<p>Hello Sami,</p><p></p><p>Thanks for the info. I have the following implemented and working.</p><p></p><p>I am only using the Director nodes to map users to the same backend server. I perform all auth and message deliver/retrieval on the backend servers.</p><p></p><p>Director Nodes:</p><p></p><p>auth_master_user_separator = *</p><p>passdb {</p><p> driver = passwd-file</p><p> args = /etc/dovecot/conf.d/lasso-master-user-password</p><p> master = yes</p><p> pass = yes</p><p>}</p><p></p><p>passdb {</p><p> driver = static</p><p> args = proxy=y nopassword=y password=doesnotmatter</p><p>}</p><p></p><p>Backend Nodes:</p><p></p><p>auth_master_user_separator = *</p><p>passdb {</p><p> driver = passwd-file</p><p> args = /etc/dovecot/conf.d/master-user-password</p><p> master = yes</p><p> pass = yes</p><p>}</p><p></p><p>passdb {</p><p> driver = sql</p><p> args = /etc/dovecot/conf.d/sql.conf.ext</p><p>}</p><p></p><p>userdb {</p><p> driver = sql</p><p> args = /etc/dovecot/conf.d/sql.conf.ext</p><p>}</p><p></p><p>userdb {</p><p> driver=prefetch</p><p>}</p><p></p><p>I have read the docs that state configuring Director in this way can expose the service to issues if large amounts of unknown user requests are sent to the Director nodes. I can manage this risk by ensuring proper rate limiting is in place in the load balancers in front of Director nodes.</p><p></p><p>I would love to hear your thoughts on the configuration.</p><p></p><p>Thank in advance.</p>
<div id="umuse-quoted-text-marker">
<div class="gmail_quote">
<br>
On Feb 16 2018, at 3:02 am, Sami Ketola <sami.ketola@dovecot.fi> wrote:
<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<meta content="text/html; charset=us-ascii" /><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><br /><div><br /><blockquote type="cite"><div>On 15 Feb 2018, at 22.16, Travis Dolan <<a href="mailto:travis.dolan@gmail.com">travis.dolan@gmail.com</a>> wrote:</div><br /><div><p>It would look as though the changes have now negatively affected a "normal" user from logging in.</p><div><br /></div><p>telnet host 143</p><p>a login username password</p><div><br /></div><p>a NO [AUTHENTICATIONFAILED] Authentication failed.</p><div><br /></div><p>telnet host 143</p><p>1 login <a href="mailto:devteam*masteruser@example.com">devteam*masteruser@example.com</a> password</p><div><br /></div><p>1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in</p><div><br /></div><p>What do you think?</p></div></blockquote></div><br /><div>So your director is the first entry point where the end users connect?</div><div><br /></div><div>in that case your director should have passdb setup that verifies the user password and then </div><div>switches the session to use master password when forwarding the connection to backend.</div><div><br /></div><div>something like this in director:</div><div><br /></div><div>passdb {</div><div> driver = passwd-file</div><div> args = /data/mail.passwd</div><div> result_success = continue-ok</div><div>}</div><div><br /></div><div>passdb {</div><div> driver = static</div><div> args = pass=masterpassword </div><div> skip = unauthenticated</div><div>}</div><div><br /></div><div><br /></div><div>and in backend:</div><div><br /></div><div>passdb {</div><div> driver = static</div><div> args = password=masterpassword</div><div>}</div><div><br /></div><div>Sami</div><div><br /></div><div><br /></div></body>
</blockquote>
</div>
</div>