Director & Master Users

Travis Dolan travis.dolan at gmail.com
Fri Feb 16 18:29:43 EET 2018


Hello Sami,

Thanks for the info. I have the following implemented and working.

I am only using the Director nodes to map users to the same backend server. I
perform all auth and message delivery/retrieval on the backend servers.

Director Nodes:

auth_master_user_separator = *

passdb {
  driver = passwd-file
  args = /etc/dovecot/conf.d/lasso-master-user-password
  master = yes
  pass = yes
}

passdb {
  driver = static
  args = proxy=y nopassword=y password=doesnotmatter
}

Backend Nodes:

auth_master_user_separator = *

passdb {
  driver = passwd-file
  args = /etc/dovecot/conf.d/master-user-password
  master = yes
  pass = yes
}

passdb {
  driver = sql
  args = /etc/dovecot/conf.d/sql.conf.ext
}

userdb {
  driver = sql
  args = /etc/dovecot/conf.d/sql.conf.ext
}

userdb {
  driver = prefetch
}

I have read the docs that state configuring Director in this way can expose
the service to issues if large amounts of unknown user requests are sent to
the Director nodes. I can manage this risk by ensuring proper rate limiting is
in place in the load balancers in front of Director nodes.

I would love to hear your thoughts on the configuration.

Thanks in advance.

On Feb 16 2018, at 3:02 am, Sami Ketola <sami.ketola at dovecot.fi> wrote:

>> On 15 Feb 2018, at 22.16, Travis Dolan <travis.dolan at gmail.com> wrote:
>>
>> It would look as though the changes have now negatively affected a "normal"
>> user from logging in.
>>
>> telnet host 143
>> a login username password
>> a NO [AUTHENTICATIONFAILED] Authentication failed.
>>
>> telnet host 143
>> 1 login devteam*masteruser at example.com password
>> 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
>> SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT
>> MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-
>> EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN
>> CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in
>>
>> What do you think?
>
> So your director is the first entry point where the end users connect?
>
> In that case your director should have a passdb setup that verifies the user
> password and then switches the session to use the master password when
> forwarding the connection to the backend.
>
> Something like this in director:
>
> passdb {
>   driver = passwd-file
>   args = /data/mail.passwd
>   result_success = continue-ok
> }
>
> passdb {
>   driver = static
>   args = pass=masterpassword
>   skip = unauthenticated
> }
>
> and in backend:
>
> passdb {
>   driver = static
>   args = password=masterpassword
> }
>
> Sami

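Added example, not code from this thread or from Dovecot: a deliberately simplified Python model of how a passdb chain resolves a login, covering only the directives the two director configurations in this thread use, so both can be tried against the same constructed users. It assumes, as Sami's snippet implies, that once an earlier passdb has verified the password, later passdbs only look the user up and add fields; the user names, passwords and chain data are constructed for the example.

```python
SEP = "*"                                   # auth_master_user_separator
USERS = {"alice@example.com": "alice-pw"}   # constructed normal-user passwd file
MASTERS = {"devteam": "master-pw"}          # constructed master-user passwd file

def lookup(db, user, password, verified):
    """One passdb lookup -> (success, extra fields). The password is only
    compared when nothing earlier in the chain has verified it (assumption)."""
    if db["driver"] == "passwd-file":
        known = user in db["file"]
        return known and (verified or db["file"][user] == password), {}
    if db["driver"] == "static":            # static: every user "exists"
        args = dict(db["args"])
        nopw = args.pop("nopassword", None) == "y"
        fixed = args.pop("password", None)
        return verified or nopw or fixed == password, args
    raise ValueError("driver not modelled: %s" % db["driver"])

def authenticate(chain, login, password):
    """Walk a passdb chain and return (ok, fields). fields are the extra
    fields (proxy=, pass=) a director would use when forwarding."""
    dest, master = (login.split(SEP, 1) + [None])[:2]
    ok, fields = False, {}
    for db in chain:
        if db.get("skip") == "unauthenticated" and not ok:
            continue                        # skip = unauthenticated
        if db.get("master", False) != (master is not None):
            continue                        # master passdbs see only user*master
        hit, extra = lookup(db, master or dest, password, ok)
        if not hit:
            continue                        # result_failure default: continue
        ok = True
        fields.update(extra)
        if db.get("master") and db.get("pass"):
            master = None                   # pass = yes: now look up dest user
            continue
        if db.get("result_success", "return-ok") == "return-ok":
            return True, fields             # continue-ok keeps walking instead
    return ok, fields

# The two director chains from the thread, expressed as data.
TRAVIS_DIRECTOR = [
    {"driver": "passwd-file", "file": MASTERS, "master": True, "pass": True},
    {"driver": "static", "args": {"proxy": "y", "nopassword": "y",
                                  "password": "doesnotmatter"}},
]
SAMI_DIRECTOR = [
    {"driver": "passwd-file", "file": USERS, "result_success": "continue-ok"},
    {"driver": "static", "args": {"pass": "masterpassword"},
     "skip": "unauthenticated"},
]
```

Calling authenticate() on TRAVIS_DIRECTOR with an unknown user and any password returns success with proxy=y, which is the unknown-user exposure the docs warn about, while the same call on SAMI_DIRECTOR fails at the first passdb.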