Jahnke-Zumbusch, Dirk
2011-Jun-01 09:25 UTC
[Dovecot] Dovecot 2 + Director: IMAP+GSSAPI and LMTP-proxying
Hi all,

I have a setup of some nodes running Dovecot 2.0.13 and Postfix 2.5.6 with storage in NFS and authentication happening with PAM. Poking around in the wiki, I tried out different possibilities but now I am stuck -- and am hoping for your (enlightening) comments and tips.

My planned setup for IMAP and LMTP is like this:

IMAP
===

1. A loadbalancer directs new sessions to a Dovecot Director instance; this extra amount of traffic routing is mostly done for automatic handling in case of a failing Director node. This works fine: the same IP will always end on the same backend, but user-based Director proxying seems more appropriate, especially taking the NFS setup and the delivery process into account.

2. Then the Director decides where to direct the user's session; this works fine when I let the backend servers do the authentication work.

3. The backend Dovecot server will happily provide the user's e-mail.

For now my section for the passdb in the Director instance is

    passdb {
      driver = static
      args = proxy=y nopassword=y
    }

So the backend will do the authentication of the session. But this setup inhibits using Kerberos, as the TGT is not forwarded to the backend server.

I would very much like to provide GSSAPI/Kerberos authentication, which already works fine with the backend servers being directly connected by mail clients. The backend servers are using the PAM driver.

I could not figure out how to set up the passdb entry for the director instance to use PAM (this way enabling GSSAPI/Kerberos) and also give back the necessary "proxy=y" to make director proxy the IMAP session. Is this setup feasible at all?

LMTP
===

1. Postfix accepts incoming e-mail and decides which e-mail will go the LMTP way to be delivered into a Dovecot mailbox, with something like

    virtual_transport = lmtp:inet:DOVECOT-DIRECTORS-IP:LMTP-PORT-ABC

2. The Dovecot Director instance accepts the LMTP connections and will proxy them to the appropriate backend server, i.e. the user's current one.

For now Postfix delivers e-mails using LMTP to the _backend_ w/o proxying and everything like SIEVE filtering works fine:

    virtual_transport = lmtp:inet:DOVECOT-BACKENDS-IP:LMTP-PORT-XYZ

But when I use the Director's IP/port combination for LMTP, I see an error "554 5.4.6 <the at addr.ess> Proxying loops to itself".

Where may I specify the port number of the backend server's LMTP port? I suspect that the missing port number implies that the receiving LMTP backend server uses the same port and so this would lead to a loop, hence the loop error?!

I browsed the Wiki and the archives but still cannot find the information I am looking for. Any hints on that?

Cheers,
Dirk

And here's the director.conf (via doveconf -n):

    # 2.0.13: /dovecot/code/etc/dovecot-director/director.conf
    # OS: SunOS 5.10 sun4v
    auth_debug = yes
    auth_verbose = yes
    base_dir = /var/run/director/
    debug_log_path = /var/adm/dovecot-director.debug
    director_mail_servers = <LOCAL-BACKEND-IP>
    director_servers = <PUBLIC-DIRECTOR-IP>
    lmtp_proxy = yes
    login_greeting = Dovecot Director ready.
    mail_debug = yes
    managesieve_notify_capability = mailto
    managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date
    passdb {
      args = proxy=y nopassword=y
      driver = static
    }
    protocols = imap lmtp
    service auth-worker {
      user = root
    }
    service auth {
      client_limit = 6000
      unix_listener auth-userdb {
        mode = 0644
        user = vmail
      }
    }
    service director {
      fifo_listener login/proxy-notify {
        mode = 0666
      }
      inet_listener {
        port = 9090
      }
      unix_listener director-userdb {
        mode = 0600
      }
      unix_listener login/director {
        mode = 0666
      }
    }
    service imap-login {
      executable = imap-login director
      inet_listener imap {
        port = 10143
      }
      inet_listener imaps {
        port = 10993
        ssl = yes
      }
      process_min_avail = 1
    }
    service imap {
      process_limit = 1024
    }
    service lmtp {
      inet_listener lmtp {
        address = <LOCAL-DIRECTOR-IP>
        port = 24242
      }
    }
    ssl_cert = </dovecot/code/dovecot-homedir/dovecot.crt
    ssl_key = </dovecot/code/dovecot-homedir/dovecot.key
    syslog_facility = local0
    protocol lmtp {
      auth_socket_path = director-userdb
    }

-- 
Dirk Jahnke-Zumbusch
Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics
Member of the Helmholtz Association
D-22603 Hamburg
Notkestrasse 85 / 22607 Hamburg
T: +49-40-899.81760
F: +49-40-899.41760
dirk.jahnke-zumbusch at desy.de
Dirk Jahnke-Zumbusch
2011-Jun-01 10:04 UTC
[Dovecot] Dovecot 2 + Director: IMAP+GSSAPI and LMTP-proxying
Hi again,

minutes after posting I found something for my LMTP question:

> Where may I specify the port number of the backend server's
> LMTP port? I suspect that the missing port number implies that
> the receiving LMTP backend server uses the same port and so
> this would lead to a loop, hence the loop error?!

Just add "port=<backend's LMTP port number>" in the passdb section like:

    passdb {
      args = proxy=y nopassword=y port=25252
      driver = static
    }

So I am worrying about the IMAP+GSSAPI part...

Cheers,
Dirk
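Added example, not from the thread or from the Dovecot project: a small Python check that parses doveconf -n style text and flags the configuration that produced the "Proxying loops to itself" error above (lmtp_proxy on, static passdb with proxy=y but no port=, so the director proxies to the backend on the same port its own LMTP listener uses). The sample config is constructed, modelled on the director.conf posted above with its placeholder IPs kept.

```python
# Constructed sample of `doveconf -n` output (placeholder IPs as in the post).
DIRECTOR_CONF = """\
lmtp_proxy = yes
passdb {
  args = proxy=y nopassword=y
  driver = static
}
service lmtp {
  inet_listener lmtp {
    address = <LOCAL-DIRECTOR-IP>
    port = 24242
  }
}
"""

def parse_doveconf(text):
    """Parse doveconf -n style text into nested dicts: 'name {' opens a
    section, '}' closes it, 'key = value' sets a key in the current one."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        elif "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return root

def static_passdb_args(conf):
    """Split the static passdb 'args' line (proxy=y nopassword=y port=N ...)
    into a dict; bare flags without '=' map to True."""
    out = {}
    for tok in conf.get("passdb", {}).get("args", "").split():
        k, sep, v = tok.partition("=")
        out[k] = v if sep else True
    return out

def lmtp_proxy_loop_risk(conf):
    """True when LMTP proxying is enabled and the passdb returns proxy=y
    without a backend port, the combination that looped in the thread."""
    if conf.get("lmtp_proxy") != "yes":
        return False
    args = static_passdb_args(conf)
    return args.get("proxy") == "y" and "port" not in args
```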
Timo Sirainen
2011-Jun-03 12:22 UTC
[Dovecot] Dovecot 2 + Director: IMAP+GSSAPI and LMTP-proxying
On Wed, 2011-06-01 at 11:25 +0200, Jahnke-Zumbusch, Dirk wrote:

> For now my section for the passdb in the Director instance is
>
>     passdb {
>       driver = static
>       args = proxy=y nopassword=y
>     }
>
> So the backend will do the authentication of the session. But this setup
> inhibits using Kerberos, as the TGT is not forwarded to the backend
> server.

Right..

> I would very much like to provide GSSAPI/Kerberos authentication, which
> already works fine with the backend servers being directly connected by
> mail clients. The backend servers are using the PAM driver.
>
> I could not figure out how to set up the passdb entry for the director
> instance to use PAM (this way enabling GSSAPI/Kerberos) and also give
> back the necessary "proxy=y" to make director proxy the IMAP session.

PAM doesn't enable clients to use GSSAPI/Kerberos authentication. The client would still be doing a plaintext user+password authentication. So I don't think using PAM+Kerberos on director is useful for anything.

For real Kerberos auth you'd need to use Dovecot's own GSSAPI authentication. But yeah, there's currently no way to return proxy=y from GSSAPI either, because it doesn't use any passdb..