How to configure dovecot imap to listen on multiple ports?
I need my dovecot imap server to listen on ports 143, 993, and also 30143 and 30993.
What syntax do I use in (I presume) the /etc/dovecot/conf.d/10-master.conf file to do this?
Thanks!
Rick
Am 24.08.2014 um 22:45 schrieb Rick Thomas:
I need my dovecot imap server to listen on ports 143, 993, and also 30143 and 30993.
no idea what that should gain
What syntax do I use in (I presume) the /etc/dovecot/conf.d/10-master.conf file to do this?
but try to duplicate thes settings
(no i don't use "conf.d" directorys anywhere for good reasons)
configure imap-proxy
service imap-login { inet_listener imap { address = * port = 143 } inet_listener imaps { address = * port = 993 } vsz_limit = 64M service_count = 1 process_min_avail = 0 process_limit = 100 }
On Aug 24, 2014, at 1:59 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
Am 24.08.2014 um 22:45 schrieb Rick Thomas:
I need my dovecot imap server to listen on ports 143, 993, and also 30143 and 30993.
no idea what that should gain
I have a dovecot imap server inside a NAT/firewall.
The NAT translates calls to port 30143 and 30993 (not the real ports, but just for example) coming from outside to 143 and 993 inside. So machines outside the NAT that want to talk to the server use ports 30xxx and machines inside the NAT use the regular ports.
Which works fine for machines that are at fixed locations. But a laptop that’s sometimes inside, sometimes outside doesn’t have a fixed port to connect to. For those cases, I’d like the dovecot server to recognize the outside ports on the inside.
What syntax do I use in (I presume) the /etc/dovecot/conf.d/10-master.conf file to do this?
but try to duplicate these settings
(no i don't use "conf.d" directorys anywhere for good reasons)
configure imap-proxy
service imap-login { inet_listener imap { address = * port = 143 } inet_listener imaps { address = * port = 993 } vsz_limit = 64M service_count = 1 process_min_avail = 0 process_limit = 100 }
Can I have multiple “service” clauses for the same service? Each with a different port? Or multiple “inet_listener imap”/“inet_listener imaps” clauses? Or should I have something like this? port = 143,30143
On -10.01.-28163 20:59, Rick Thomas wrote:
But a laptop that’s sometimes inside, sometimes outside doesn’t have a fixed port to connect to. For those cases, I’d like the dovecot server to recognize the outside ports on the inside.
Well, if offering the *exact same* functionality on a second port is all that needs to be done, having the server's host firewall (iptables?) duplicate the NAT on your border firewall for internal accesses should do just fine; no need to majick it into the dovecot config (which opens the possibility of functional differences being introduced unintentionally).
Assuming Red Hat or similar with no conflicting iptables rules (yet),
iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
iptables -t nat -A PREROUTING -p tcp --dport 30yyy -j DNAT --to :993
service iptables save
Regards, J. Bern
*NEU* - NEC IT-Infrastruktur-Produkte im <http://www.linworks-shop.de/>: Server--Storage--Virtualisierung--Management SW--Passion for Performance Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/> Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27 Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202 Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel
On 08/24/2014 05:26 PM, Rick Thomas wrote:
Can I have multiple “service” clauses for the same service? Each with a different port? Or multiple “inet_listener imap”/“inet_listener imaps” clauses? Or should I have something like this? port = 143,30143
This works:
service imap-login { inet_listener imap { port = 143 } inet_listener imap2 { port = 144 } #inet_listener imaps {
port = 993
ssl = yes
#} }
On 08/25/2014 08:26 AM, Jochen Bern wrote:
Well, if offering the*exact same* functionality on a second port is all that needs to be done, having the server's host firewall (iptables?) duplicate the NAT on your border firewall for internal accesses should do just fine; no need to majick it into the dovecot config (which opens the possibility of functional differences being introduced unintentionally).
Assuming Red Hat or similar with no conflicting iptables rules (yet),
iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
iptables -t nat -A PREROUTING -p tcp --dport 30yyy -j DNAT --to :993
service iptables save
Regards, Since you're redirecting to a port on the same host, the following is perhaps more correct:
iptables -t nat -A PREROUTING -p tcp --dport 30143 -j REDIRECT --to-port 143
Thanks! Gedalya and Jochen!
I hadn’t realized I could do that with iptables. I’ll read-up on the documentation.
Rick
On Aug 25, 2014, at 5:38 AM, Gedalya <gedalya@gedalya.net> wrote:
On 08/25/2014 08:26 AM, Jochen Bern wrote:
Well, if offering the*exact same* functionality on a second port is all that needs to be done, having the server's host firewall (iptables?) duplicate the NAT on your border firewall for internal accesses should do just fine; no need to majick it into the dovecot config (which opens the possibility of functional differences being introduced unintentionally).
