Dovecot proxying to some backend using LOGIN proxy_mech

Stephan Bosch stephan at rename-it.nl
Sun Oct 6 23:16:14 EEST 2019



On 21/09/2019 12:32, Sébastien Riccio via dovecot wrote:
>
> Hello list,
>
> I am currently testing a setup for a PoC with this configuration.
>
> - 1 x Frontend dovecot for proxying IMAP/POP3/LMTP/ManageSieve/Submission
>
> - 2 x Backend dovecot with local mail storage
>
> The frontend does the user authentication and communicates with the 
> backends using a master password.
>
> The frontend accepts PLAIN and LOGIN auth mechanisms and talks with 
> backends using the PLAIN auth mechanism (with the master password).
>
> This works very well, it's cool.
>
> Then, I've added to this setup an existing mail server (running 
> another mailserver software) as a 3rd backend, and would like the 
> frontend to also proxy for this, but this time not using master password.
>
> This is working for IMAP/POP3 when it uses PLAIN auth, but not for 
> Submission. The backend server in this case only accepts LOGIN auth 
> and not PLAIN on port 587.
>
> So I found out there is a field in the passdb we can add (proxy_mech), 
> and I've set it to LOGIN.
>
> The frontend seems to now use LOGIN auth mech to talk to this 3rd 
> backend, but the authentication still fails.
>
> According to the backend logs, it seems the dovecot proxy is now using 
> LOGIN auth, but sends garbage as username and/or password.
>
> Also IMAP that was working when using PLAIN doesn't work anymore with 
> LOGIN.
>

The Dovecot proxy is not strictly meant for proxying towards something 
other than Dovecot and you seem to have stumbled upon a bug/design 
flaw/protocol deviation in the client-side SASL LOGIN mechanism. An 
initial SASL response is sent (empty) even though the LOGIN mechanism 
doesn't define one.

Regards,

Stephan.



> Might this be a bug, or is this setup not supposed to be supported at all?
>
> Passdb MySQL table on frontend:
>
> mysql> describe users;
> +-------------+--------------+------+-----+---------+-------+
> | Field       | Type         | Null | Key | Default | Extra |
> +-------------+--------------+------+-----+---------+-------+
> | user        | varchar(255) | NO   | PRI | NULL    |       |
> | domain      | varchar(255) | NO   | PRI | NULL    |       |
> | password    | varchar(255) | YES  |     | NULL    |       |
> | displayname | varchar(255) | YES  |     | NULL    |       |
> | host        | varchar(16)  | NO   |     | NULL    |       |
> | usemaster   | tinyint(1)   | NO   |     | 1       |       |
> | proxy_mech  | varchar(20)  | YES  |     | NULL    |       |
> | starttls    | varchar(20)  | YES  |     | NULL    |       |
> +-------------+--------------+------+-----+---------+-------+
>
> mailstore-01/02 are dovecot backends
>
> otherhost is the other mailserver I also would like to proxy through 
> dovecot proxy
>
> +-------+-----------------+-----------------------------------+--------------+--------------+-----------+------------+----------+
> | user  | domain          | password                          | displayname  | host         | usemaster | proxy_mech | starttls |
> +-------+-----------------+-----------------------------------+--------------+--------------+-----------+------------+----------+
> | user1 | somedomain.com  | {SHA512-CRYPT}<some_crypted_pass> | Joe Black    | mailstore-01 |         1 | NULL       | NULL     |
> | user2 | otherdomain.com | {SHA512-CRYPT}<some_crypted_pass> | Mr. Smith    | mailstore-02 |         1 | NULL       | NULL     |
> | user3 | area13.com      | NULL                              | Donald Duck  | otherhost    |         0 | LOGIN      | any-cert |
> | user4 | area13.com      | NULL                              | Thanks Obama | otherhost    |         0 | LOGIN      | any-cert |
> +-------+-----------------+-----------------------------------+--------------+--------------+-----------+------------+----------+
>
> Passdb query:
>
> password_query = \
>   SELECT concat(user, '@', domain) AS user, password, host, 'Y' AS proxy, \
>     IF(usemaster is TRUE, 'supermasteruserl', NULL) as master, \
>     IF(usemaster is TRUE, 'supermasterpassword', password) as pass, \
>     IF(usemaster is FALSE, 'Y', NULL) as nopassword, \
>     proxy_mech, \
>     starttls \
>     FROM users WHERE user = '%n' AND domain = '%d'
>
> Some questions I'm asking myself:
>
> Is proxying using LOGIN proxy_mech supported at all to auth on backends?
>
> Is dovecot proxying to "otherhost" supposed to decode the original client 
> auth (using PLAIN) and translate it to LOGIN format to auth with 
> "otherhost"?
>
> # otherhost port 587 log
>
> Without specifying proxy_mech
>
> [2019.09.19] 09:27:22.167 [192.168.60.220][3070269] cmd: EHLO 
> dovecotproxy.local.domain
>
> [2019.09.19] 09:27:22.167 [192.168.60.220][3070269] rsp: 
> 250-dovecotproxy.local.domain Hello [192.168.60.220]250-SIZE 
> 52428800250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
>
> [2019.09.19] 09:27:22.167 [192.168.60.220][3070269] cmd: AUTH PLAIN 
> <base64string>
>
> [2019.09.19] 09:27:22.167 [192.168.60.220][3070269] rsp: 504 
> Unrecognized authentication type.
>
> When using proxy_mech LOGIN
>
> [2019.09.20] 08:24:45.201 [192.168.60.220][24148464] cmd: AUTH LOGIN =
>
> [2019.09.20] 08:24:45.201 [192.168.60.220][24148464] Exception: The 
> input is not a valid Base-64 string as it contains a non-base 64 
> character, more than two padding characters, or an illegal character 
> among the padding characters.
>
> [2019.09.20] 08:24:45.201 [192.168.60.220][24148464] rsp: 535 
> Authentication failed
>
> # otherhost port 143 log
>
> Works without specifying proxy_mech
>
> When using proxy_mech LOGIN (fails)
>
> [2019.09.20] 03:37:20.896 [192.168.60.220][26310645] connected at 
> 20.09.2019 03:37:20
>
> [2019.09.20] 03:37:20.896 [192.168.60.220][26310645] command: C CAPABILITY
>
> [2019.09.20] 03:37:20.896 [192.168.60.220][26310645] response: * 
> CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN UIDPLUS QUOTA XLIST 
> CHILDREN ENABLE IDLE STARTTLS
>
> [2019.09.20] 03:37:20.896 [192.168.60.220][26310645] response: C OK 
> CAPABILITY completed
>
> [2019.09.20] 03:37:20.896 [192.168.60.220][26310645] command: L 
> AUTHENTICATE LOGIN
>
> [2019.09.20] 03:37:20.927 [192.168.60.220][26310645] disconnected at 
> 20.09.2019 03:37:20
>
> I hope I explained my setup so it's kinda understandable. I'm not good 
> at explaining things :)
>
> Thank you for your help!
>
> root at mailfront-01:~# dovecot --version
>
> 2.3.7.2 (3c910f64b)
>
> *Sébastien RICCIO*
>
> *SYSTEM ADMINISTRATOR*
>
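To make Stephan's diagnosis concrete, here is a small model of the two SMTP AUTH exchanges involved, written as an added example for this archive page; it is not code from the thread, from Dovecot, or from the "otherhost" server. The toy server implements the RFC 4954 subset that matters here: PLAIN accepts its credentials as an initial response on the AUTH line, LOGIN is server-first (the server sends the "Username:" and "Password:" challenges), and a lone "=" on the AUTH line denotes a zero-length initial response. The user table and password are constructed. The toy server refuses an initial response for LOGIN with a 501; that is this example's choice, whereas the otherhost log above shows it trying to base64-decode the "=" and answering 535.

```python
import base64

# Constructed demo credentials for the toy server; not values from the thread.
USERS = {"user3@area13.com": "s3cret"}


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(text):
    # validate=True makes stray characters raise instead of being skipped silently
    return base64.b64decode(text.encode("ascii"), validate=True).decode("utf-8")


def plain_initial_response(authcid, password, authzid=""):
    """SASL PLAIN client message (RFC 4616): authzid NUL authcid NUL password, base64."""
    return b64(f"{authzid}\0{authcid}\0{password}")


class ToyAuthServer:
    """Minimal SMTP AUTH state machine (RFC 4954 subset) for illustrating the exchange."""
    MECHS = ("PLAIN", "LOGIN")

    def __init__(self, users):
        self.users = users
        self.state = None          # None, "plain", "login-user" or "login-pass"
        self.username = None
        self.authenticated = None  # user name after a 235 reply

    def handle(self, line):
        return self._auth_command(line) if self.state is None else self._continuation(line)

    def _auth_command(self, line):
        parts = line.split(" ")
        if parts[0].upper() != "AUTH" or len(parts) not in (2, 3):
            return "501 Syntax error in parameters"
        mech = parts[1].upper()
        if mech not in self.MECHS:
            return "504 Unrecognized authentication type."
        initial = parts[2] if len(parts) == 3 else None
        if initial == "=":         # RFC 4954: a lone "=" is a zero-length initial response
            initial = ""
        if mech == "PLAIN":
            if initial is None:
                self.state = "plain"
                return "334 "
            return self._continue_plain(initial)
        # LOGIN is server-first: the server opens with "Username:", so an initial
        # response, even an empty one, has no defined meaning and is refused here.
        if initial is not None:
            return "501 LOGIN does not accept an initial response"
        self.state = "login-user"
        return "334 " + b64("Username:")

    def _continuation(self, line):
        if line == "*":
            self.state = None
            return "501 Authentication cancelled"
        if self.state == "plain":
            return self._continue_plain(line)
        try:
            value = unb64(line)
        except ValueError:
            self.state = None
            return "501 Cannot decode response"
        if self.state == "login-user":
            self.username, self.state = value, "login-pass"
            return "334 " + b64("Password:")
        return self._verify(self.username, value)

    def _continue_plain(self, encoded):
        self.state = None
        try:
            fields = unb64(encoded).split("\0")
        except ValueError:
            return "501 Cannot decode response"
        if len(fields) != 3:
            return "501 Malformed PLAIN response"
        return self._verify(fields[1], fields[2])

    def _verify(self, user, password):
        self.state = None
        if user and self.users.get(user) == password:
            self.authenticated = user
            return "235 Authentication successful"
        return "535 Authentication failed"


def authenticate_plain(server, user, password):
    """Client side of AUTH PLAIN with the credentials as initial response."""
    line = "AUTH PLAIN " + plain_initial_response(user, password)
    return [(line, server.handle(line))]


def authenticate_login(server, user, password, send_initial=False):
    """Client side of AUTH LOGIN; send_initial=True reproduces the proxy's 'AUTH LOGIN =' line."""
    transcript = []

    def send(line):
        reply = server.handle(line)
        transcript.append((line, reply))
        return reply

    reply = send("AUTH LOGIN =" if send_initial else "AUTH LOGIN")
    if reply.startswith("334"):
        reply = send(b64(user))
    if reply.startswith("334"):
        send(b64(password))
    return transcript


if __name__ == "__main__":
    runs = (("PLAIN", lambda s: authenticate_plain(s, "user3@area13.com", "s3cret")),
            ("LOGIN", lambda s: authenticate_login(s, "user3@area13.com", "s3cret")),
            ("LOGIN with '='", lambda s: authenticate_login(s, "user3@area13.com", "s3cret", True)))
    for label, run in runs:
        print("==", label)
        for c, r in run(ToyAuthServer(USERS)):
            print("C:", c, "\nS:", r)
```

Running it prints the three transcripts side by side: PLAIN succeeds in one round trip, a correct LOGIN takes three (AUTH LOGIN, then the base64 user name and password in answer to the two challenges), and the "AUTH LOGIN =" form is refused on the first line, which is the point at which the thread's backend logged its base64 exception and 535. On the defensive side, a backend that answers 501 to an unexpected initial response, as the toy does, gives a clearer log signal than a decoder exception and keeps the proxy from ever reaching the password step.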


