Timo,
On 5/31/10 6:04 AM, "Timo Sirainen" <tss@iki.fi> wrote:
Well .. maybe you could use separate services. Have the proxy listen on public IP and the backend listen on localhost. Then you can do:
local_ip 127.0.0.1 { passdb { .. } }
and things like that. I think it would work, but I haven't actually tried.
It doesn't seem to be honoring the passdb setting within the local block. I've got a single host set up with director, and itself listed as a mail server:
director_servers = 128.223.142.138
director_mail_servers = 128.223.142.138
userdb {
  driver = passwd
}
passdb {
  driver = sql
  args = /etc/dovecot/proxy-sqlite.conf
}
local 127.0.0.1 {
  passdb {
    driver = pam
  }
}
If I telnet to localhost and attempt to log in, the logs show:
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=60417 resp=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: sql(brandond,127.0.0.1): query: SELECT null AS password, 'Y' AS nopassword, 'Y' AS proxy
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client out: OK 1 user=brandond proxy pass=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=128.223.142.138 rip=128.223.142.138 lport=143 rport=44453 resp=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: sql(brandond,128.223.142.138): query: SELECT null AS password, 'Y' AS nopassword, 'Y' AS proxy
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client out: OK 1 user=brandond proxy pass=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: imap-login: Error: Proxying loops to itself: user=<brandond>, method=PLAIN, rip=128.223.142.138, lip=128.223.142.138, secured, mailpid=0
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: new auth connection: pid=4700
May 31 14:39:34 cc-popmap7 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<brandond>, method=PLAIN, rip=128.223.142.138, lip=128.223.142.138, secured, mailpid=0
Even if the alternate passdb worked, how would I get it to connect to the backend on localhost? It looks like the proxy connection comes in over the external IP even if it's to itself, as the external address is what's specified as the proxy destination by the director.
I do have a private network that I run NFS over; I suppose I could run the proxy on the external, backend on the internal, and use only the internal IPs in the mailserver list. I've also tried that, but it doesn't seem to work either due to the passdb setting not being honored within local|remote blocks.
Even if it did, wouldn't it still complain about the proxy looping back to itself, since both lip and rip would be local addresses? Unless the loopback check just compares to see if they're the same... Either way, it seems like having proxy_maybe work with the director service would make the whole setup a lot simpler.
There's not yet a static passdb .. perhaps there should be. But you could use e.g. sqlite backend for the proxy and use:
password_query = select null as password, 'Y' as nopassword, 'Y' as proxy
That seems to work well enough, with the major caveat noted above.
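As an added example, not part of this thread, here is a small Python check that walks the auth debug lines quoted above and flags a login that arrives from one of the configured director_mail_servers and is still answered with "proxy", which is the situation the imap-login "Proxying loops to itself" error reports. The pairing of "client in"/"client out" by request id and the rule "a connection from a mail server that is told to proxy again is a loop" are my assumptions, as is the MAIL_SERVERS value taken from the config above.

```python
import re

# Constructed sample: the auth debug lines quoted in the mail above, one per line.
SAMPLE_LOG = """\
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=127.0.0.1 rip=127.0.0.1 lport=143 rport=60417 resp=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: sql(brandond,127.0.0.1): query: SELECT null AS password, 'Y' AS nopassword, 'Y' AS proxy
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client out: OK 1 user=brandond proxy pass=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=128.223.142.138 rip=128.223.142.138 lport=143 rport=44453 resp=<hidden>
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: sql(brandond,128.223.142.138): query: SELECT null AS password, 'Y' AS nopassword, 'Y' AS proxy
May 31 14:39:34 cc-popmap7 dovecot: auth: Debug: client out: OK 1 user=brandond proxy pass=<hidden>
"""

# Assumed to mirror director_mail_servers from the config quoted above.
MAIL_SERVERS = {"128.223.142.138"}

AUTH_IN = re.compile(r"client in: AUTH (\d+) .*?\blip=(\S+) rip=(\S+)")
AUTH_OUT = re.compile(r"client out: OK (\d+) user=(\S+)(?P<rest>.*)")


def find_proxy_loops(log_text, mail_servers):
    """Pair each 'client in' with its 'client out' by auth request id and
    report (user, lip, rip) for logins that come *from* a configured mail
    server yet are answered with 'proxy' again, i.e. the proxy chain loops."""
    pending = {}  # request id -> (lip, rip) of the connection being authenticated
    loops = []
    for line in log_text.splitlines():
        m = AUTH_IN.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = AUTH_OUT.search(line)
        if not m:
            continue
        lip, rip = pending.pop(m.group(1), (None, None))
        proxied = " proxy" in m.group("rest")
        # Heuristic (assumption): a connection whose remote IP is one of the
        # mail servers is a hop the proxy itself made; telling it to proxy
        # once more sends the login back around the loop.
        if proxied and rip in mail_servers:
            loops.append((m.group(2), lip, rip))
    return loops
```

Run on the sample it reports only the second login, the one arriving on 128.223.142.138 from 128.223.142.138; the first, from 127.0.0.1, is a client connection and is not flagged.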