Using both starttls and ssl in passdb on proxy results in timeouts

Filias Heidt fh at netzkommune.com
Tue Sep 18 11:33:57 EEST 2018 

I tried some more things, such as setting starttls=NULL or ssl=NULL, which does the same as setting it to „no“. Interestingly, if I set ssl=NULL and don’t set starttls at all, it still tries an SSL connection to the backend. 

Is there no way to use starttls or ssl depending on a variable? It could also be possible that I have starttls-backends and ssl-backends which would be a similar use-case to my sieve-thing, I think.

Cheers,
Filias

> Am 17.09.2018 um 11:54 schrieb Filias Heidt <fh at netzkommune.com>:
> 
> Hi List,
> 
> I have a dovecot which proxies to different backends depending on an entry in a mysql-database. The mysql-query sets ‚ssl‘ to ‚any-cert‘ and this works fine. But this causes me a problem: sieve-backends only support STARTTLS and if I set ‚ssl‘ to ‚any-cert‘ (or yes), it will attempt a TLS-connection to the sieve-backends, which fails. 
> 
> My attempt was to alter the query to include %{real_lport} and return ‚ssl=no‘ and ‚starttls=any-cert‘ if the port matches the sieve-port. It works as expected in that it returns the correct values and proxies to the correct backend. 
> 
> However it seems that TLS is no longer working and I get timeouts from the backends.
> 
> Debug: client passdb out: OK	1	user=someuser at example.com	proxy	proxy_nopipelining=y	host=backend1.example.com	nodelay=y	nologin	starttls=no	ssl=any-cert	hostip=so.me.i.p	pass=<hidden>
> 
> results in:
> Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: proxy(someuser at example.com): Login for so.me.i.p:993 timed out in state=/none (after 30 secs, local=lo.cal.i.p:60524): user=<someuser at example.com>, method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS, session=<OySXgw12auwgARYIAAYABwAAAAAAAwAU>
> 
> My query looks like this:
> password_query = SELECT host from proxy_domain, NULL as password, 'y' as nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y' as nodelay, 'y' as nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as 'starttls', IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl‘;
> 
> As soon as I remove the starttls-part and the passdb only returns ssl=any-cert (without starttls=no) it works flawlessly.
> 
> Is it possible that I am attacking the problem the wrong way? Or is it not possible to set both starttls and ssl to some values in passdb and enable/disable them as needed? 
> 
> Thanks for any input :)
> 
> Cheers,
> Filias

More information about the dovecot mailing list