Situation: one front-facing server running Dovecot as IMAP/POP3/ManageSieve proxy, a mixture of IMAP servers (Dovecot, Exchange, ...) in the back-end. Dovecot's passdb does lookups against MySQL, which contains a simple user/host mapping; the actual authentication happens on the back-end IMAP servers. The configuration is more or less as described here: http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy

Now I would like to add a Postfix instance on the front-facing server which listens on the submission port and authenticates users via SASL using the local Dovecot's UNIX socket. The idea being that a user only needs to remember one single hostname, one username and one password for all mail-related services.

The problem is that Dovecot is operating in proxy mode, which means that the password_query returns NULL as the password and explicitly returns a field "nopasswd" containing "Y". Thus, users can not authenticate against the UNIX socket.

What I think I want to do is convince Dovecot to use one passdb for the imap/pop3/managesieve services and a different one for the "auth" service.
The configuration snippet below doesn't work, but it should illustrate what I want to achieve:

> protocols = imap pop3 sieve
>
> service auth {
>   passdb sql {
>     driver = sql
>     args = /etc/dovecot/mysql-auth-sasl.conf.ext
>   }
>
>   unix_listener /var/spool/postfix/private/auth {
>     user = postfix
>     group = postfix
>     mode = 0666
>   }
> }
>
> # IMAP/POP3/ManageSieve auth against MySQL
> passdb sql {
>   driver = sql
>   args = /etc/dovecot/mysql-auth-default.conf.ext
> }

Example mysql-auth-sasl.conf.ext:

> driver = mysql
> connect = host=127.0.0.1 dbname=mail user=mail password=somethingrandom
> password_query = SELECT password AS password FROM users WHERE login = '%u'

Example mysql-auth-default.conf.ext:

> driver = mysql
> connect = host=127.0.0.1 dbname=mail user=mail password=somethingrandom
> password_query = SELECT NULL AS password, 'Y' AS nopassword, host, 'Y' AS proxy FROM users WHERE login = '%u'

Any pointers?

Gerry
I'm not sure if this would work, but possibly having two separate instances of dovecot with separate configs running may work for you.

http://wiki2.dovecot.org/RunningDovecot

On 08/07/15 11:04, Gerry wrote:
> Situation: one front-facing server running Dovecot as IMAP/POP3/
> ManageSieve proxy, a mixture of IMAP servers (Dovecot, Exchange, ...)
> in the back-end. Dovecot's passdb does lookups against MySQL which
> contains a simple user/host mapping, the actual authentication happens
> on the back-end IMAP servers. The configuration is more or less as
> described here: http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy
>
> Now I would like to add a Postfix instance on the front-facing server
> which listens on the submission port and authenticates users via SASL
> using the local Dovecot's UNIX socket. The idea being that a user only
> needs to remember one single hostname, one username and one password
> for all mail-related services.
>
> The problem is that Dovecot is operating in proxy mode, which means
> that the password_query returns NULL as the password and explicitly
> returns a field "nopasswd" containing "Y". Thus, users can not
> authenticate against the UNIX socket.
>
> What I think I want to do is convince Dovecot to use one passdb for the
> imap/pop3/managesieve services and different one for the "auth" service.
On 08/08/2015 05:57 AM, Edgar Pettijohn wrote:
> I'm not sure if this would work, but possibly having two separate
> instances of dovecot with separate configs running may work for you.
>
> http://wiki2.dovecot.org/RunningDovecot

Hi Edgar,

Thank you for your suggestion. Yes, that would probably work, but it would be rather fiddly to run two Dovecot instances. I was hoping to be able to do it with just one instance.

Gerry
On Fri, 7 Aug 2015, Gerry wrote:
> The problem is that Dovecot is operating in proxy mode, which means
> that the password_query returns NULL as the password and explicitly
> returns a field "nopasswd" containing "Y". Thus, users can not
> authenticate against the UNIX socket.
>
> What I think I want to do is convince Dovecot to use one passdb for the
> imap/pop3/managesieve services and different one for the "auth" service.

As far as I know, all services use the "auth" in the back.

But you have the "%s" / service variable. You should be able to craft a SQL query that returns NULL & nopasswd=Y if postfix is not querying Dovecot.

I don't know which service name postfix passes to Dovecot, though.

-- 
Steffen Kaiser
On 08/10/2015 09:58 AM, Steffen Kaiser wrote:
> As far as I know, all services use the "auth" in the back.
>
> But you have the "%s" / service variable. You should be able to craft a
> SQL query, that returns NULL & nopasswd=Y, if postfix is not querying
> Dovecot.
>
> I don't know, which service name postfix passes to Dovecot, though,

Hmm, that's an interesting idea. I'll explore it further. Thanks!

Gerry
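Steffen's idea, worked through as an added example that is not part of the thread: a single password_query that branches on %s, which Dovecot's sql passdb expands to the service name of the connecting client, so one passdb serves both the proxied IMAP/POP3/ManageSieve logins and the Postfix SASL socket. Postfix's Dovecot SASL client identifies itself with the name set by smtpd_sasl_service, whose default is smtp. The `users` table, its column names and the rows are constructed assumptions, and the script emulates what Dovecot does with the query (variable expansion with SQL escaping, then dropping NULL columns) against SQLite so the two code paths can be checked offline.

```python
"""Single password_query that switches on Dovecot's %s (service) variable.

Added example, not Dovecot's or the thread's own code. It emulates the sql
passdb's handling of the query so that the result for each service can be
inspected without a running Dovecot. Table layout and data are assumptions.
"""
import re
import sqlite3

# The query as it would go into the passdb's .conf.ext file (assumed name
# /etc/dovecot/mysql-auth.conf.ext; in that file each line ends with a
# backslash for continuation). Dovecot expands %s to the service name
# ("imap", "pop3", "sieve", or "smtp" for Postfix's SASL client) and %u
# to the login name before sending the statement to MySQL.
PASSWORD_QUERY = """
SELECT
  CASE WHEN '%s' = 'smtp' THEN password ELSE NULL END AS password,
  CASE WHEN '%s' = 'smtp' THEN NULL ELSE 'Y'  END AS nopassword,
  CASE WHEN '%s' = 'smtp' THEN NULL ELSE host END AS host,
  CASE WHEN '%s' = 'smtp' THEN NULL ELSE 'Y'  END AS proxy
FROM users WHERE login = '%u'
"""

# Constructed sample rows: login, password hash (fake), back-end host.
SAMPLE_USERS = [
    ("alice@example.net", "{SHA512-CRYPT}$6$c2FsdA$hash.for.alice", "imap1.internal"),
    ("bob@example.net", "{SHA512-CRYPT}$6$c2FsdA$hash.for.bob", "exchange.internal"),
]


def build_db():
    """Create the in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT, host TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def expand(query, service, user):
    """Emulate Dovecot's %-variable expansion for the sql passdb.

    Dovecot substitutes the values itself (there are no bind parameters)
    and runs each one through the driver's string-escaping function first;
    for SQLite that is doubling single quotes. Only %s and %u are handled.
    """
    values = {"s": service, "u": user}

    def repl(m):
        return values[m.group(1)].replace("'", "''")

    return re.sub(r"%([su])", repl, query)


def lookup(conn, service, user):
    """Run the expanded query and return the passdb fields Dovecot would see.

    Returns None for an unknown user. Columns whose value is NULL are left
    out, matching the sql passdb's rule that NULL extra fields are ignored:
    for smtp only `password` survives, for every other service only the
    proxy fields do.
    """
    cur = conn.execute(expand(PASSWORD_QUERY, service, user))
    row = cur.fetchone()
    if row is None:
        return None
    names = [d[0] for d in cur.description]
    return {n: v for n, v in zip(names, row) if v is not None}


if __name__ == "__main__":
    db = build_db()
    for svc in ("smtp", "imap", "pop3", "sieve"):
        print(svc, lookup(db, svc, "alice@example.net"))
```

Confirm the service name Dovecot actually receives rather than trusting the default: set auth_debug = yes and look for service=smtp in the auth log when Postfix authenticates a user. Two consequences of this design are worth noting. The front-end must now hold a verifiable password hash for every user, including the Exchange users it only proxies for IMAP, so that column has to be kept in sync with the back-end, and the .conf.ext file needs default_pass_scheme set if the stored hashes carry no {SCHEME} prefix. A login containing a quote character only fails cleanly because the expansion escapes the value; Dovecot does that escaping itself for MySQL, so the value must stay inside single quotes exactly as written in the query.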