[Dovecot] Dovecot proxy
Jiri Bourek
bourek at thinline.cz
Mon May 5 06:24:48 UTC 2014
Is it possible to use the backend's passdb on the relay server in your setup?
If you are, for example, using an SQL database as passdb on the backend,
you can access it from the relay server as well. Let's say you have a
"relay_enabled" column in the table of users; then you can use something
like:
select ... from users where user = ... and relay_enabled = true
Users who are not permitted access from the internet will get an
authentication failure.
If your passdb can't be shared this way (unix accounts, passwd-file
etc.), this won't work of course. Maybe you can try to play around with
allow_nets
(http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets),
possibly combined with login_trusted_networks on the backend.
The idea here is that your relay provides the user's real IP and you use the
allow_nets extra field to restrict access to your internal network only.
Not sure if this can work though, never tried.
Alex Ferrara wrote:
> Hi everyone,
>
> I have a problem that hopefully has an easy solution.
>
> I am setting up an IMAP proxy in a DMZ network. It will connect to
> the real IMAP server and authenticate using "driver = imap", and this
> I have working really nicely.
>
> What I want to do is have it look up a list of users that are allowed
> to connect through the proxy before proxying the connection, as not
> all users with an account are permitted to access their email from
> the internet. I thought that using a post-login script would get me
> out of trouble, but it isn't possible in a relay configuration.
>
> dovecot.conf
>
> ## Dovecot configuration file
>
> mail_uid = dovecot
> mail_gid = dovecot
>
> protocols = imap
>
> listen = *, ::
>
> passdb {
>   driver = imap
>   # IMAP server to authenticate against
>   args = host=192.168.1.1
>   # IMAP server to connect to for mailbox
>   default_fields = proxy=yes host=192.168.1.1
> }
> userdb {
>   driver = prefetch
> }
>
> auth_mechanisms = plain login
>
> # This is the auth service used by Postfix to do dovecot auth.
> service auth {
>   unix_listener auth-userdb {
>   }
>   inet_listener {
>     port = 12345
>   }
> }
>
> ##
> ## SSL settings
> ##
>
> # These will need to be adjusted to point to *your* certificates, not mine 8-)
> # The ssl_ca line refers to the intermediate certificate bundle which may or
> # may not be required by your SSL provider
>
> ssl_cert = </etc/ssl/certs/mail.domain.com.au.pem
> ssl_key = </etc/ssl/private/mail.domain.com.au.key
> #ssl_ca = </etc/pki/tls/certs/ca.crt
> ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
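As an added example (not from either poster), the shared-SQL-passdb variant described in the reply, written out as the relay's passdb configuration: the query only returns rows with relay_enabled set, so users without relay access fail authentication on the relay and are never proxied. The database host, credentials, column names (userid, password, relay_enabled) and hash scheme are assumptions; 192.168.1.1 is the backend from the quoted config.

```conf
# /etc/dovecot/dovecot.conf on the relay (added example, not from the thread)
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  # prefetch reuses the fields returned by the passdb query, as in the quoted config
  driver = prefetch
}

# /etc/dovecot/dovecot-sql.conf.ext on the relay
driver = mysql
# Assumed: the backend's user database, reachable from the DMZ only over the
# internal network, with a read-only account for the relay.
connect = host=192.168.1.2 dbname=mail user=relay_ro password=CHANGEME
default_pass_scheme = SHA512-CRYPT

# Only users with relay_enabled = true are returned; everyone else gets an
# authentication failure on the relay. The relay verifies the password
# against the returned hash, then proxy=y and host tell Dovecot to forward
# the session to the backend at 192.168.1.1.
password_query = \
  SELECT password, 'y' AS proxy, '192.168.1.1' AS host \
  FROM users \
  WHERE userid = '%u' AND relay_enabled = true
```

Restricting the relay's database account to SELECT on these columns keeps a compromise of the DMZ host from becoming write access to the user table.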