[Dovecot] A new director service in v2.0 for NFS installations

Timo Sirainen tss at iki.fi
Tue Jun 1 02:13:41 EEST 2010


On 31.5.2010, at 23.59, Brandon Davidson wrote:

You need to put the other passdb/userdb to the external IP:

local 1.2.3.4 {
> userdb {
>  driver = passwd
> }
> passdb {
>  driver = sql
>  args = /etc/dovecot/proxy-sqlite.conf
> }

}

> Even if the alternate passdb worked, how would I get it to connect to the
> backend on localhost? It looks like the proxy connection comes in over the
> external IP even if it's to itself, as the external address is what's
> specified as the proxy destination by the director.

Yeah, you're right.. You could have it be listening on a different port. But there is no local_port {} block yet. Well, unless you changed the sqlite config so that it has ".. where %a=143". Then also return "14300 as port" or something.

> I do have a private network that I run NFS over; I suppose I could run the
> proxy on the external, backend on the internal, and use only the internal
> IPs in the mailserver list. I've also tried that, but it doesn't seem to
> work either due to the passdb setting not being honored within local|remote
> blocks. 

I guess that'd work too.

> Even if it did, wouldn't it still complain about the proxy looping back to
> itself since both lip and rip would both be local addresses? Unless the
> loopback check just compares to see if they're the same...

That's how it does it. lip=rip and lport=rport is required.

> Either way, it
> seems like having proxy_maybe work with the director service would make the
> whole setup a lot simpler.

Hmm. I guess it could work like:

1. Director forwards auth lookup
2. Receives proxy=y with no host (auth process forgets about this request - user can't login with it)
3. Gets the remote IP
4. Figures out that it is the same IP and port where client connected
5. Either it has the username+password or master user+username+master password
6. It does another auth lookup, also giving some input parameter so that auth process will be forced to ignore the proxy and keep the request around so user can login
7. Director forwards the reply to login process, dropping the proxy stuff

The main thing to be implemented would be the "some input parameter". Maybe it could be just that it sets rip=lip and rport=lport and you could compare those (or just lip=rip) in the sql query.
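
The port-based workaround suggested earlier in this reply (a second listener, "%a=143" in the query, "14300 as port" in the result), written out as a configuration sketch. This is an added example, not configuration from the thread: the listener name imap_backend, the database path, and the users table with its userid column are assumptions; port 14300, the %a test and the proxy-sqlite.conf path come from the message above.

```conf
# --- dovecot.conf (fragment) ---
# Two IMAP listeners on the same host: 143 is what clients reach and what
# gets proxied, 14300 is where proxied connections land for a normal login.
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imap_backend {   # hypothetical listener name
    port = 14300
  }
}

# --- /etc/dovecot/proxy-sqlite.conf ---
driver = sqlite
connect = /var/lib/dovecot/proxy.sqlite   # hypothetical path

# %a expands to the local port the client connected to.
# Port 143: the row matches, so the reply carries proxy=Y and port=14300.
#   No host is returned here; the director supplies the destination.
#   nopassword=Y leaves password verification to the login on 14300.
# Port 14300: the WHERE clause matches no row, this passdb finds no user,
#   and the lookup falls through to the next passdb, which must be the one
#   that actually verifies the password.
password_query = \
  SELECT NULL AS password, 'Y' AS nopassword, 'Y' AS proxy, 14300 AS port \
  FROM users WHERE userid = '%u' AND %a = 143
```

Because the proxied connection arrives on 14300 rather than 143, lport and rport differ and the lip=rip, lport=rport loop condition is not met.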

