Volker Scheuber
2011-Jul-16 19:46 UTC
[Dovecot] dovecot 2.0.13 using LDAP and proxying IMAP4 and POP3 to gmail
Fellow dovecot users/contributors,

I am building a POP3/IMAP4 proxy solution for an enterprise, where users can log in with their common username and then get single sign-on to all kinds of different applications in the backend. Some of these applications are SaaS apps like gmail. For gmail in particular, I want dovecot to solve the following issues for me:

1. be an IMAP4/POP3 proxy in the enterprise, proxying client requests to mail.com.
2. change both username and password from what's coming in from the client to what's being proxied out to gmail.
3. use LDAP for authentication

As a prototype, I implemented #1 and #2 using passwd-files and after a few hours of trial and error, I got it to work and was able to log in with "username" and "password" and was proxied through to gmail with "username@gmail.com" and "gmailpassword". Totally awesome.

Now I am stuck porting my working prototype from my laptop and passwd-files to my real lab environment and LDAP. I was able to get the authentication to work but that's about it. I can't get dovecot to do the proxying. I searched the mailing list archives and saw other people having similar issues, but that was almost 4 years ago... The most promising thread similar to my requirements and issues was this one: http://www.dovecot.org/list/dovecot/2007-September/025740.html but it was never fully answered, nor did the suggestions given in that thread help me with my issue (but I did follow them).
Here is my current configuration:

dovecot -n
# 2.0.13: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 2.6.32.36-0.5-default x86_64 SUSE Linux Enterprise Server 11 (x86_64)
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
mail_location = mbox:~/mail:INBOX=/var/mail/%n
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
  master = yes
  pass = yes
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

My ldap configuration is:

cat /usr/local/etc/dovecot/dovecot-ldap.conf.ext |grep -v ^##* |grep .
hosts = 127.0.0.1:389
dn = cn=user,ou=users,o=config
dnpass = password
auth_bind = yes
auth_bind_userdn = cn=%n,ou=users,o=data
ldap_version = 3
base = ou=users,o=data
deref = never
scope = subtree
user_attrs = =home=/var/mail,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = mail=user,userPassword=password,uid=proxy,=ssl=any-cert,city=host,description=pass,cn=nologin
pass_filter = (&(objectClass=posixAccount)(uid=%n))
iterate_filter = (objectClass=posixAccount)
default_pass_scheme = CRYPT

When connecting to dovecot through an IMAP client (evolution in my case) the dovecot log shows:

Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: auth client connected (pid=26601)
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=137.65.156.25 rip=164.99.195.4 lport=993 rport=49203 resp=AGFhYmVsbABOMHYzbGwxMjM0NTY=
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: client out: OK 1 user=aabell
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: master in: REQUEST 3762290689 26601 1 e9ff0815dea78591a5437731034c14aa
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): user search: base=ou=users,o=data scope=subtree filter=(&(objectClass=posixAccount)(uid=aabell)) fields=uidNumber,gidNumber
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): result: gidNumber(gid)=1001 uidNumber(uid)=1001
Jul 16 13:32:17 linux-1hen dovecot: auth: Debug: master out: USER 3762290689 aabell gid=1001 uid=1001 home=/var/mail
Jul 16 13:32:17 linux-1hen dovecot: imap-login: Login: user=<aabell>, method=PLAIN, rip=164.99.195.4, lip=137.65.156.25, mpid=26604, TLS

It doesn't even seem to be recognizing the extra fields I defined in pass_attrs. So I changed my ldap configuration to:

cat /usr/local/etc/dovecot/dovecot-ldap.conf.ext |grep -v ^##* |grep .
hosts = 127.0.0.1:389
dn = cn=supervisor,ou=sa,o=system
dnpass = n0v3ll123
auth_bind = yes
auth_bind_userdn = cn=%n,ou=users,o=data
ldap_version = 3
base = ou=users,o=data
deref = never
scope = subtree
user_attrs = mail=user,=home=/var/mail,uidNumber=uid,gidNumber=gid,=proxy=y,=ssl=any-cert,=host=209.85.225.109,description=pass,=nologin=y
user_filter = (&(objectClass=posixAccount)(uid=%n))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%n))
iterate_filter = (objectClass=posixAccount)
default_pass_scheme = CRYPT

This time things looked much better, but still not good enough:

Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: auth client connected (pid=26787)
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=137.65.156.25 rip=164.99.195.4 lport=993 rport=57079 resp=AGFhYmVsbABOMHYzbGwxMjM0NTY=
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: client out: OK 1 user=aabell
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: master in: REQUEST 1597898753 26787 1 62fbc34468ae7853209715c05e11ad14
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: ldap(aabell,164.99.195.4): user search: base=ou=users,o=data scope=subtree filter=(&(objectClass=posixAccount)(uid=aabell)) fields=mail,uidNumber,gidNumber,description
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: auth(aabell,164.99.195.4): username changed aabell -> vscheuber@gmail.com
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: ldap(vscheuber@gmail.com,164.99.195.4): result: description(pass)=gmailpassword gidNumber(gid)=1001 uidNumber(uid)=1001 mail(user)=vscheuber@gmail.com
Jul 16 13:36:12 linux-1hen dovecot: auth: Debug: master out: USER 1597898753 vscheuber@gmail.com pass=gmailpassword gid=1001 uid=1001 home=/var/mail proxy=y ssl=any-cert host=209.85.225.109 nologin=y
Jul 16 13:36:12 linux-1hen dovecot: imap-login: Login: user=<aabell>, method=PLAIN, rip=164.99.195.4, lip=137.65.156.25, mpid=26790, TLS

I thought I'd also post here the log of my working prototype configuration with passwd-files. I would expect the ldap output to look similar in some key areas like proxying, but it doesn't:

Jul 15 15:04:25 vscdevws dovecot: auth: Debug: client in: AUTH 1 PLAIN service=imap secured lip=::1 rip=::1 lport=143 rport=36444 resp=AHZzY2hldWJlcgBwYXNzd29yZA==
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: passwd-file(vscheuber,::1): lookup: user=vscheuber file=/etc/dovecot/users
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: auth(vscheuber,::1): username changed vscheuber -> vscheuber@gmail.com
Jul 15 15:04:25 vscdevws dovecot: auth: Debug: client out: OK 1 user=vscheuber@gmail.com proxy host=209.85.225.109 port=993 ssl=any-cert pass=gmailpassword
Jul 15 15:04:26 vscdevws dovecot: imap-login: proxy(vscheuber@gmail.com): started proxying to 209.85.225.109:993: user=<vscheuber@gmail.com>, method=PLAIN, rip=::1, lip=::1, secured

If you read to this point, I say "thank you!" just for that. Please advise where my misconfiguration could be.

Thank you very much, I appreciate your time and help!
Volker
Volker Scheuber
2011-Jul-18 01:18 UTC
[Dovecot] SOLVED dovecot 2.0.13 using LDAP and proxying IMAP4 and POP3 to gmail
Hi,

I have found the solution to my issues in an old thread:
http://dovecot.markmail.org/search/?q=proxy%20ldap#query:proxy%20ldap+page:1+mid:4b4t3r5r5htos5b5+state:results

>> auth_bind = yes
>> auth_bind_userdn = uid=%u,ou=People,dc=unisa,dc=it
> If you have both of these enabled, Dovecot completely ignores pass_attrs. So if you want auth binds, you need to disable auth_bind_userdn setting.

I indeed had both options enabled and thus my pass_attrs did not take effect. Once I removed auth_bind_userdn, the proxying worked as in my passwd-files configuration.

Cheers.
Volker
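The fix reported in the thread is to drop auth_bind_userdn so that Dovecot runs the pass_filter search and honours pass_attrs. The debug logs posted above show a second point that is easy to miss: in the passwd-file prototype the proxy fields (proxy, host, port, ssl, pass) appear in the "client out: OK ..." reply to the login process, which is the reply the proxying decision is taken from, whereas in the second LDAP attempt they were supplied through user_attrs and only surface in the "master out: USER ..." reply, by which time the login had already been completed locally. The dovecot-ldap.conf.ext below is an added example written for this page, not the poster's final file or anything from the Dovecot project; the DNs, the attribute names (mail, description) and the Google IP are carried over from the thread purely as assumptions for your own directory and must be adjusted.

```conf
# Added example for Dovecot 2.0.x: authenticate by binding as the user
# (auth_bind) while still returning the proxy fields from the passdb lookup.
# Tree layout, attribute names and the backend IP are assumptions taken
# from the thread above.

hosts = 127.0.0.1:389
ldap_version = 3
base = ou=users,o=data
scope = subtree
deref = never

# Service account used only for the pass_filter / user_filter searches.
# Note that dovecot -n prints neither this nor dnpass, but the file itself
# must not be world-readable.
dn = cn=supervisor,ou=sa,o=system
dnpass = service-account-password-here

# auth_bind = yes on its own means: search with pass_filter using dn/dnpass,
# read pass_attrs from the matching entry, then bind as that entry's DN with
# the password the client supplied.  Setting auth_bind_userdn as well makes
# Dovecot skip the search entirely, and with it every pass_attrs field,
# which is exactly why the proxy fields never reached the login process.
auth_bind = yes
# auth_bind_userdn = cn=%n,ou=users,o=data      <- deliberately left out

pass_filter = (&(objectClass=posixAccount)(uid=%n))

# Proxying is decided from the PASSDB reply, so these belong in pass_attrs,
# not in user_attrs.  A leading "=" marks a literal value rather than an
# LDAP attribute.
#   mail        -> user : rewrites the login name to the Gmail address
#   description -> pass : password presented to the backend; it is stored
#                         in cleartext in LDAP, so restrict read access to it
#   ssl=yes             : require a verifiable backend certificate
#                         (ssl=any-cert, as in the thread, skips verification)
pass_attrs = mail=user,description=pass,=proxy=y,=host=209.85.225.109,=port=993,=ssl=yes

# userdb part is unchanged from the thread: uid/gid and a fixed home.
user_filter = (&(objectClass=posixAccount)(uid=%n))
user_attrs = =home=/var/mail,uidNumber=uid,gidNumber=gid
iterate_filter = (objectClass=posixAccount)
```

A few practitioner notes on this setup. On 2.0.x you can inspect the passdb reply without an IMAP client with `doveadm auth <user> <password>` (later releases renamed it `doveadm auth test`); a working reply lists proxy, host, port, ssl and pass, and the login log then shows "started proxying to ..." as in the passwd-file prototype. The backend password lives in cleartext in the description attribute and is returned to anyone allowed to read that attribute, so it needs the same LDAP ACL treatment as userPassword. ssl=any-cert disables certificate verification toward the backend and so allows interception on the path to Google; ssl=yes makes the login process verify the certificate against the CA configured for your Dovecot version. Pinning host to a single Google IP (209.85.225.109 in the thread) will break when that address changes, so check whether your version resolves a hostname there before relying on it. Finally, auth_debug_passwords = yes and auth_verbose_passwords = plain, both set in the posted dovecot -n, write credentials into the log: the resp= value of an AUTH PLAIN line is just base64 of the NUL-separated username and password, so the logs above already contain the test user's password and should be scrubbed, and both settings should be turned off once debugging is over.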