[Dovecot] Dovecot 2.2. proxy_maybe and twice SSL connections
Hello.
I have two identical hosts.
I have set up replication between the two hosts.
I have
'Y' AS proxy_maybe
in password_query.
password_query returns one of these hosts.
I set these parameters in the dovecot config:
disable_plaintext_auth = yes
ssl = yes
auth_mechanisms = plain login
to enforce the use of encrypted connections by client programs.
When the client connects to host imap2 directly, the connection is encrypted, which is good.
| client | ---- (1) ----> |imap2 (proxy_maybe='y', host = imap2)|
But when the client connects to the other host, both connections (1) and (2) are encrypted:
| client | ---- (1) ----> |imap1 (proxy_maybe='y', host = imap2)| ---- (2) ----> |imap2|
but I need only (1).
How do I get the desired behavior? Is it possible?
On Tue, 2013-02-19 at 12:39 +0400, Evgeny Basov wrote:
> Hello.
> I have two identical hosts.
> I have set up replication between the two hosts.
> I have
> 'Y' AS proxy_maybe
> in password_query.
> password_query returns one of these hosts.
So the user typically goes to the same server, but on failures the query could return another host?
BTW. I'm hoping that at some point in future it would be enough to just set up two A records to DNS and client would connect automatically to the first one that works.
> I set these parameters in the dovecot config:
> disable_plaintext_auth = yes
> ssl = yes
> auth_mechanisms = plain login
> to enforce the use of encrypted connections by client programs.
> When the client connects to host imap2 directly, the connection is encrypted, which is good.
> | client | ---- (1) ----> |imap2 (proxy_maybe='y', host = imap2)|
> But when the client connects to the other host, both connections (1) and (2) are encrypted:
> | client | ---- (1) ----> |imap1 (proxy_maybe='y', host = imap2)| ---- (2) ----> |imap2|
> but I need only (1).
> How do I get the desired behavior? Is it possible?
Set login_trusted_networks so both servers trust each other. SSL isn't required then. Also the client's real IP address gets proxied to logs/etc then.
19.02.2013 12:54, Timo Sirainen wrote:
> Set login_trusted_networks so both servers trust each other. SSL isn't required then. Also the client's real IP address gets proxied to logs/etc then.
With login_trusted_networks I get very strange behavior.
Each of the two servers has an external IP (EIP1 and EIP2) and an internal IP (IIP1 and IIP2). Both listen on all interfaces and are trusted for connections from the internal network:
listen = *, ::
login_trusted_networks = IIP1 IIP2
The client connects to EIP1 and password_query returns
host=IIP2
Server1 proxies to IIP2, but it returns
Error: proxy(...): TTL reached zero - proxies appear to be looping?
I thought the proxy algorithm was as follows:
1. The client connects to the EIP.
2. The query returns IIP1 or IIP2.
3. If one of them is local, then no proxy is needed (direct connection); otherwise, proxy to the remote IP.
As a result we get a configuration with two replicated servers in master-master mode. Replication via SSH will only be available between the remote SSH servers. If one of them fails, then external cluster software (like pacemaker) migrates the EIP and IIP to the live host and everything should be fine. Replication with yourself will not work because the SSH connection fails. When the broken server is repaired, the IPs migrate back and replication succeeds.
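As an added illustration of the routing Evgeny describes (a model written for this page, not Dovecot's own code), the following Python simulates the proxy_maybe decision: each server compares the `host` returned by its own passdb against all of its local addresses (EIP and IIP), serves the login directly on a match, proxies otherwise, and a hop counter turns a misconfiguration into the "TTL reached zero" error instead of an endless proxy chain. The addresses, the hop limit and the divergent-passdb scenario are constructed assumptions.

```python
# Model of proxy_maybe routing as described in the thread; illustration only,
# not Dovecot's code. Each server knows every address it listens on, looks up
# the target host in its own passdb, serves locally when the host is its own,
# and otherwise proxies. A TTL bounds the number of proxy hops.

PROXY_TTL = 4  # hypothetical hop limit; the real Dovecot value is not on the page


class Server:
    def __init__(self, name, addresses, passdb):
        self.name = name
        self.addresses = set(addresses)   # all local IPs, e.g. {EIP1, IIP1}
        self.passdb = passdb              # user -> `host` field from password_query

    def is_local(self, host):
        return host in self.addresses


def route_login(servers, entry_ip, user, ttl=PROXY_TTL):
    """Return (serving server name, proxy hops) or raise on a loop/unknown host."""
    by_ip = {ip: s for s in servers for ip in s.addresses}
    current, hops = by_ip[entry_ip], 0
    while True:
        host = current.passdb[user]             # proxy_maybe='Y', host=<ip>
        if current.is_local(host):
            return current.name, hops           # no proxy needed, direct connection
        if ttl == 0:
            raise RuntimeError("TTL reached zero - proxies appear to be looping?")
        nxt = by_ip.get(host)
        if nxt is None:
            raise RuntimeError("no server owns %s" % host)
        current, ttl, hops = nxt, ttl - 1, hops + 1   # proxy to the remote IP


# Constructed addresses for the two replicated servers in the thread.
EIP1, IIP1, EIP2, IIP2 = "198.51.100.1", "10.0.0.1", "198.51.100.2", "10.0.0.2"


def consistent_cluster():
    # Replicated passdbs agree: user bob lives on IIP2.
    db = {"bob": IIP2}
    return [Server("imap1", {EIP1, IIP1}, db), Server("imap2", {EIP2, IIP2}, db)]


def divergent_cluster():
    # Hypothetical failure: each server's copy of the passdb points at the other.
    return [Server("imap1", {EIP1, IIP1}, {"bob": IIP2}),
            Server("imap2", {EIP2, IIP2}, {"bob": IIP1})]
```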
On 19.2.2013, at 14.09, Evgeny Basov <ya.mwork@yandex.ru> wrote:
> 19.02.2013 12:54, Timo Sirainen wrote:
>> Set login_trusted_networks so both servers trust each other. SSL isn't required then. Also the client's real IP address gets proxied to logs/etc then.
> With login_trusted_networks I get very strange behavior. ... Error: proxy(...): TTL reached zero - proxies appear to be looping?
Fixed: http://hg.dovecot.org/dovecot-2.2/rev/c43fcfa2c4b4 http://hg.dovecot.org/dovecot-2.2/rev/68c9d01ae5d2
At 12PM +0400 on 19/02/13 you (Evgeny Basov) wrote:
> I set these parameters in the dovecot config:
> disable_plaintext_auth = yes
> ssl = yes
> auth_mechanisms = plain login
> <snip>
> But when the client connects to the other host, both connections (1) and (2) are encrypted:
> | client | ---- (1) ----> |imap1 (proxy_maybe='y', host = imap2)| ---- (2) ----> |imap2|
> but I need only (1).
That's not a good idea. SSL is not very much overhead, and trusting your internal networks to the point of having plaintext passwords going over the wire is not very safe.
Ben
participants (3):
- Ben Morrow
- Evgeny Basov
- Timo Sirainen