While toying around with Doveadm HTTP API I noticed there is not much
hype around it. Let's change that.

Doveadm REST API so to speak provides a web server. When doing /ajax/
requests, modern browsers block that, unless the response comes with a
specific CORS header.

Here is how to work around it with a proxy:

> # /etc/dovecot/local.conf
> doveadm_allowed_commands = fetch
> doveadm_api_key = secret
> service doveadm {
>   inet_listener http {
>     port = 8084
>   }
> }
> # secret64 = echo -n secret | base64
> # /etc/apache/.../some-site.conf
> ProxyVia Block
> <Location /doveadm/v1>
>   RequestHeader set Authorization "X-Dovecot-API secret64"
>   ProxyPass http://localhost:8084/doveadm/v1 retry=0 timeout=5
>   ProxyPassReverse http://localhost:8084/doveadm/v1
> </Location>

Intranet only, this might be good enough; TLS with username/password
Basic-Authentication passthrough might be used for better security.

Shameless plug: taken from
https://gist.github.com/hungerburg/00d582bf1a6bf3c622797bf5e759f75b

--
peter
> On 13/12/2019 21:28 Peter Chiochetti <pch at myzel.net> wrote:
>
>
> While toying around with Doveadm HTTP API I noticed there is not much
> hype around it. Let's change that.
>
> Doveadm REST API so to speak provides a web server. When doing /ajax/
> requests, modern browsers block that, unless the response comes with a
> specific CORS header.
>
> Here is how to work around it with a proxy:
>
> > # /etc/dovecot/local.conf
> > doveadm_allowed_commands = fetch
> > doveadm_api_key = secret
> > service doveadm {
> >   inet_listener http {
> >     port = 8084
> >   }
> > }
> > # secret64 = echo -n secret | base64
> > # /etc/apache/.../some-site.conf
> > ProxyVia Block
> > <Location /doveadm/v1>
> >   RequestHeader set Authorization "X-Dovecot-API secret64"
> >   ProxyPass http://localhost:8084/doveadm/v1 retry=0 timeout=5
> >   ProxyPassReverse http://localhost:8084/doveadm/v1
> > </Location>
>
> Intranet only, this might be good enough; TLS with username/password
> Basic-Authentication passthrough might be used for better security.
>
> Shameless plug: taken from
> https://gist.github.com/hungerburg/00d582bf1a6bf3c622797bf5e759f75b
>
> --
> peter

Hi!

doveadm HTTP API is not intended to be exposed to an untrusted network. Never do that. =)

Aki
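
A tightened variant of the configuration posted in this thread, as an added example that is not part of either message or of the Dovecot documentation: the listener is bound to loopback and the proxy location authenticates callers itself before it attaches the API key. The htpasswd path, the 192.0.2.0/24 subnet and the realm name are placeholders, and the Apache block is assumed to sit inside a TLS virtual host with mod_headers, mod_proxy_http and mod_auth_basic loaded.

```conf
# /etc/dovecot/local.conf
doveadm_allowed_commands = fetch
doveadm_api_key = secret
service doveadm {
  inet_listener http {
    # Bind to loopback so only the local proxy can reach the API;
    # without "address" the listener follows the global "listen" setting.
    address = 127.0.0.1
    port = 8084
  }
}

# secret64 = echo -n secret | base64
# /etc/apache/.../some-site.conf
ProxyVia Block
<Location /doveadm/v1>
  # Authenticate the caller here: the proxy adds the API key on its own,
  # so without this any client that reaches the Location can call doveadm.
  AuthType Basic
  AuthName "doveadm"
  AuthBasicProvider file
  # Placeholder path; create the file with htpasswd.
  AuthUserFile /path/to/doveadm.htpasswd
  <RequireAll>
    # Placeholder management subnet; both conditions must hold.
    Require ip 192.0.2.0/24
    Require valid-user
  </RequireAll>
  # Runs after authentication and replaces the caller's Basic header
  # with the API key before the request is forwarded.
  RequestHeader set Authorization "X-Dovecot-API secret64"
  # 127.0.0.1 rather than localhost, to match the loopback bind above.
  ProxyPass http://127.0.0.1:8084/doveadm/v1 retry=0 timeout=5
  ProxyPassReverse http://127.0.0.1:8084/doveadm/v1
</Location>
```

A request to /doveadm/v1 without credentials, or from outside the allowed subnet, should now be rejected by Apache with 401 or 403 before anything is proxied.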