Hi List, I want to migrate my IMAP-users from an old Courier-IMAP-Server to a new dovecot-Server. The old server supports IMAP without and with TLS. The new one only with TLS. To users should be migrated one by one with changing some client parameters. To leave the servername of the imap server I want to use the dovecot proxy during migration. the proxy uses a sql db to look for the old or new host for every user. So far all works fine. My question is the TLS or noTLS connection from the client to the proxy. How can I make the ssl-parameter user-dependant? clients to the old courier server should work without or with tls through the proxy and clients to the new dovecot server should only work WITH TLS between Client and proxy. (After migration of all clients the proxy should be switched off an all clients connect directly to the dovecot server.) I tried with http://wiki2.dovecot.org/UserDatabase/ExtraFields and returned a field "userdb_ssl" ("required" for host dovecot, "yes" for host courier). But it doesn't work. A migrated user can still login without tls to the proxy and the dovecot backend. Any ideas? Daniel Here is my doveconf -n # 2.1.9: /opt/dovecot/etc/dovecot/dovecot.conf doveconf: Warning: service anvil { client_limit=1000 } is lower than required under max. load (1503) # OS: Linux 2.6.32-279.2.1.el6.x86_64 x86_64 CentOS release 6.3 (Final) auth_mechanisms = plain login default_process_limit = 500 disable_plaintext_auth = no listen = * managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave passdb { args = /opt/dovecot/etc/dovecot/sql.conf driver = sql } protocols = imap pop3 service imap-login { inet_listener imaps { port = 0 } } service pop3-login { inet_listener pop3s { port = 0 } } ssl_cert = </etc/pki/tls/certs/server.crt ssl_key = </etc/pki/tls/private/server.key userdb { driver = prefetch } verbose_proctitle = yes
On 3.9.2012, at 16.32, Daniel Funke wrote:> So far all works fine. My question is the TLS or noTLS connection from the client to the proxy. How can I make the ssl-parameter user-dependant? clients to the old courier server should work without or with tls through the proxy and clients to the new dovecot server should only work WITH TLS between Client and proxy. (After migration of all clients the proxy should be switched off an all clients connect directly to the dovecot server.)You can't. If disable_plaintext_auth=yes or ssl=required, Dovecot fails the login before any passdb or userdb lookup is done.