Proxy secured incoming POP3/IMAP4 to unsecure backend?

Alexander Chekalin alexander.chekalin at gmail.com
Mon Sep 17 17:37:02 EEST 2018


Ok, got that!

After I removed ssl=no it seems to start working as expected. Will know
that 'by design' feature for Dovecot, THANK YOU!

On Mon, Sep 17, 2018 at 5:34 PM Aki Tuomi <aki.tuomi at dovecot.fi> wrote:

> auth process receives the protocol requested when performing
> authentication as variable %s (see https://wiki2.dovecot.org/Variables)
>
> You can use this to choose the value you return for port.
>
> Aki
>
> > On 17 September 2018 at 16:56 Alexander Chekalin <alexander.chekalin at gmail.com> wrote:
> >
> >
> > Seen that URL but port= is strange due to there is no protocol connection.
> > So if I set port=12345 then what proto will I see there? Misleading setting
> > this is why I mentioned (non-existing) per-proto port setting above.
> >
> > May I please ask for any example on how to pass port per proto? It is a bit
> > fuzzy for me to figure it out but I do believe you used to use it somehow.
> >
> > On Mon, Sep 17, 2018 at 4:42 PM Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> >
> > > The port is determined with port=nnn setting. You can't return
> > > per-protocol port like that, you need to look at the protocol requested by
> > > user and return port based on that, or you can omit port to default into
> > > "standard port".
> > >
> > > not using ssl/starttls is default.
> > >
> > > > On 17 September 2018 at 16:35 Alexander Chekalin <alexander.chekalin at gmail.com> wrote:
> > > >
> > > >
> > > > Thank you!
> > > >
> > > > Ok, so I can omit ssl=no and startssl=no, and this results in default
> > > > settings for ssl which is 'off'? Or the defaults are 'on' anyway?
> > > >
> > > > Can I somehow specify ports on remote hosts that proxy will use to connect
> > > > to? Like (just imagine): 'proxy host_imap=10.1.1.1:143 host_pop=10.1.1.1:110'
> > > > or somehow?
> > > >
> > > >
> > > >
> > > >
> > > > On Mon, Sep 17, 2018 at 4:33 PM Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> > > >
> > > > > Due to certain design issues, the ssl=no is actually same as ssl=yes, same
> > > > > goes for starttls=no. So there is no support actually for "ssl=no" at this
> > > > > moment.
> > > > >
> > > > > Aki
> > > > >
> > > > > > On 17 September 2018 at 15:32 Alexander Chekalin <alexander.chekalin at gmail.com> wrote:
> > > > > >
> > > > > >
> > > > > > Surely.
> > > > > >
> > > > > > Here it is:
> > > > > >
> > > > > > # doveadm auth user at domain.com
> > > > > > Password:
> > > > > > passdb: chekalin_krg at ascon.ru auth succeeded
> > > > > > extra fields:
> > > > > >   user=user at domain.com
> > > > > >   proxy
> > > > > >   host=10.10.14.131
> > > > > >   ssl=no
> > > > > >   startssl=no
> > > > > >   source_ip=10.10.14.2
> > > > > >   proxy
> > > > > >   proxy
> > > > > >   pass=password
> > > > > >
> > > > > > Two "proxy" are from two "proxy" and "proxy=yes" settings passed from
> > > > > > passdb.
> > > > > >
> > > > > > On Mon, Sep 17, 2018 at 3:03 PM Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> > > > > >
> > > > > > > Can you provide output of
> > > > > > >
> > > > > > > doveadm auth test some-user
> > > > > > > Aki
> > > > > > >
> > > > > > > On 17.09.2018 14:58, Alexander Chekalin wrote:
> > > > > > >
> > > > > > > Dear Aki,
> > > > > > >
> > > > > > > we keep our users in LDAP so even when I return 'proxy host=backend_ip
> > > > > > > tls=no' it won't use non-TLS connection. The same is when I remove 'tls=no'
> > > > > > > part. May there be any extra things I need to pass when I use LDAP?
> > > > > > >
> > > > > > > On Mon, Sep 17, 2018 at 2:07 PM Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> > > > > > >
> > > > > > >>
> > > > > > >>
> > > > > > >> On 17.09.2018 13:59, Alexander Chekalin wrote:
> > > > > > >> > Hi,
> > > > > > >> >
> > > > > > > >> > I try to set up dovecot as a proxy server, to proxy requests to
> > > > > > > >> > several dovecot-based backend servers. I want external clients who
> > > > > > > >> > connect to this proxy Dovecot to use TLS (this is easy to set up)
> > > > > > > >> > while want to have unsecured (plain IMAP/POP) connections to backends.
> > > > > > > >> >
> > > > > > > >> > You see, links to backends are over LAN so no TLS needed, and these
> > > > > > > >> > backends are poor old machines (with old Dovecots like 2.0.6) this is
> > > > > > > >> > why I don't want to use TLS to access backends.
> > > > > > > >> >
> > > > > > > >> > But as I did the test setup I can see proxy Dovecot uses TLS to
> > > > > > > >> > connect to backends. Is there any way I can specify this aspect of
> > > > > > > >> > Dovecot proxy?
> > > > > > > >> >
> > > > > > > >> > Please advise!
> > > > > > >> >
> > > > > > >> > Yours,
> > > > > > >> >   Alexander
> > > > > > >>
> > > > > > > >> Dovecot does not use TLS/SSL when connecting to a backend server by
> > > > > > > >> default, you are probably specifying this in your proxy config or
> > > > > > > >> password database.
> > > > > > >>
> > > > > > >> Aki
> > > > > > >>
> > > > > > >
> > > > > > >
> > > > >
> > >
>
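
The two points from this thread (a passdb that returns ssl=no or starttls=no still gets a TLS connection to the backend, and the backend port has to be chosen from the requested protocol, %s) as an added Python example; it is not code from the thread or from Dovecot. The sample doveadm output is constructed from the fields quoted above, and the port map and function names are assumptions.

```python
# Added example, not Dovecot code. Field names and values come from the thread;
# SAMPLE is constructed from the `doveadm auth` output quoted there.
SAMPLE = """passdb: user@example.com auth succeeded
extra fields:
  user=user@example.com
  proxy
  host=10.10.14.131
  ssl=no
  startssl=no
  source_ip=10.10.14.2
  proxy
  pass=password
"""
TLS_FIELDS = {"ssl", "starttls"}            # names used in Aki's reply
BACKEND_PORTS = {"imap": 143, "pop3": 110}  # assumed plaintext backend ports


def parse_extra_fields(text):
    """Return (key, value) pairs listed under 'extra fields:'."""
    body = text.split("extra fields:", 1)[1] if "extra fields:" in text else ""
    return [tuple(line.strip().partition("=")[::2])
            for line in body.splitlines() if line.strip()]


def lint(fields):
    """Flag fields that would make the proxy use TLS towards the backend."""
    findings = []
    for key, value in fields:
        if key in TLS_FIELDS:
            # Per the thread, "no" is handled the same as "yes".
            findings.append(f"{key}={value}: presence enables TLS, remove it")
        elif "ssl" in key or "tls" in key:
            findings.append(f"{key}={value}: not a name from the thread, check spelling")
    return findings


def proxy_fields(service, host):
    """Build fields for a plaintext backend, choosing the port from the service (%s)."""
    if service not in BACKEND_PORTS:
        raise ValueError(f"no backend port configured for {service!r}")
    # ssl/starttls are omitted entirely rather than set to "no".
    return ["proxy", f"host={host}", f"port={BACKEND_PORTS[service]}"]


if __name__ == "__main__":
    for finding in lint(parse_extra_fields(SAMPLE)):
        print(finding)
    print(proxy_fields("imap", "10.1.1.1"))
```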