I just committed a couple of features that will make life easier for some types of proxying setups:

1. IMAP proxying has already for a while supported sending local/remote IP/port to the backend server, which can use it for logging and other purposes. I've now implemented this for POP3 as well, although only the remote IP/port is forwarded, not the local IP/port. I implemented this also for LMTP in the v2.2 tree, but haven't bothered to backport that change. Both POP3 and LMTP use the XCLIENT command, which is compatible with Postfix's (XCLIENT ADDR=1.2.3.4 PORT=110).

2. proxy_maybe=yes + host=host.example.com actually works now. As long as the host.example.com DNS lookup returns one IP that belongs to the current server, the proxying is skipped.

3. auth_proxy_self = 1.2.3.4 setting means that if proxy_maybe=yes and host=1.2.3.4, then Dovecot assumes that this is a local login and won't proxy it, even if 1.2.3.4 isn't the actual local IP. This can be helpful if the host field contains the load balancer's IP address instead of the server's. You can add more than one IP (space separated), and of course everything related to this works just as well with hostnames as with IPs (even when a hostname expands to multiple IPs).
On 25.2.2012, at 5.54, Timo Sirainen wrote:

> I just committed a couple of features that will make life easier for some types of proxying setups:

Oh, and:

4. Added proxy_always=y passdb field. When used with proxy_maybe=y you can create a setup where the connections are proxied to either

 * when the user's host matches locally, director assigns a local backend's host for the connection
 * when the user's host doesn't match locally, Dovecot connects to that host

So basically you can have a bunch of Dovecot cluster installations behind different load balancer IPs, and have all of the Dovecot proxies redirect the connection to the proper cluster's load balancer, or if it's for a local cluster then redirect to one of the backends.

5. Currently in v2.2 only, could be backported if needed: Added a TTL for the proxy connections, so in case two clusters both think the other one should be handling the connection, they won't end up creating thousands of connections to each other until finally failing when login process limits are reached. The hard coded TTL is 5, which should be more than enough.
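As an added illustration (not Dovecot's own code, and not part of the thread), here is a small model of the proxy_maybe / auth_proxy_self / proxy_always decision described in points 2 to 4 above. DNS resolution is replaced by a constructed lookup table, the local-match rule is taken as "any IP the host field resolves to is local", and the return values ("local", "proxy", "director") are names chosen here, not Dovecot's.

```python
"""Illustrative model of Dovecot's proxy_maybe decision rules, as described
in the post: a host that resolves to a local IP (or to an auth_proxy_self IP)
is treated as a local login; proxy_always forces proxying even then, with
the director picking a local backend. Not Dovecot's actual implementation."""
from dataclasses import dataclass, field

# Constructed stand-in for DNS: hostname -> IPs it resolves to.
DNS = {
    "host.example.com": ["10.0.0.5"],
    "lb.cluster-b.example.com": ["192.0.2.10", "192.0.2.11"],
}


def resolve(host):
    """All IPs a passdb 'host' value expands to; IP literals resolve to themselves."""
    return DNS.get(host, [host])


@dataclass
class ProxyConfig:
    local_ips: set                                       # IPs actually bound on this server
    auth_proxy_self: set = field(default_factory=set)    # 'auth_proxy_self' entries, pre-split on spaces


def is_local(cfg, host):
    """True if any IP behind 'host' is this server or is listed in auth_proxy_self.
    Assumption: hostnames in auth_proxy_self are expanded the same way as 'host'."""
    considered_local = cfg.local_ips | {ip for h in cfg.auth_proxy_self for ip in resolve(h)}
    return any(ip in considered_local for ip in resolve(host))


def decide(cfg, passdb):
    """Return ('local', None), ('proxy', host) or ('director', None) for one passdb result."""
    host = passdb.get("host")
    proxy = passdb.get("proxy", "n") == "y"
    proxy_maybe = passdb.get("proxy_maybe", "n") == "y"
    proxy_always = passdb.get("proxy_always", "n") == "y"
    if proxy:
        return ("proxy", host)              # unconditional proxying, host may be None (error case)
    if not proxy_maybe or host is None:
        return ("local", None)              # nothing asked for proxying
    if is_local(cfg, host):
        # proxy_always: a local match is still proxied, to a backend chosen by the director
        return ("director", None) if proxy_always else ("local", None)
    return ("proxy", host)                  # remote cluster: connect to its load balancer


if __name__ == "__main__":
    cfg = ProxyConfig(local_ips={"10.0.0.5"}, auth_proxy_self={"198.51.100.1"})
    print(decide(cfg, {"proxy_maybe": "y", "host": "host.example.com"}))
    print(decide(cfg, {"proxy_maybe": "y", "proxy_always": "y", "host": "198.51.100.1"}))
```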