On 13/12/2019 21:28 Peter Chiochetti <pch@myzel.net> wrote:

While toying around with Doveadmin HTTP api I noticed, there is not much hype around it. Let's change that.

Doveadmin REST API so to speak provides a web server. When doing /ajax/ requests, modern browsers block that, unless the response comes with a specific CORS header.

Here how to work around with a proxy:

...

/etc/dovecot/local.conf

doveadm_allowed_commands = fetch doveadm_api_key = secret service doveadm { inet_listener http { port = 8084 } }

secret64 = echo -n secret | base64

/etc/apache/.../some-site.conf

ProxyVia Block <Location /doveadm/v1> RequestHeader set Authorization "X-Dovecot-API secret64" ProxyPass http://localhost:8084/doveadm/v1 retry=0 timeout=5 ProxyPassReverse http://localhost:8084/doveadm/v1 </Location>

Intranet only this might be good enough, TLS with username/password Basic-Authentication passthrough might be used for better security.

Shameless plug: taken from https://gist.github.com/hungerburg/00d582bf1a6bf3c622797bf5e759f75b

-- peter

Hi!

doveadm http api is not intended to be exposed to untrusted network. Never do that. =)

Aki