Evgeny Basov
2013-Feb-19 08:39 UTC
[Dovecot] Dovecot 2.2. proxy_maybe and twice SSL connections
Hello.

1. I have two identical hosts.
2. I have set up replication between the two hosts.
3. I have

       'Y' AS proxy_maybe

   in password_query.
4. password_query returns one of these hosts.
5. I set these parameters in the dovecot config:

       disable_plaintext_auth = yes
       ssl = yes
       auth_mechanisms = plain login

   to enforce the use of encrypted connections by client programs.

When the client connects to host imap2 directly, the connection is encrypted, which is good.

    | client | ---- (1) ----> |imap2 (proxy_maybe='y', host = imap2)|

And when the client connects to the other host, both connections (1) and (2) are encrypted:

    | client | ---- (1) ----> |imap1 (proxy_maybe='y', host = imap2)| ---- (2) ----> |imap2|

but I need only (1). How do I get the desired behavior? Is it possible?
Timo Sirainen
2013-Feb-19 08:54 UTC
[Dovecot] Dovecot 2.2. proxy_maybe and twice SSL connections
On Tue, 2013-02-19 at 12:39 +0400, Evgeny Basov wrote:
> Hello.
>
> 1. I have two identical hosts
> 2. I have set up replication between the two hosts
> 3. I have
>
> 'Y' AS proxy_maybe
>
> in password_query.
> 4. password_query returns one of these hosts

So the user typically goes to the same server, but on failures the query could return another host?

BTW. I'm hoping that at some point in the future it would be enough to just set up two A records in DNS and the client would connect automatically to the first one that works.

> 5. I set these parameters in the dovecot config:
>
> disable_plaintext_auth = yes
> ssl = yes
> auth_mechanisms = plain login
>
> to enforce the use of encrypted connections by client programs.
>
>
> When the client connects to host imap2 directly, the connection is
> encrypted, which is good.
>
> | client | ---- (1) ----> |imap2 (proxy_maybe='y', host = imap2)|
>
> And when the client connects to the other host, both connections (1) and (2)
> are encrypted
>
> | client | ---- (1) ----> |imap1 (proxy_maybe='y', host = imap2)| ----
> (2) ----> |imap2|
>
> but I need only (1).
>
> How do I get the desired behavior? Is it possible?

Set login_trusted_networks so both servers trust each other. SSL isn't required then. Also the client's real IP address gets proxied to logs/etc then.
Evgeny Basov
2013-Feb-19 09:06 UTC
[Dovecot] Dovecot 2.2. proxy_maybe and twice SSL connections
On 19.02.2013 12:54, Timo Sirainen wrote:
> Set login_trusted_networks so both servers trust each other.

Oh, it's so simple. Big thanks!
Ben Morrow
2013-Feb-19 10:17 UTC
[Dovecot] Dovecot 2.2. proxy_maybe and twice SSL connections
At 12PM +0400 on 19/02/13 you (Evgeny Basov) wrote:
>
> 5. I set these parameters in the dovecot config:
>
> disable_plaintext_auth = yes
> ssl = yes
> auth_mechanisms = plain login

<snip>

> And when the client connects to the other host, both connections (1) and (2)
> are encrypted
>
> | client | ---- (1) ----> |imap1 (proxy_maybe='y', host = imap2)| ----
> (2) ----> |imap2|
>
> but I need only (1).

That's not a good idea. SSL is not very much overhead, and trusting your internal networks to the point of having plaintext passwords going over the wire is not very safe.

Ben
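The two configurations discussed in the thread, written out as an added example (this is not configuration from the original posts, and not Dovecot's shipped defaults): variant A is Timo's suggestion, where each server lists the other in login_trusted_networks and hop (2) between imap1 and imap2 is plaintext; variant B is what Ben's objection leads to, where the passdb also returns a starttls extra field so the proxy hop stays encrypted. The host names imap1/imap2 and the proxy_maybe/host columns come from the thread; the 10.0.0.0/24 network, the users table layout and the file names are assumed.

```conf
# --- /etc/dovecot/dovecot.conf, identical on imap1 and imap2 ---
# (added example; the network range below is assumed)

disable_plaintext_auth = yes
ssl = yes
auth_mechanisms = plain login

passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# Variant A (Timo): trust the peer server's address.
# Connections from these networks may override the client IP/port
# (Dovecot's proxy sends them in the IMAP ID command), so logs on the
# backend show the real client. disable_plaintext_auth is also ignored
# for these networks, which is why hop (2) can then be plaintext. Anyone
# able to sniff 10.0.0.0/24 sees the forwarded password.
login_trusted_networks = 10.0.0.0/24

# --- /etc/dovecot/dovecot-sql.conf.ext ---
# The users table with columns userid, password, host is assumed.
# proxy_maybe='Y' means: proxy to `host` unless that is this server.

# Variant A: no TLS field, the proxy connects to `host` in plaintext.
password_query = \
  SELECT password, 'Y' AS proxy_maybe, host \
  FROM users WHERE userid = '%u'

# Variant B (Ben): same query plus a starttls field. The proxy issues
# STARTTLS on the normal port before logging in, so hop (2) is encrypted
# and the backend accepts the PLAIN login even without trusted networks.
# 'any-cert' skips certificate verification; switch to 'yes' once the
# backend certificate chains to ssl_client_ca_dir / ssl_client_ca_file.
# login_trusted_networks may still be kept for the real-client-IP logging;
# it is no longer what makes the login acceptable.
password_query = \
  SELECT password, 'Y' AS proxy_maybe, host, 'any-cert' AS starttls \
  FROM users WHERE userid = '%u'
```

Only one password_query can be active; the two are shown in one file so the difference is visible side by side. The trade-off is exactly the one in the thread: variant A removes the second TLS handshake, variant B keeps it and keeps the user's password off the wire between the two hosts.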