enabling GSSAPI/Kerberos) and also giving back the necessary "proxy=y" to make director proxying the IMAP session.
Is this setup feasible at all?
LMTP
Postfix accepts incoming e-mail and decides, which e-mail will go the LMTP-way to be deliverd into a Dovecot mailbox with something like
virtual_transport = lmtp:inet:DOVECOT-DIRECTORS-IP:LMTP-PORT-ABC
the Dovecot Director instance accepts the LMTP connections and will proxy this to the appropriate==user's current backend server
For now Postfix delivers e-mails using LMTP to the _backend_ w/o proxying and everything like SIEVE-filtering works fine:
virtual_transport = lmtp:inet:DOVECOT-BACKENDS-IP:LMTP-PORT-XYZ
But when I use the Director's IP/Port combination for LMTP, I see an error "554 5.4.6 <the@addr.ess> Proxying loops to itself".
Where may I specify the port number of the backend server's LMTP-port? I suspect that the missing port number implies that the receiving LMTP-backend server uses the same port and so this would lead to a loop, hence the loop error?!
I browsed the Wiki and the archives but still cannot find the information I am looking for.
Any hints on that?
Cheers, Dirk
And here's the director.conf (via doveconf -n):
# 2.0.13: /dovecot/code/etc/dovecot-director/director.conf # OS: SunOS 5.10 sun4v auth_debug = yes auth_verbose = yes base_dir = /var/run/director/ debug_log_path = /var/adm/dovecot-director.debug director_mail_servers = <LOCAL-BACKEND-IP> director_servers = <PUBLIC-DIRECTOR-IP> lmtp_proxy = yes login_greeting = Dovecot Director ready. mail_debug = yes managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
passdb { args = proxy=y nopassword=y driver = static }
protocols = imap lmtp
service auth-worker { user = root }
service auth { client_limit = 6000 unix_listener auth-userdb { mode = 0644 user = vmail } }
service director { fifo_listener login/proxy-notify { mode = 0666 } inet_listener { port = 9090 } unix_listener director-userdb { mode = 0600 } unix_listener login/director { mode = 0666 } }
service imap-login { executable = imap-login director inet_listener imap { port = 10143 } inet_listener imaps { port = 10993 ssl = yes } process_min_avail = 1 }
service imap { process_limit = 1024 }
service lmtp { inet_listener lmtp { address = <LOCAL-DIRECTOR-IP> port = 24242 } }
ssl_cert = </dovecot/code/dovecot-homedir/dovecot.crt ssl_key = </dovecot/code/dovecot-homedir/dovecot.key
syslog_facility = local0
protocol lmtp { auth_socket_path = director-userdb }
-- Dirk Jahnke-Zumbusch Deutsches Elektronen-Synchrotron DESY IT Information Fabrics Member of the Helmholtz Association D-22603 Hamburg Notkestrasse 85 / 22607 Hamburg T: +49-40-899.81760 F: +49-40-899.41760 dirk.jahnke-zumbusch@desy.de
Hi again,
minutes after posting I found something for my LMTP-question:
Where may I specify the port number of the backend server's LMTP-port? I suspect that the missing port number implies that the receiving LMTP-backend server uses the same port and so this would lead to a loop, hence the loop error?!
Just add "port=<backends LMTP port number>" in the passdb section like:
passdb { args = proxy=y nopassword=y port=25252 driver = static }
So I am worrying about the IMAP+GSSAPI part...
Cheers, Dirk
-- Dirk Jahnke-Zumbusch Deutsches Elektronen-Synchrotron DESY IT Information Fabrics Member of the Helmholtz Association D-22603 Hamburg Notkestrasse 85 / 22607 Hamburg T: +49-40-899.81760 F: +49-40-899.41760 dirk.jahnke-zumbusch@desy.de
On Wed, 2011-06-01 at 11:25 +0200, Jahnke-Zumbusch, Dirk wrote:
For now my section for the passdb in the Director instance is
passdb { driver = static args = proxy=y nopassword=y }
So the backend will do the authentication of the session. But this setup inhibits using Kerberos, as the TGT is not forwarded to the backend server.
Right..
I would very much like to provide GSSAPI/Kerberos authentication, which already works fine with the backend servers being directly connected by mail clients. The backend servers are using the PAM driver.
I could not figure out, how to setup the passdb entry for the director instance to use PAM (this way enabling GSSAPI/Kerberos) and also giving back the necessary "proxy=y" to make director proxying the IMAP session.
PAM doesn't enable clients to use GSSAPI/Kerberos authentication. The client would still be doing a plaintext user+password authentication. So I don't think using PAM+Kerberos on director is useful for anything.
For real Kerberos auth you'd need to use Dovecot's own GSSAPI authentication. But yeah, there's currently no way to return proxy=y from GSSAPI either, because it doesn't use any passdb..
participants (3)
-
Dirk Jahnke-Zumbusch
-
Jahnke-Zumbusch, Dirk
-
Timo Sirainen