dovecot director and keepalived
Steven Varco
dovecot.org at bbs.varco.ch
Sun Mar 14 18:52:04 EET 2021
Hi All
I’m trying to establish a dovecot HA setup with two loadbalancers, running keepalived for sharing a virtual public IP.
On the same machines I’m running a dovecot director which proxies the requests to two underlying mail servers (on separate machines).
Now I’m hitting the issue with the way director determines its "Self IP" by trying to bind to all configured director_servers IPs, taking the first one possible.
However, this approach only works when the sysctl setting is net.ipv4.ip_nonlocal_bind=0.
On the other hand, keepalived needs net.ipv4.ip_nonlocal_bind=1 in order to bind the VIP.
The last topic on that is dating back to 2016 (https://dovecot.org/pipermail/dovecot/2016-August/105191.html) with references to 2012 (https://www.dovecot.org/list/dovecot/2012-November/087033.html) and no solution posted so far.
After five more years :D, I’m asking myself if we finally have a solution for that, or if my approach of achieving clustered director servers is potentially wrong?
Other possible solutions I could think about:
- Configure each director as "independent" by setting only one IP in director_servers.
=> With this approach you would lose the user-to-mailserver mapping, although only in the case of a failover on the loadbalancer, which might be neglected (or are there any other fallbacks?)
- Only have director running on the currently active loadbalancer node and stopped on the passive loadbalancer node (would possibly have the same effects as above).
- Putting director on separate intermediate machines and proxying the requests through haproxy on the keepalived servers (keepalived -> haproxy -> director -> IMAP).
=> Besides the disadvantage of having another bunch of servers in the chain, some special configuration on the director servers might also be necessary to assure director works neatly with haproxy.
So, in 2021, what is the "correct" (best practice) way of having a redundant HA setup for dovecot?
This means a MUA connects to one public IP and gets connected to (preferably the same) IMAP server, no matter which machine in the whole chain might be down?
PS: Using just multiple A records on the mail domain name (round-robin), while working perfectly for SMTP, is not acceptable for IMAP IMHO, as in case of a failure every second request from the client (MUA) would fail and most MUAs are not automatically reconnecting in that case.
thanks,
Steven
--
https://steven.varco.ch/
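The conflict the post describes can be reproduced without a real cluster. The script below is an added example (not Dovecot code and not from the original post): it models the "bind to each director_servers entry, take the first one that succeeds" selection the post attributes to director, shows that with net.ipv4.ip_nonlocal_bind=1 every entry binds and the first listed address (here the peer's) wins, and contrasts it with a sysctl-independent check that matches the list against the addresses actually assigned to the host. All addresses, the `ip -4 -o addr` sample output and the function names are constructed for the example.

```python
"""Model of how a bind-probe picks a director's "self" address.

Constructed example for the HA question above, not Dovecot's code. It shows
why probing bind() on each director_servers entry is only reliable while
net.ipv4.ip_nonlocal_bind=0, and a sysctl-independent alternative that
matches the configured list against the addresses assigned to this host.
"""
import re
import socket
from typing import Callable, List, Optional, Set

# Constructed sample values (documentation ranges, not real hosts).
DIRECTOR_SERVERS = ["198.51.100.10", "198.51.100.11"]   # both load balancer nodes
VIP = "198.51.100.1"                                     # keepalived virtual IP

# Constructed output of `ip -4 -o addr` on the second load balancer while it
# does NOT currently hold the VIP.
SAMPLE_IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 198.51.100.11/24 brd 198.51.100.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""


def local_addresses(ip_addr_output: str) -> Set[str]:
    """Extract the IPv4 addresses from `ip -4 -o addr` output."""
    return set(re.findall(r"\binet (\d+\.\d+\.\d+\.\d+)/", ip_addr_output))


def bind_probe_real(ip: str, port: int = 0) -> bool:
    """Real probe: can this kernel bind() the address right now?

    With ip_nonlocal_bind=0 this succeeds only for assigned addresses;
    with ip_nonlocal_bind=1 it succeeds for any address, which is exactly
    why the probe stops being a useful "is this me?" test.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, port))
            return True
        except OSError:
            return False


def make_probe(assigned: Set[str], nonlocal_bind: int) -> Callable[[str], bool]:
    """Simulated probe reproducing the kernel rule for a given sysctl value."""
    return lambda ip: nonlocal_bind == 1 or ip in assigned


def self_ip_by_bind_probe(servers: List[str], probe: Callable[[str], bool]) -> Optional[str]:
    """Selection as described in the post: first director_servers entry that binds."""
    for ip in servers:
        if probe(ip):
            return ip
    return None


def self_ip_by_assigned(servers: List[str], assigned: Set[str]) -> Optional[str]:
    """Sysctl-independent alternative: first entry actually assigned to this host."""
    for ip in servers:
        if ip in assigned:
            return ip
    return None


def diagnose(servers: List[str], assigned: Set[str], nonlocal_bind: int):
    """Return (bind_probe_choice, assigned_choice, agree) for one sysctl value."""
    probe = make_probe(assigned, nonlocal_bind)
    by_probe = self_ip_by_bind_probe(servers, probe)
    by_assigned = self_ip_by_assigned(servers, assigned)
    return by_probe, by_assigned, by_probe == by_assigned


if __name__ == "__main__":
    assigned = local_addresses(SAMPLE_IP_ADDR_OUTPUT)
    for sysctl in (0, 1):
        print(f"ip_nonlocal_bind={sysctl}:", diagnose(DIRECTOR_SERVERS, assigned, sysctl))
```

Running it on the constructed host prints that with ip_nonlocal_bind=0 both methods agree on 198.51.100.11, while with ip_nonlocal_bind=1 the bind probe picks 198.51.100.10 (the other node) and the two methods disagree. On a real load balancer, `bind_probe_real` together with the actual `ip -4 -o addr` output gives the same comparison for the live kernel setting.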