Assuming Red Hat or similar with no conflicting iptables rules (yet),
iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
iptables -t nat -A PREROUTING -p tcp --dport 30yyy -j DNAT --to :993
service iptables save
Regards, Since you're redirecting to a port on the same host, the following is perhaps more correct:
iptables -t nat -A PREROUTING -p tcp --dport 30143 -j REDIRECT --to-port 143
OK, project for today: Give this a try…
Rick
On Aug 25, 2014, at 5:34 AM, Gedalya <gedalya@gedalya.net> wrote:
On 08/24/2014 05:26 PM, Rick Thomas wrote:
Can I have multiple “service” clauses for the same service? Each with a different port? Or multiple “inet_listener imap”/“inet_listener imaps” clauses? Or should I have something like this? port = 143,30143
This works:
service imap-login { inet_listener imap { port = 143 } inet_listener imap2 { port = 144 } #inet_listener imaps {
port = 993
ssl = yes
#} }
On -10.01.-28163 20:59, Gedalya wrote:
On 08/25/2014 08:26 AM, Jochen Bern wrote:
Assuming Red Hat or similar with no conflicting iptables rules (yet),
iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
Since you're redirecting to a port on the same host, the following is perhaps more correct: iptables -t nat -A PREROUTING -p tcp --dport 30143 -j REDIRECT --to-port 143
The operational word being "perhaps". My approach will break if the server does any forwarding, yours will break if dovecot listens only on a secondary IP address, or at least that's what the manpage I grabbed off a CentOS 6 says:
REDIRECT [...] It redirects the packet to the machine itself by changing the ^^^^^^^^^^^^ destination IP to the primary address of the incoming interface ^^^^^^^^^^^^^^^^^^^^^^#######^^^^^^^^ (locally-generated packets are mapped to the 127.0.0.1 address).
Regards, J. Bern
*NEU* - NEC IT-Infrastruktur-Produkte im <http://www.linworks-shop.de/>: Server--Storage--Virtualisierung--Management SW--Passion for Performance Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/> Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27 Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202 Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel
On 08/25/2014 05:17 PM, Jochen Bern wrote:
On -10.01.-28163 20:59, Gedalya wrote:
On 08/25/2014 08:26 AM, Jochen Bern wrote:
Assuming Red Hat or similar with no conflicting iptables rules (yet),
iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
Since you're redirecting to a port on the same host, the following is perhaps more correct: iptables -t nat -A PREROUTING -p tcp --dport 30143 -j REDIRECT --to-port 143 The operational word being "perhaps". My approach will break if the server does any forwarding, yours will break if dovecot listens only on a secondary IP address, or at least that's what the manpage I grabbed off a CentOS 6 says: That REDIRECT rule can definitely not be used in that exact form if the machine does forwarding. It will make anyone trying to reach port xxxxx on any destination arrive at this IMAP server, unless you add a condition such as -d 192.168.x.x Indeed, if the machine is also a router and dovecot only listens on a specific IP address then you would have to use DNAT to specify the destination IP address and port. Perhaps the use of the word "correct" was wrong, REDIRECT is just typically used in such cases where the machine is anyway not a router so it's kind of a more readable way to say "redirect this traffic from this machine itself to this machine itself", although REDIRECT is generally intended to be used on a router to force traffic _not_ destined for this machine to go to this machine, e.g. setting up a transparent proxy.
So you can say: iptables -t nat -A PREROUTING -p tcp -d 192.168.1.11 --dport 30143 -j REDIRECT --to-port 143 Or: iptables -t nat -A PREROUTING -p tcp -d 192.168.1.11 --dport 30143 -j DNAT --to-destination xx.xx.xx.xx:143
The latter redirects traffic destined to a specific IP address and port, 192.168.1.11:30143, to a specific IP address and port (presumably on the same host, or not..).
REDIRECT [...] It redirects the packet to the machine itself by changing the ^^^^^^^^^^^^ destination IP to the primary address of the incoming interface ^^^^^^^^^^^^^^^^^^^^^^#######^^^^^^^^ (locally-generated packets are mapped to the 127.0.0.1 address). Regards, J. Bern
I'm running Debian Wheezy with Dovecot version 2.1.7. The following works for me:
------------- /etc/dovecot/local.conf ----------- service imap-login { inet_listener imap { #port = 143 } inet_listener imaps { port = 7993 ssl = yes } inet_listener imaps2 { port = 993 ssl = yes }
Number of connections to handle before starting a new process. Typically
the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
Number of processes to always keep waiting for more connections.
#process_min_avail = 0
If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit } ------------- /etc/dovecot/local.conf -----------
Thanks for all the help!
Rick
participants (4)
-
Gedalya
-
Jochen Bern
-
Reindl Harald
-
Rick Thomas