[Dovecot] dovecot 2.0.13 using LDAP and proxying IMAP4 and POP3 to gmail

Volker Scheuber vscheuber at novell.com
Sat Jul 16 22:46:35 EEST 2011


Fellow dovecot users/contributors, 

I am building a POP3/IMAP4 proxy solution for an enterprise, where users can log in with their common username and then get single sign-on to all kinds of different applications in the backend. Some of these applications are SaaS apps like gmail. For gmail in particular, I want dovecot to solve the following issues for me: 

1. be an IMAP4/POP3 proxy in the enterprise, proxying client requests to mail.com. 
2. change both username and password from what's coming in from the client to what's being proxied out to gmail. 
3. use LDAP for authentication 

As a prototype, I implemented #1 and #2 using passwd-files and after a few hours of trial and error, I got it to work and was able to login with "username" and "password" and was proxied through to gmail with "username at gmail.com" and "gmailpassword". Totally awesome. 

Now I am stuck porting my working prototype from my laptop and passwd-files to my real lab environment and LDAP. I was able to get the authentication to work but that's about it. I can't get dovecot to do the proxying. I searched the mailing list archives and saw other people having similar issues, but that was almost 4 years ago... The most promising thread similar to my requirements and issues was this one: http://www.dovecot.org/list/dovecot/2007-September/025740.html but it was never fully answered, nor did the suggestions given in that thread help me with my issue (but I did follow them). 

Here is my current configuration: 

dovecot -n 
# 2.0.13: /usr/local/etc/dovecot/dovecot.conf 
# OS: Linux 2.6.32.36-0.5-default x86_64 SUSE Linux Enterprise Server 11 (x86_64)  
auth_debug = yes 
auth_debug_passwords = yes 
auth_verbose = yes 
auth_verbose_passwords = plain 
disable_plaintext_auth = no 
mail_location = mbox:~/mail:INBOX=/var/mail/%n 
passdb { 
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext 
  driver = ldap 
  master = yes 
  pass = yes 
} 
passdb { 
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext 
  driver = ldap 
} 
ssl_cert = </etc/ssl/certs/dovecot.pem 
ssl_key = </etc/ssl/private/dovecot.pem 
userdb { 
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext 
  driver = ldap 
} 

My ldap configuration is: 

cat /usr/local/etc/dovecot/dovecot-ldap.conf.ext |grep -v ^##* |grep . 
hosts = 127.0.0.1:389 
dn = cn=user,ou=users,o=config 
dnpass = password 
auth_bind = yes 
auth_bind_userdn = cn=%n,ou=users,o=data 
ldap_version = 3 
base = ou=users,o=data 
deref = never 
scope = subtree 
user_attrs = =home=/var/mail,uidNumber=uid,gidNumber=gid 
user_filter = (&(objectClass=posixAccount)(uid=%n)) 
pass_attrs = mail=user,userPassword=password,uid=proxy,=ssl=any-cert,city=host,description=pass,cn=nologin 
pass_filter = (&(objectClass=posixAccount)(uid=%n)) 
iterate_filter = (objectClass=posixAccount) 
default_pass_scheme = CRYPT 

When connecting to dovecot through an IMAP client (evolution in my case) the dovecot log shows: 

Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth 
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: auth client connected (pid=26601) 
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: client in: AUTH	1	PLAIN	service=imap	secured	lip=137.65.156.25	rip=164.99.195.4	lport=993	rport=49203	resp=AGFhYmVsbABOMHYzbGwxMjM0NTY= 
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: client out: OK	1	user=aabell 
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: master in: REQUEST	3762290689	26601	1	e9ff0815dea78591a5437731034c14aa 
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): user search: base=ou=users,o=data scope=subtree filter=(&(objectClass=posixAccount)(uid=aabell)) fields=uidNumber,gidNumber 
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): result: gidNumber(gid)=1001 uidNumber(uid)=1001 
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: master out: USER	3762290689	aabell	gid=1001	uid=1001	home=/var/mail 
Jul 16 13:32:17 linux-1hen dovecot: imap-login: Login: user=<aabell>, method=PLAIN, rip=164.99.195.4, lip=137.65.156.25, mpid=26604, TLS 

It doesn't even seem to be recognizing the extra fields I defined in pass_attrs. So I changed my ldap configuration to: 

cat /usr/local/etc/dovecot/dovecot-ldap.conf.ext |grep -v ^##* |grep . 
hosts = 127.0.0.1:389 
dn = cn=supervisor,ou=sa,o=system 
dnpass = n0v3ll123 
auth_bind = yes 
auth_bind_userdn = cn=%n,ou=users,o=data 
ldap_version = 3 
base = ou=users,o=data 
deref = never 
scope = subtree 
user_attrs = mail=user,=home=/var/mail,uidNumber=uid,gidNumber=gid,=proxy=y,=ssl=any-cert,=host=209.85.225.109,description=pass,=nologin=y 
user_filter = (&(objectClass=posixAccount)(uid=%n)) 
pass_attrs = mail=user,userPassword=password 
pass_filter = (&(objectClass=posixAccount)(uid=%n)) 
iterate_filter = (objectClass=posixAccount) 
default_pass_scheme = CRYPT 

This time things looked much better, but still not good enough: 

Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth 
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: auth client connected (pid=26787) 
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: client in: AUTH	1	PLAIN	service=imap	secured	lip=137.65.156.25	rip=164.99.195.4	lport=993	rport=57079	resp=AGFhYmVsbABOMHYzbGwxMjM0NTY= 
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: client out: OK	1	user=aabell 
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: master in: REQUEST	1597898753	26787	1	62fbc34468ae7853209715c05e11ad14 
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): user search: base=ou=users,o=data scope=subtree filter=(&(objectClass=posixAccount)(uid=aabell)) fields=mail,uidNumber,gidNumber,description 
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: auth(aabell,164.99.195.4): username changed aabell -> vscheuber at gmail.com 
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: ldap(vscheuber at gmail.com,164.99.195.4): result: description(pass)=gmailpassword gidNumber(gid)=1001 uidNumber(uid)=1001 mail(user)=vscheuber at gmail.com 
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: master out: USER	1597898753	vscheuber at gmail.com	pass=gmailpassword	gid=1001	uid=1001	home=/var/mail	proxy=y	ssl=any-cert	host=209.85.225.109	nologin=y 
Jul 16 13:36:12 linux-1hen dovecot: imap-login: Login: user=<aabell>, method=PLAIN, rip=164.99.195.4, lip=137.65.156.25, mpid=26790, TLS 

I thought I'd also post here the log of my working prototype configuration with passwd-files. I would expect the ldap output to look similar in some key areas like proxying, but it doesn't: 

Jul 15 15:04:25 vscdevws dovecot: auth: Debug: client in: AUTH	1	PLAIN	service=imap	secured	lip=::1	rip=::1	lport=143	rport=36444	resp=AHZzY2hldWJlcgBwYXNzd29yZA== 
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: passwd-file(vscheuber,::1): lookup: user=vscheuber file=/etc/dovecot/users 
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: auth(vscheuber,::1): username changed vscheuber -> vscheuber at gmail.com 
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: client out: OK	1	user=vscheuber at gmail.com	proxy	host=209.85.225.109	port=993	ssl=any-cert	pass=gmailpassword 
Jul 15 15:04:26 vscdevws dovecot: imap-login: proxy(vscheuber at gmail.com): started proxying to 209.85.225.109:993: user=<vscheuber at gmail.com>, method=PLAIN, rip=::1, lip=::1, secured 

If you read to this point, I say "thank you!" just for that. Please advise where my misconfiguration could be. 

Thank you very much, I appreciate your time and help! 
Volker 
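Added here as a diagnostic example, not code from the poster or from the Dovecot project: a small checker that reads Dovecot 2.0 auth debug lines of the kind quoted above, splits the tab-separated auth-protocol replies, and reports which of the proxy-controlling extra fields (proxy, host, port, pass, nologin, ssl, ...) came back in the passdb reply ("client out: OK ...") versus only in the userdb reply ("master out: USER ..."). The login process decides to proxy from passdb extra fields, so a reply shape like the LDAP one above (proxy fields only on the USER line) is flagged. The sample log lines are constructed with placeholder user names, host and password; the field names are Dovecot's.

```python
import re

# Passdb extra fields that make imap-login/pop3-login proxy the session (Dovecot 2.0).
# Returned from a userdb instead, they arrive after local authentication already succeeded.
PROXY_FIELDS = {"proxy", "proxy_maybe", "host", "port", "destuser",
                "pass", "nologin", "ssl", "starttls", "proxy_timeout"}

CLIENT_OUT = re.compile(r"auth: Debug: client out: (.+)$")   # passdb reply -> auth client
MASTER_OUT = re.compile(r"auth: Debug: master out: (.+)$")   # userdb reply -> master process


def parse_reply(payload: str):
    """Split one tab-separated auth-protocol reply into command, request id and fields.

    OK   <tab> id <tab> field...                (passdb reply)
    USER <tab> id <tab> username <tab> field... (userdb reply)
    A bare word such as "proxy" or "nologin" is a flag; it is stored with an empty value.
    """
    parts = payload.rstrip("\r\n").split("\t")
    cmd = parts[0]
    if cmd == "OK":
        req_id, rest = parts[1], parts[2:]
    elif cmd == "USER":
        req_id, rest = parts[1], parts[3:]
    else:
        return None
    fields = {}
    for item in rest:
        key, _, value = item.partition("=")
        fields[key] = value
    return {"cmd": cmd, "id": req_id, "fields": fields}


def audit_auth_log(log_text: str) -> dict:
    """Look at the last passdb and userdb replies in an auth debug log and report
    whether the login process will proxy and where the proxy fields ended up."""
    passdb = userdb = None
    for line in log_text.splitlines():
        m = CLIENT_OUT.search(line)
        if m:
            passdb = parse_reply(m.group(1))
            continue
        m = MASTER_OUT.search(line)
        if m:
            userdb = parse_reply(m.group(1))
    pfields = set(passdb["fields"]) if passdb else set()
    ufields = set(userdb["fields"]) if userdb else set()
    return {
        "will_proxy": bool(pfields & {"proxy", "proxy_maybe"}),
        "proxy_fields_in_passdb": sorted(PROXY_FIELDS & pfields),
        "proxy_fields_only_in_userdb": sorted((PROXY_FIELDS & ufields) - pfields),
        # auth_debug_passwords=yes writes the backend password into the log in clear text
        "backend_password_logged": any(r is not None and bool(r["fields"].get("pass"))
                                       for r in (passdb, userdb)),
    }


# Constructed sample lines modelled on the two exchanges in the post above.
# "alice", "example.com", 203.0.113.10 and BACKEND-PW are placeholders, not real values.
LDAP_USERDB_ATTEMPT = "\n".join([
    "Jul 16 13:36:12 mx1 dovecot: auth: Debug: client out: OK\t1\tuser=alice",
    "Jul 16 13:36:12 mx1 dovecot: auth: Debug: master out: USER\t42\talice@example.com"
    "\tpass=BACKEND-PW\tgid=1001\tuid=1001\thome=/var/mail\tproxy=y\tssl=any-cert"
    "\thost=203.0.113.10\tnologin=y",
])
PASSWD_FILE_PROTOTYPE = "\n".join([
    "Jul 15 15:04:25 mx1 dovecot: auth: Debug: client out: OK\t1\tuser=alice@example.com"
    "\tproxy\thost=203.0.113.10\tport=993\tssl=any-cert\tpass=BACKEND-PW",
])

if __name__ == "__main__":
    for name, log in (("ldap/userdb", LDAP_USERDB_ATTEMPT),
                      ("passwd-file", PASSWD_FILE_PROTOTYPE)):
        print(name, audit_auth_log(log))
```

For the userdb-style sample the checker reports will_proxy False with host, nologin, pass, proxy and ssl present only in the userdb reply; for the passwd-file-style sample it reports will_proxy True. Two caveats worth keeping in mind when reading such logs: Dovecot's LDAP documentation states that when auth_bind_userdn is set, pass_filter and pass_attrs are not used at all, so a bind-template passdb cannot return extra fields; and auth_debug_passwords=yes puts the backend password on the USER/OK lines in clear text, so such logs should be treated as secrets and the setting switched off once the problem is found.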

