> btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do
> this for you too.

I want to do authentication using the IP that the IMAP client used to connect to
the IMAP server. That is, I have 50 IPs, one for each state my users live in, so
the users can only connect to the IMAP server using the domain name where their
account is hosted (e.g., va.example.com for accounts in Virginia or
ca.example.com for accounts in California). I figured it was fairly simple to
have NGINX listen on the different IPs for the different IMAP servers and do the
authentication based on the server IP that was used by the IMAP client and then
route the request to the proper Dovecot backend.

I actually plan on using HAProxy to listen on each of the IPs and then proxy to
an NGINX mail proxy listening on different ports (one for each proxied IP).
NGINX would then have mail server sections for each port that invokes a PHP
script passing in the domain name associated with the port (e.g.,
va.example.com). The PHP script would then use this domain name
along with the user/password supplied by the mail client to do the auth check
and backend dovecot server selection.

The only problem I see with using HAProxy and NGINX mail proxy is I think I will
lose the client IP so the Dovecot logs won't show this IP.

Can I use Dovecot Proxy to do the same thing? Will it use 50 threads to listen
on the different IPs/ports or will it only have a small set of workers to do the
proxying (like NGINX)?

Basically, I couldn't figure out how to use Dovecot Proxy to do authentication
based on the incoming IP/port or I would use it as the Dovecot Proxy will
preserve the client IPs in the logs.

Even though I'm starting with 50 IPs for state-based mail servers without having
to run 50 Dovecot servers, I will eventually have over 100 region-based IPs so I
need the mail server to scale easily starting with only 1 or 2 backend mail
servers and scaling gradually to many hundreds of servers.

Any thoughts on how to do this with Dovecot Proxy?

Kevin

> On Jun 3, 2016, at 4:27 AM, Sami Ketola <sami.ketola at dovecot.fi> wrote:
>
>>
>> On 02 Jun 2016, at 23:07, KT Walrus <kevin at my.walr.us> wrote:
>>
>> I'm trying to understand how the nginx mail proxy and dovecot work.
>>
>> As I understand it, nginx can listen on an IP:port for IMAP
>> connections. NGINX then can invoke a PHP script to do authorization and
>> backend server selection.
>>
>> Does NGINX then proxy to the backend dovecot IMAP server all subsequent
>> IMAP commands that the user's mail client requests?
>>
>> Does the backend dovecot IMAP server do its own authentication with
>> another MySQL password lookup? Or, since NGINX has done the authentication,
>> the password_query lookup is skipped on the dovecot server? I assume the
>> dovecot IMAP server still needs to do a MySQL user_query lookup (to find the
>> location of the user's mailbox on the server), but I am wondering whether the
>> password will be checked twice, once by NGINX and a second time by dovecot
>> IMAP.
>
> Hi,
>
> you can always skip password check on dovecot side with static passdb that
> accepts all passwords if you are absolutely sure that the session has been
> authenticated earlier. Also you could switch the session from using user
> password to using a master password at the proxy if NGINX supports this.
>
> btw, what is the reason for NGINX proxy anyway? Since dovecot proxy can do
> this for you too.
>
> Sami
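
The auth check and backend selection described in the message above (a script that gets the listener's domain name plus the client's user/password from the NGINX mail proxy), as an added example in Python rather than PHP; it is not code from this thread. The `X-Listener-Domain` header (assumed to be set per server block with `auth_http_header`), the accounts, and the backend addresses are constructed for illustration.

```python
import hashlib
import hmac

def _hash(password, salt):
    # Salted PBKDF2 so the sample store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: accounts are keyed by (listener domain, user), so
# an account only exists on the domain where it is hosted.
ACCOUNTS = {
    ("va.example.com", "alice"): (b"salt-va-alice", _hash("correct horse", b"salt-va-alice")),
    ("ca.example.com", "bob"): (b"salt-ca-bob", _hash("battery staple", b"salt-ca-bob")),
}
# Constructed backends. nginx expects Auth-Server to be an IP address.
BACKENDS = {
    "va.example.com": ("10.0.0.11", "143"),
    "ca.example.com": ("10.0.0.12", "143"),
}
# Hashed for unknown users too, so lookups take similar time either way.
DUMMY = (b"dummy-salt", _hash("dummy", b"dummy-salt"))

def auth_http(headers):
    """Map nginx auth_http request headers to the response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    domain = h.get("x-listener-domain", "")  # hypothetical header name
    user = h.get("auth-user", "")
    password = h.get("auth-pass", "")
    # Same message for every failure; Auth-Wait delays the client's retry.
    fail = {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    if h.get("auth-protocol") != "imap" or domain not in BACKENDS:
        return fail
    known = (domain, user) in ACCOUNTS
    salt, stored = ACCOUNTS.get((domain, user), DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if not (known and matches):
        return fail
    host, port = BACKENDS[domain]
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": port}
```

If the backend Dovecot is configured to accept any password, as the quoted reply suggests, this check is the only one in the path, so the backend IMAP port should be reachable only from the proxy.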