Doveadm HTTP API and CORS
Aki Tuomi
aki.tuomi at open-xchange.com
Fri Dec 13 21:32:17 EET 2019
> On 13/12/2019 21:28 Peter Chiochetti <pch at myzel.net> wrote:
>
>
> While toying around with the Doveadm HTTP API I noticed there is not much
> hype around it. Let's change that.
>
> The Doveadm REST API, so to speak, provides a web server. When doing /ajax/
> requests, modern browsers block them unless the response comes with a
> specific CORS header.
>
> Here is how to work around it with a proxy:
>
> > # /etc/dovecot/local.conf
> > doveadm_allowed_commands = fetch
> > doveadm_api_key = secret
> > service doveadm {
> >   inet_listener http {
> >     port = 8084
> >   }
> > }
> > # secret64 = echo -n secret | base64
> > # /etc/apache/.../some-site.conf
> > ProxyVia Block
> > <Location /doveadm/v1>
> >   RequestHeader set Authorization "X-Dovecot-API secret64"
> >   ProxyPass http://localhost:8084/doveadm/v1 retry=0 timeout=5
> >   ProxyPassReverse http://localhost:8084/doveadm/v1
> > </Location>
>
> For intranet only, this might be good enough; TLS with username/password
> Basic-Authentication passthrough might be used for better security.
>
> Shameless plug: taken from
> https://gist.github.com/hungerburg/00d582bf1a6bf3c622797bf5e759f75b
>
> --
> peter
Hi!
The doveadm HTTP API is not intended to be exposed to an untrusted network. Never do that. =)
Aki
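
Whether a doveadm HTTP listener is reachable beyond the local proxy can be checked from the configuration itself. The Python audit below is an added example, not code from either message or from Dovecot: it flags `inet_listener` blocks under `service doveadm` that bind non-loopback addresses. It assumes Dovecot's documented behaviour that a listener without `address` inherits the global `listen` setting (default `*, ::`); the function names and the loopback variant of the config are constructed for illustration.

```python
import ipaddress

# Listener settings as posted in the thread (Dovecot part only).
THREAD_CONF = """
doveadm_allowed_commands = fetch
doveadm_api_key = secret
service doveadm {
  inet_listener http {
    port = 8084
  }
}
"""
# Constructed variant: same listener pinned to loopback for the local proxy.
LOOPBACK_CONF = THREAD_CONF.replace("port = 8084", "address = 127.0.0.1 ::1\n    port = 8084")

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"  # "*" and other host names count as exposed

def in_doveadm_listener(stack):
    return len(stack) == 2 and stack[0] == "service doveadm" and stack[1].startswith("inet_listener")

def audit_doveadm_listeners(conf_text):
    """Return one finding per non-loopback address a doveadm inet_listener binds."""
    listen = "*, ::"           # Dovecot's default for the global `listen` setting
    stack, listeners = [], []  # open block names; (block name, settings) pairs
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(" ".join(line[:-1].split()))
            if in_doveadm_listener(stack):
                listeners.append((stack[-1], {}))
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if not stack and key == "listen":
                listen = value
            elif in_doveadm_listener(stack):
                listeners[-1][1][key] = value
    findings = []
    for name, settings in listeners:
        # An inet_listener without `address` inherits the global `listen` value.
        for addr in (settings.get("address") or listen).replace(",", " ").split():
            if not is_loopback(addr):
                findings.append(f"{name} port {settings.get('port', '?')}: listens on {addr}")
    return findings

if __name__ == "__main__":
    print(audit_doveadm_listeners(THREAD_CONF))
    print(audit_doveadm_listeners(LOOPBACK_CONF))
```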