Dovecot Proxy

Philon bytesplit at gmail.com
Tue Sep 1 10:43:45 EEST 2020


Hi Thoralf,

I’d say first of all you should read the current docs for 2.x, not the archived stuff. -> https://wiki2.dovecot.org/ (It’s even mentioned in bold in the header.)

Then, to front multiple backends, perhaps you want to take a look at Dovecot Director. -> https://wiki2.dovecot.org/Director

About SMTP, I’m not sure why you would want to rely on Dovecot for that. I only do Postfix with Dovecot as auth backend so they can share passdb access. When you have 465 set up, it is no big deal to also enable 587 in Postfix’s master.cf.

If you want to keep Dovecot for submission, you can check the latest docs for the Dovecot submission service: https://doc.dovecot.org/admin_manual/submission_server/. It has a relay server option with port. Also, settings for STARTTLS etc. can be found there.


Mahlzeit!

Philon

> On 31 Aug 2020, at 11:33, Thoralf Rickert-Wendt <trw at acoby.de> wrote:
> 
> Hello everyone,
> 
> it's my first post here on this mailing list and I hope I make it right.
> 
> I posted a question on https://serverfault.com/questions/1031441/dovecot-as-proxy-with-submission and nobody was able to answer it. So I decided to push that question here (I'm talking about any new dovecot version and I've tested it with 2.3.4.1 (f79e8e7e4)).
> 
> I try to run a dovecot proxy in front of a big number of mail servers (serving SMTP-in, submission, IMAP, POP3, Sieve). I need that proxy, because I run out of IPv4 addresses. Of course I use IPv6 too, but many customers still have problems with their providers and they really don't want to share their mails on a "shared-mailserver". I planned to use Dovecot for IMAPS, POP3S, SMTP-submission(465) and postfix for the rest. If I find a solution for sieve, I would try that too, but that is very optional.
> 
> With the documentation https://wiki1.dovecot.org/HowTo/ImapProxy (which is really old and should be updated) and some other ascii docs (from an Apple mirror somewhere deep in the web) I was able to build an IMAP/POP3 proxy that forwards requests from outside to a specific backend using SSL (993,995). That works - I think. You can find the config on the serverfault page.
> 
> In general - all known domains in backend are using SSL and the passdb forwards all requests to the backend via SSL. So - I understand:
> 
> password_query =
>   SELECT
>     NULL AS password,
>     NULL AS destuser,
>     host,
>     'Y' AS nologin,
>     'Y' AS nodelay,
>     'Y' AS nopassword,
>     'Y' AS proxy,
>     'any-cert' AS `ssl`
>   FROM
>     proxy_domain
>   WHERE
>     domain = '%d'
> 
> But that is only 50% of the show. The rest is submission (and maybe sieve). Practically the submission implementation in dovecot works too. But because dovecot by default only opens port 587 (starttls), my passdb setting has a problem.
> 
> When I try to use that port Dovecot tries to use SSL on the backend/587 too - but that is wrong (it should either use 465 or should try to use starttls).
> 
> So, I have the following options.
> 
> - find a way to configure dovecot-proxy to listen on 465 with SSL for submission service and hope that it uses the same port
>   - but I didn't find any documentation for that and need help
> 
> - find a way to configure dovecot-proxy/passdb to return starttls=y when dovecot-submission is used (use a different passdb)
>   - but I didn't find any documentation for that and I'm not sure if this works on service/protocol level
> 
> - find a way to configure the passdb answer based on the used port/protocol. But I only know the parameters %u, %d and %p.
>   - so it would be nice to find a way to also select the protocol (if already developed)
> 
> - find a way to make a patch in dovecot (which isn't easy for me, because I don't really know the code)
> 
> Does somebody have an idea how I can configure the dovecot-proxy in that way?
> 
> bye
> Thoralf
> 
> 
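
A check for the mismatch described in the quoted question (ssl returned for a backend port that expects STARTTLS), as an added example that is not part of either message and not Dovecot's own code. The function name, finding codes, host name and port-to-TLS-mode mapping are assumptions; the field names proxy, ssl and starttls and the value any-cert come from the thread.

```python
# Added example, not code from the thread: lint a Dovecot proxy passdb reply.
# Assumptions: 465/993/995 carry implicit TLS and 587 carries STARTTLS on the
# backends, and an extra field counts as set when it is present and not NULL.
IMPLICIT_TLS_PORTS = {465, 993, 995}
STARTTLS_PORTS = {587}

MESSAGES = {
    "ssl-on-starttls-port": "ssl is set but the backend port expects STARTTLS",
    "starttls-on-implicit-tls-port": "starttls is set but the backend port expects TLS from the first byte",
    "no-tls": "neither ssl nor starttls is set; the proxy talks to the backend in cleartext",
    "no-cert-verification": "any-cert accepts whatever certificate the backend presents",
}


def lint_proxy_reply(fields, backend_port):
    """Return finding codes for one passdb reply.

    fields: dict of extra fields as the passdb returns them (None = SQL NULL).
    backend_port: port the proxy will connect to; supplied by the caller
                  because the query in the thread returns no port field.
    """
    if fields.get("proxy") is None:
        return []  # not a proxy reply, nothing to check
    ssl_mode = fields.get("ssl")
    starttls_mode = fields.get("starttls")
    findings = []
    if ssl_mode is not None and starttls_mode is None and backend_port in STARTTLS_PORTS:
        findings.append("ssl-on-starttls-port")
    if starttls_mode is not None and backend_port in IMPLICIT_TLS_PORTS:
        findings.append("starttls-on-implicit-tls-port")
    if ssl_mode is None and starttls_mode is None:
        findings.append("no-tls")
    if "any-cert" in (ssl_mode, starttls_mode):
        findings.append("no-cert-verification")
    return findings


# Constructed sample replies, modelled on the password_query quoted above.
THREAD_REPLY = {"host": "backend1.example.net", "proxy": "Y", "nopassword": "Y",
                "ssl": "any-cert", "destuser": None}
STARTTLS_REPLY = {"host": "backend1.example.net", "proxy": "Y", "nopassword": "Y",
                  "starttls": "yes"}

if __name__ == "__main__":
    for name, reply, port in [("thread reply, IMAPS", THREAD_REPLY, 993),
                              ("thread reply, submission", THREAD_REPLY, 587),
                              ("starttls reply, submission", STARTTLS_REPLY, 587)]:
        for code in lint_proxy_reply(reply, port) or ["ok"]:
            print(f"{name}: {code}: {MESSAGES.get(code, 'no findings')}")
```

Run against the rows of proxy_domain before rollout, passing the backend port each protocol will actually use.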