<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I think I've got a response on Serverfault that helps me, and I'd
like to give a complete example here. I was able to proxy IMAP and
Submission with the following settings:</p>
<p>dovecot.conf:</p>
<pre>
----
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key

auth_cache_size = 4k
disable_plaintext_auth = no
passdb {
  args = /etc/dovecot/sql.conf
  driver = sql
}
protocols = "imap pop3 submission"
service auth {
  user = root
}
userdb {
  args = static uid=5000 gid=5000 home=/dev/null
  driver = static
}

service submission-login {
  inet_listener submission {
    port = 587
  }
  inet_listener submissions {
    port = 465
    ssl = yes
  }
}
----
</pre>
<p>and sql.conf</p>
<pre>
----
## SQL passdb configuration
# Database driver: mysql, pgsql
driver = mysql
# Database options
# Only the MySQL driver supports multiple hosts for now.
connect = host=localhost dbname=dovecot user=dovecot password=dovecot
# Query
password_query = SELECT NULL AS password, 'y' AS nopassword, 'y' AS proxy, NULL AS destuser, 'y' AS proxy_nopipelining, host, 'y' AS nodelay, 'y' AS nologin, 'any-cert' AS starttls FROM proxy_domain WHERE domain = '%d';

# eof
----
</pre>
<p>The solution is to not use SSL but STARTTLS/TLS for all
protocols.</p>
<p>Would it be a good idea to write that into the documentation?</p>
<p>bye<br>
Thoralf</p>
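<p>As an added example (not from this thread), a small lint over the proxy fields a Dovecot passdb returns per domain, checking the points discussed above: that the proxy flag is set, that exactly one of <code>ssl</code>/<code>starttls</code> is used and matches the backend port, and flagging <code>any-cert</code>, which encrypts the backend hop but skips certificate verification. The rows are constructed here; the <code>port</code> field is assumed to be returned by the query (the thread's query omits it).</p>

```python
# Added example, not from the mailing-list thread: lint the proxy extra
# fields a Dovecot passdb returns for each domain before they go live.
# Rows below are constructed; field names follow Dovecot's passdb fields.
from typing import Dict, List

# values that encrypt the backend hop but skip certificate verification
UNVERIFIED = {"any-cert"}
# conventional ports: implicit TLS (ssl=) vs STARTTLS on the plaintext port
IMPLICIT_TLS_PORTS = {465, 993, 995}
STARTTLS_PORTS = {587, 143, 110, 4190}


def check_proxy_row(row: Dict[str, str]) -> List[str]:
    """Return findings for one passdb result row (empty list = clean)."""
    findings = []
    if row.get("proxy", "").lower() not in ("y", "yes"):
        findings.append("proxy flag not set; Dovecot would try local login")
    ssl, starttls = row.get("ssl"), row.get("starttls")
    if ssl and starttls:
        findings.append("both ssl and starttls set; pick one per listener")
    if not ssl and not starttls:
        findings.append("no ssl/starttls: backend connection is plaintext")
    # port is assumed present here; Dovecot otherwise reuses the client port
    port = int(row.get("port", 0) or 0)
    if ssl and port in STARTTLS_PORTS:
        findings.append(f"ssl= on port {port}, which expects STARTTLS")
    if starttls and port in IMPLICIT_TLS_PORTS:
        findings.append(f"starttls= on port {port}, which expects implicit TLS")
    for key in ("ssl", "starttls"):
        if row.get(key) in UNVERIFIED:
            findings.append(f"{key}=any-cert: backend certificate not verified")
    return findings


def lint_rows(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each domain to its findings."""
    return {r["domain"]: check_proxy_row(r) for r in rows}


# constructed sample rows, as a proxy_domain query might return them
SAMPLE_ROWS = [
    {"domain": "example.org", "host": "backend-a.example.org", "proxy": "y",
     "starttls": "any-cert", "port": "587"},
    {"domain": "example.net", "host": "backend-b.example.net", "proxy": "y",
     "ssl": "yes", "port": "587"},
    {"domain": "example.com", "host": "backend-c.example.com", "proxy": "y",
     "starttls": "yes", "port": "587"},
]

if __name__ == "__main__":
    for domain, findings in lint_rows(SAMPLE_ROWS).items():
        print(domain, findings or "ok")
```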
<div class="moz-cite-prefix">On 01.09.20 at 13:59, Thoralf
Rickert-Wendt wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8dd74606-dc08-3ed3-0a9e-e3a2cbb0f136@acoby.de">
<p>Hi Philon,</p>
<p>Now it's time for "Mahlzeit" ;-)</p>
<p>Sorry that I read wiki1 instead of wiki2. I thought the 1
meant that it is server one of ... my fault. Also for not reading
the first line above the menu. My focus was really on the
content. ;-)</p>
<p>Also, my problem with the doc of the Dovecot2 proxy is that the
document <a class="moz-txt-link-freetext"
href="https://doc.dovecot.org/configuration_manual/authentication/proxies/"
moz-do-not-send="true">https://doc.dovecot.org/configuration_manual/authentication/proxies/</a>
has fewer details for a domain-only example. That works as in the
Dovecot1 doc, but it isn't documented anymore. Also, the location
under the "authentication" chapter in the wiki didn't tell me that
this is the "new Dovecot proxy documentation". I thought this
was only related to authentication issues. I would recommend
either restructuring wiki2 so that it is clearer to the
user, or making some notes on <a class="moz-txt-link-freetext"
href="https://doc.dovecot.org/admin_manual/dovecot_proxy/"
moz-do-not-send="true">https://doc.dovecot.org/admin_manual/dovecot_proxy/</a>
and linking to the passdb setting on <a
class="moz-txt-link-freetext"
href="https://doc.dovecot.org/configuration_manual/forwarding_parameters/"
moz-do-not-send="true">https://doc.dovecot.org/configuration_manual/forwarding_parameters/</a>
and <a class="moz-txt-link-freetext"
href="https://doc.dovecot.org/configuration_manual/authentication/proxies/"
moz-do-not-send="true">https://doc.dovecot.org/configuration_manual/authentication/proxies/</a>.
Maybe there are other documents related to the proxy too, like the
SNI settings etc. But maybe I'm the only one on the planet who
tries to use that. It feels a little bit like that.<br>
</p>
<p>The Director would be interesting if all the mail servers in
the backend knew each other. But that's not the case.
Mailserver A and Mailserver B are hosting completely different
domains with completely different user lists and completely
different user admins, etc. Also, mailcow doesn't enable the
director. So it will not help much. But it could be interesting
if I have multiple proxies.</p>
<p>Yes, the submission service inside Dovecot is there. And I
tried to avoid installing multiple "programs"; if there is
one "program" that handles it all, why not use it? And I'd
like to quote the first line of the Dovecot proxy doc: "Dovecot
supports proxying IMAP, POP3, <a class="reference internal"
href="https://doc.dovecot.org/admin_manual/submission_server/#submission-server"
moz-do-not-send="true"><span class="std std-ref">Submission
Server</span></a>, <a class="reference internal"
href="https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/#lmtp-server"
moz-do-not-send="true"><span class="std std-ref">LMTP Server</span></a>,
and <a class="reference internal"
href="https://doc.dovecot.org/admin_manual/pigeonhole_managesieve_server/#pigeonhole-managesieve-server"
moz-do-not-send="true"><span class="std std-ref">Pigeonhole
ManageSieve Server</span></a> connections to other hosts."</p>
<p>Also, I tried to open the Dovecot authentication mechanism for
Postfix (for submission) with</p>
<pre>
service auth {
  user = root
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
</pre>
<p>And on the Postfix side with</p>
<pre>
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
</pre>
<p>But the Postfix login is always accepted (even with wrong
passwords), and after I start to write a mail the connection gets
lost after the RCPT command. That is another problem. Before I
investigate it, I would try my luck with Dovecot. It is already
asking the correct backend submission server, but with SSL on a
non-SSL port.</p>
<p>So - someone included the Submission protocol in Dovecot and
someone wrote that submission could be proxied - but - it's
not completely documented, or "it doesn't work" within an SSL
environment. I searched for a simple example where IMAP and
POP3 are proxied via SSL and Submission too (which would mean
that Dovecot submission listens on 465), or via STARTTLS on 587
and redirecting it also to STARTTLS/587. But I didn't find
anything. Also, the submission documentation doesn't help, because
I can't see a single line of a configuration file in it.<br>
</p>
<p>Ok, but first - lunchtime.</p>
<p>bye<br>
Thoralf</p>
<div class="moz-cite-prefix">On 01.09.20 at 09:43, Philon wrote:<br>
</div>
<blockquote type="cite"
cite="mid:3C6DE842-15D9-4783-8097-FF7149F922B0@gmail.com">
<pre class="moz-quote-pre" wrap="">Hi Thoralf,
I’d say first of all you should read the current docs for 2.x, not the archived stuff. —> <a class="moz-txt-link-freetext" href="https://wiki2.dovecot.org/" moz-do-not-send="true">https://wiki2.dovecot.org/</a> - (It’s even mentioned in bold in the header)
Then, to front multiple backends, perhaps you want to take a look at Dovecot Director. —> <a class="moz-txt-link-freetext" href="https://wiki2.dovecot.org/Director" moz-do-not-send="true">https://wiki2.dovecot.org/Director</a>
About SMTP, I’m not sure why you would want to rely on Dovecot for that. I only do Postfix with Dovecot as auth backend so they can share passdb access. When you have 465 set up it is no big deal to also enable 587 in Postfix's master.cf.
If you want to keep Dovecot for Submission you can check the latest docs for the Dovecot submission service: <a class="moz-txt-link-freetext" href="https://doc.dovecot.org/admin_manual/submission_server/" moz-do-not-send="true">https://doc.dovecot.org/admin_manual/submission_server/</a>. It has a relay server option with port. Also settings for STARTTLS etc. can be found there.
Mahlzeit!
Philon
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 31 Aug 2020, at 11:33, Thoralf Rickert-Wendt <a class="moz-txt-link-rfc2396E" href="mailto:trw@acoby.de" moz-do-not-send="true"><trw@acoby.de></a> wrote:
Hello everyone,
it's my first post here on this mailing list and I hope I do it right.
I posted a question on <a class="moz-txt-link-freetext" href="https://serverfault.com/questions/1031441/dovecot-as-proxy-with-submission" moz-do-not-send="true">https://serverfault.com/questions/1031441/dovecot-as-proxy-with-submission</a> and nobody was able to answer it. So I decided to push that question here (I'm talking about any new Dovecot version, and I've tested it with 2.3.4.1 (f79e8e7e4)).
I am trying to run a Dovecot proxy in front of a big number of mail servers (serving SMTP-in, submission, IMAP, POP3, Sieve). I need that proxy because I ran out of IPv4 addresses. Of course I use IPv6 too, but many customers still have problems with their providers, and they really don't want to share their mails on a "shared mail server". I planned to use Dovecot for IMAPS, POP3S, SMTP submission (465) and Postfix for the rest. If I find a solution for Sieve, I would try that too, but that is very optional.
With the documentation <a class="moz-txt-link-freetext" href="https://wiki1.dovecot.org/HowTo/ImapProxy" moz-do-not-send="true">https://wiki1.dovecot.org/HowTo/ImapProxy</a> (which is really old and should be updated) and some other ASCII docs (from an Apple mirror somewhere deep in the web) I was able to build an IMAP/POP3 proxy that forwards requests from outside to a specific backend using SSL (993, 995). That works - I think. You can find the config on the Serverfault page.
In general - all known domains in the backend are using SSL, and the passdb forwards all requests to the backend via SSL. So - I understand:
password_query =
SELECT
NULL AS password,
NULL AS destuser,
host,
'Y' AS nologin,
'Y' AS nodelay,
'Y' AS nopassword,
'Y' AS proxy,
'any-cert' AS `ssl`
FROM
proxy_domain
WHERE
domain = '%d'
But that is only 50% of the show. The rest is submission (and maybe Sieve). Practically, the submission implementation in Dovecot works too. But because Dovecot by default only opens port 587 (STARTTLS), my passdb setting has a problem.
When I try to use that port, Dovecot tries to use SSL on the backend/587 too - but that is wrong (it should either use 465 or should try to use STARTTLS).
So, I have the following options:
- find a way to configure dovecot-proxy to listen on 465 with SSL for the submission service and hope that it uses the same port
  - but I didn't find any documentation for that and need help
- find a way to configure dovecot-proxy/passdb to return starttls=y when dovecot-submission is used (use a different passdb)
  - but I didn't find any documentation for that, and I'm not sure if this works on the service/protocol level
- find a way to configure the passdb answer based on the used port/protocol. But I only know the parameters %u, %d and %p.
  - so it would be nice to find a way to also select the protocol (if already developed)
- find a way to make a patch in Dovecot (which isn't easy for me, because I don't really know the code)
Does somebody have an idea how I can configure the dovecot-proxy in that way?
bye
Thoralf
</pre>
</blockquote>
</blockquote>
</blockquote>
</body>
</html>