dovecot - Jun 2011 - Dovecot 2 + Director: IMAP+GSSAPI and LMTP-proxying

Hi all,


I have a setup of some nodes running Dovecot 2.0.13 and Postfix 2.5.6
with storage in NFS and authentication happening with PAM. 

Poking around in the wiki, I tried out different possibilities but now
I am stuck -- and are hoping for your (enlightening) comments and tips.

My planned setup for IMAP and LMTP is like this:


IMAP
===
1. A loadbalancer directs new sessions to a Dovecot-Director instance;
   this extra amount of traffic routing is mostly done for automatic 
   handling in case of a failing Director node; this works fine, the
   same IP will end always on the same backend, but user-based Directory
   proxying seems more appropriate, especially taking the NFS-setup and
   the delivery process into account

2. Then the  Director decides where to direct the user's session; this 
   works fine when I let the backend servers do the authentication work

3. The backend Dovecot server will happily provide the user's e-mail


For now my section for the passdb in the Director instance is

passdb {
  driver = static
  args = proxy=y nopassword=y
}

So the backend will do the authentication of the session. But this setup
inhibits using Kerberos, as the TGT is not forwarded to the backend
server.

I would very much like to provide GSSAPI/Kerberos authentication, which
already works fine with the backend servers being directly connected by
mail clients. The backend servers are using the PAM driver.

I could not figure out, how to setup the passdb entry for the director
instance to use PAM (this way enabling GSSAPI/Kerberos) and also giving
back the necessary "proxy=y" to make director proxying the IMAP
session.

Is this setup feasible at all?



LMTP
===
1. Postfix accepts incoming e-mail and decides, which e-mail will go
   the LMTP-way to be deliverd into a Dovecot mailbox with something
   like

   virtual_transport = lmtp:inet:DOVECOT-DIRECTORS-IP:LMTP-PORT-ABC

2. the Dovecot Director instance accepts the LMTP connections and
   will proxy this to the appropriate==user's current backend server


For now Postfix delivers e-mails using LMTP to the _backend_ w/o 
proxying and everything like SIEVE-filtering works fine:

virtual_transport = lmtp:inet:DOVECOT-BACKENDS-IP:LMTP-PORT-XYZ


But when I use the Director's IP/Port combination for LMTP, I see
an error "554 5.4.6 <the at addr.ess> Proxying loops to itself".

Where may I specify the port number of the backend server's
LMTP-port? I suspect that the missing port number implies that
the receiving LMTP-backend server uses the same port and so
this would lead to a loop, hence the loop error?!

I browsed the Wiki and the archives but still cannot find the
information I am looking for.


Any hints on that? 


Cheers,
Dirk


And here's the director.conf (via doveconf -n):

# 2.0.13: /dovecot/code/etc/dovecot-director/director.conf
# OS: SunOS 5.10 sun4v
auth_debug = yes
auth_verbose = yes
base_dir = /var/run/director/
debug_log_path = /var/adm/dovecot-director.debug
director_mail_servers = <LOCAL-BACKEND-IP>
director_servers = <PUBLIC-DIRECTOR-IP>
lmtp_proxy = yes
login_greeting = Dovecot Director ready.
mail_debug = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date

passdb {
  args = proxy=y nopassword=y
  driver = static
}

protocols = imap lmtp

service auth-worker {
  user = root
}

service auth {
  client_limit = 6000
  unix_listener auth-userdb {
    mode = 0644
    user = vmail
  }
}

service director {
  fifo_listener login/proxy-notify {
    mode = 0666
  }
  inet_listener {
    port = 9090
  }
  unix_listener director-userdb {
    mode = 0600
  }
  unix_listener login/director {
    mode = 0666
  }
}

service imap-login {
  executable = imap-login director
  inet_listener imap {
    port = 10143
  }
  inet_listener imaps {
    port = 10993
    ssl = yes
  }
  process_min_avail = 1
}

service imap {
  process_limit = 1024
}

service lmtp {
  inet_listener lmtp {
    address = <LOCAL-DIRECTOR-IP>
    port = 24242
  }
}

ssl_cert = </dovecot/code/dovecot-homedir/dovecot.crt
ssl_key = </dovecot/code/dovecot-homedir/dovecot.key

syslog_facility = local0

protocol lmtp {
  auth_socket_path = director-userdb
}




--
Dirk Jahnke-Zumbusch              Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics              Member of the Helmholtz Association
D-22603 Hamburg                        Notkestrasse 85  / 22607 Hamburg
T: +49-40-899.81760   F: +49-40-899.41760  dirk.jahnke-zumbusch at desy.de

Hi again,

minutes after posting I found something for my LMTP-question:
> Where may I specify the port number of the backend server's
> LMTP-port? I suspect that the missing port number implies that
> the receiving LMTP-backend server uses the same port and so
> this would lead to a loop, hence the loop error?!
Just add "port=<backends LMTP port number>" in the passdb
section like:

passdb {
  args = proxy=y nopassword=y port=25252
  driver = static
}

So I am worrying about the IMAP+GSSAPI part...

Cheers,
Dirk

--
Dirk Jahnke-Zumbusch              Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics              Member of the Helmholtz Association
D-22603 Hamburg                        Notkestrasse 85  / 22607 Hamburg
T: +49-40-899.81760   F: +49-40-899.41760  dirk.jahnke-zumbusch at desy.de

On Wed, 2011-06-01 at 11:25 +0200, Jahnke-Zumbusch, Dirk wrote:
> For now my section for the passdb in the Director instance is
> 
> passdb {
>   driver = static
>   args = proxy=y nopassword=y
> }
> 
> So the backend will do the authentication of the session. But this setup
> inhibits using Kerberos, as the TGT is not forwarded to the backend
> server.
Right..
> I would very much like to provide GSSAPI/Kerberos authentication, which
> already works fine with the backend servers being directly connected by
> mail clients. The backend servers are using the PAM driver.
> 
> I could not figure out, how to setup the passdb entry for the director
> instance to use PAM (this way enabling GSSAPI/Kerberos) and also giving
> back the necessary "proxy=y" to make director proxying the IMAP
session.
PAM doesn't enable clients to use GSSAPI/Kerberos authentication. The
client would still be doing a plaintext user+password authentication. So
I don't think using PAM+Kerberos on director is useful for anything.

For real Kerberos auth you'd need to use Dovecot's own GSSAPI
authentication. But yeah, there's currently no way to return proxy=y
from GSSAPI either, because it doesn't use any passdb..