dovecot - Sep 2010 - Specify auth service for protocols

Hi all,

I'm building a mail system where two machines are functioning both as
POP3/IMAP-proxy (using dovecot 1.2.12) and SMTP-server with
authentication for outgoing mail. The SMTP-server is postfix with
dovecot SASL as authentication backend. User credentials for SMTP auth
as well as the mapping from account to final server for the proxy is
stored in a MySQL-database which dovecot queries.

As I want the POP3/IMAP-proxy to accept any username and password (as
the final POP3/IMAP server takes care of the authentication) the passdb
SQL query has the statements "NULL AS password, 'Y' AS nopassword,
'Y'
AS proxy" added to the query. 

As these additions cannot be used in the SQL query for the auth service
used by postfix (as users would be able to authenticate with any
password) I have defined a second auth service (auth postfix { ... }) in
dovecot.conf which is slightly different; it returns the password hash
instead of NULL as password and skips the proxy and nopasswd part.

This works fine on one server, but on the other one the auth services
get mixed up and the service defined for postfix (missing password and
proxy stuff) is used by the POP3 and IMAP services and vice versa, which
breaks the proxying. I've been trying my best to find any difference
between the configuration of the two machines, but without result. The
configurations are simply copies of each other.

So, to finally arrive at my question: Is there any way to specify which
authentication service is to be used by each protocol in dovecot.conf?

Or is the solution instead to rewrite the passdb-query to take the
service into account and return 'Y' AS proxy when the service is postfix
and 'N' AS proxy when the service is POP3 or IMAP as I then would be
able to use only one authentication backend?

Sorry for the lengthy post and thank you in advance!

Regards,
Lukas Garberg

On Mon, 2010-09-06 at 16:42 +0200, Lukas Garberg wrote:
> As these additions cannot be used in the SQL query for the auth service
> used by postfix (as users would be able to authenticate with any
> password) I have defined a second auth service (auth postfix { ... }) in
> dovecot.conf which is slightly different; it returns the password hash
> instead of NULL as password and skips the proxy and nopasswd part.
That won't work. It's pretty much random how it'll behave.
> This works fine on one server, but on the other one the auth services
> get mixed up and the service defined for postfix (missing password and
> proxy stuff) is used by the POP3 and IMAP services and vice versa, which
> breaks the proxying. I've been trying my best to find any difference
> between the configuration of the two machines, but without result. The
> configurations are simply copies of each other.
Yeah, it's not even supposed to work the way you want it to work.
> So, to finally arrive at my question: Is there any way to specify which
> authentication service is to be used by each protocol in dovecot.conf?
With v2.0 you can just put the wanted passdbs into protocol imap/smtp {}
sections. With v1.2 you can't do anything like that.
> Or is the solution instead to rewrite the passdb-query to take the
> service into account and return 'Y' AS proxy when the service is
postfix
> and 'N' AS proxy when the service is POP3 or IMAP as I then would
be
> able to use only one authentication backend?
Yes, that's the only working way with v1.2. Perhaps even something like:

select ..proxy.. where '%s' != 'smtp' and ..etc..
union all
select ..auth.. where '%s' = 'smtp' and ..etc..