Hi Folks,
I spent quite some time yesterday understanding how proxy works along with the
director. I came to the conclusion that proxy_maybe and director cannot be used
together, but this isn't a true incompatibility so much as caused by the way
things are handled and the order they are processed in.
The way proxy_maybe works is that it is processed by the auth provider once it
gets the response from the passdb, it checks for proxy_maybe and then checks for
the "host" parameter and compares it to the local IP (this is always null at
that stage, because director won't add host until later). proxy_maybe is
deleted and then if the IPs do not match (i.e. the connection should be proxied)
it sets proxy.
This result is returned from the auth provider and then piped into director,
which adds the relevant "host" parameter if "proxy" is set. The problem here is
that because proxy_maybe is processed before director, it is not possible to
conditionally proxy when using director - only if host is also returned from
passdb. The secondary problem is that director only adds host= if proxy is set
(and the auth code generally assumes proxy/proxy_maybe/proxy_always are
exclusive settings) - this logic would also need to change. You would also need
some logic to add host only if host doesn't already exist, to handle situations
where proxies might come from both passdb and/or director.
I am seeking to understand if there is any significant reason proxy_maybe is
handled during the auth section; it would seem better to simply always set
"proxy=yes", and then optionally have proxy_maybe passed all the way through to
the connection stage and then do the local host check there.
This would solve my use case, and I cannot imagine what else it would break -
but I am no expert on dovecot or other people's use cases, so I am hoping for
feedback from others on this and what else would need to be considered or why
this would not work before I spend time trying to implement the change.
Thanks,
Trent Lloyd
w: www.webinabox.net.au
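
Added example (not part of the original message and not Dovecot source code): a small Python model of the processing order described above, next to the ordering the message proposes. The field names proxy, proxy_maybe and host come from the message; the function names, addresses and user-to-backend table are constructed assumptions.

```python
# Toy model of the ordering described in the message; not Dovecot code.
# Field names come from the message; all other names and values are constructed.
LOCAL_IPS = {"10.0.0.1"}                              # this server's own address
BACKENDS = {"alice": "10.0.0.1", "bob": "10.0.0.2"}   # stand-in for director's mapping


def auth_stage_current(fields):
    """Auth stage: proxy_maybe is resolved before director has supplied a host."""
    out = dict(fields)
    if out.pop("proxy_maybe", None) is not None:
        if out.get("host") not in LOCAL_IPS:   # host is None here, so never local
            out["proxy"] = "yes"
    return out


def director_stage_current(user, fields):
    """Director stage: host is added only when proxy is set."""
    out = dict(fields)
    if "proxy" in out:
        out["host"] = BACKENDS[user]           # assumed: replaces any earlier host
    return out


def login_current(user, passdb_fields):
    return director_stage_current(user, auth_stage_current(passdb_fields))


def login_proposed(user, passdb_fields):
    """Proposed order: carry proxy_maybe through and check once host is known."""
    out = dict(passdb_fields)
    maybe = out.pop("proxy_maybe", None) is not None
    if maybe:
        out["proxy"] = "yes"
    if "proxy" in out and "host" not in out:   # keep a host returned by passdb
        out["host"] = BACKENDS[user]
    if maybe and out.get("host") in LOCAL_IPS:
        del out["proxy"]                       # backend is local: no proxying
    return out
```

In this model the current order marks alice as proxied even though the director maps her to the local address, while the proposed order proxies only bob.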