Hello,

I have a setup with two director servers pointing to two backends. I don't care that much for load balancing, my main goal is high availability.

CRAM-MD5 auth is working fine if I connect directly to the backends, but the director only supports AUTH=PLAIN because of the static passdb.

director config:
> passdb {
>   driver = static
>   args = nopassword=y proxy=y
> }
>
> director_servers = director1 director2
> director_mail_servers = backend1 backend2

backend config:
> passdb {
>   driver = vpopmail
>   args
> }
>
> userdb {
>   driver = vpopmail
> }

It seems that the director is only working if I use the static passdb?!

How can I use the director with other passdb drivers than the static one?

Greetings,
Martin
On Wed, 2010-10-13 at 10:53 +0200, Martin Spuetz wrote:
> i have a setup with two director servers pointing to two backends. I
> don't care that much for load balancing, my main goal is high availability.
>
> CRAM-MD5 auth is working fine if I connect directly to the backends, but
> the director only supports AUTH=PLAIN because of the static passdb.

Yeah. The problem is that with CRAM-MD5 the username can't be known until the authentication is started. But the authentication can't be started until the backend server is known, which of course can't be known until the username is known.

So the only way to make CRAM-MD5 work with proxying is to have the client authenticate with CRAM-MD5 against the proxy. The proxy then does a separate authentication against the backend server (e.g. using a master proxy password that allows authenticating against anyone).

Or if you only care about HA, maybe you shouldn't use director at all and just have an active/passive pair of servers.
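The circular dependency described in the reply above, as an added sketch that is not part of the original thread and is not Dovecot code: it follows the RFC 2195 CRAM-MD5 exchange and shows that the username only appears inside the client's response, and that a response computed for the proxy's challenge does not verify against a challenge issued by a backend. The account, password and the helper names are constructed for illustration; `director1` and `backend1` are the hostnames from the question.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample account, standing in for the real passdb.
USERS = {"martin@example.org": "constructed-sample-password"}

def make_challenge(hostname):
    # RFC 2195: the server the client is connected to picks a fresh challenge.
    return f"<{os.getpid()}.{time.time_ns()}.{os.urandom(8).hex()}@{hostname}>".encode()

def client_response(user, password, challenge):
    # The client sends base64("<user> <hex HMAC-MD5(password, challenge)>").
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def verify(response_b64, challenge, lookup_password):
    """Return the username if the response matches this challenge, else None."""
    try:
        user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    password = lookup_password(user)  # verifier needs the secret itself
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected.encode(), digest.encode())
    return user if ok else None

def demo():
    user = "martin@example.org"
    # 1. The proxy must send a challenge before it knows who is logging in.
    proxy_challenge = make_challenge("director1")
    response = client_response(user, USERS[user], proxy_challenge)
    # 2. Only now is the username visible, so only now can a backend be chosen.
    at_proxy = verify(response, proxy_challenge, USERS.get)
    # 3. The backend would issue its own challenge; the forwarded response fails.
    backend_challenge = make_challenge("backend1")
    forwarded = verify(response, backend_challenge, USERS.get)
    return at_proxy, forwarded

if __name__ == "__main__":
    print(demo())
```

Because the response is bound to the proxy's challenge, the proxy has to hold the credentials needed to verify it and then log in to the backend separately, which is the arrangement the reply describes.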
On Wed, 2010-10-13 at 10:53 +0200, Martin Spuetz wrote:
> > backend config:
> > passdb {
> >   driver = vpopmail
> >   args
> > }
> >
> > userdb {
> >   driver = vpopmail
> > }
>
> It seems that the director is only working, if I use the static
> passdb?!
>
> How can I use the director with other passdb drivers than the static
> one?

Oh, and if you want to make director do the authentication directly, you can't currently use passdb vpopmail, because you can't add the proxy=y setting to it. Are your users in SQL? You could use passdb sql directly then.