Awesome, thanks for the advice. Using the following now works...

passdb {
  driver = static
  args = proxy=y password=doesnotmatter
}

Cheers.

On Feb 15 2018, at 2:40 pm, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> > On 15 February 2018 at 20:22 Travis Dolan <travis.dolan at gmail.com> wrote:
> >
> > Hello,
> >
> > I have Director setup to proxy requests to backend servers. This works fine
> > when using "standard" username/passwords.
> >
> > I am not try to enable the use of the Dovecot Master user through Director
> > into the backend servers.
> >
> > a.) username is being sent as masteruser*username
> > b.) request hits the proxy and authenticates, and then is passed to the
> > backend servers and fails auth.
> >
> > - logs from proxy/Director point of view.
> >
> > auth: Info:
> > passwd-file(masteruser,172.31.33.224,master,<z2eYD0Rl6P+sHyHg>): Master
> > user logging in as devteam
> >
> > imap-login: Info: proxy(devteam): Login failed to backend.servers:143
> > (master masteruser): [AUTHENTICATIONFAILED] Authentication failed.:
> > user=<devteam>, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20,
> > session=<z2eYD0Rl6P+sHyHg>
> >
> > - logs from backend server point of view.
> >
> > imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs):
> > user=<masterusername>, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99,
> > session=<O8QN8kNlloXAqEcU>
> >
> > Proxy/Director Configs (hopefully this is enough)
> >
> > auth_master_user_separator = *
> > passdb {
> >   driver = passwd-file
> >   args = /etc/dovecot/conf.d/master-user-password
> >   master = yes
> >   pass = yes
> > }
> >
> > passdb {
> >   driver = static
> >   args = proxy=y nopassword=y
> > }
> >
> > Please let me know if I can provide any further details.
> >
> > Thanks in advance.
>
> You could consider using "master password" instead.
>
> This works so that you configure proxy to use pass=some_static_password as
> the password forward, and you can then use static passdb in director, as in
>
> passdb {
>   driver = static
>   args = password=some_static_password ....
> }
>
> This way you don't need to setup master user authentication.
>
> Aki

It would look as though the changes have now negatively affected a "normal" user from logging in.

telnet host 143
a login username password
a NO [AUTHENTICATIONFAILED] Authentication failed.

telnet host 143
1 login devteam*masteruser at example.com password
1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in

What do you think?

Thanks.

On Feb 15 2018, at 3:19 pm, Travis Dolan <travis.dolan at gmail.com> wrote:
> Awesome, thanks for the advice. Using the following now works...
>
> passdb {
>   driver = static
>   args = proxy=y password=doesnotmatter
> }
>
> Cheers.
>
> On Feb 15 2018, at 2:40 pm, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> > > On 15 February 2018 at 20:22 Travis Dolan <travis.dolan at gmail.com> wrote:
> > >
> > > Hello,
> > >
> > > I have Director setup to proxy requests to backend servers. This works fine
> > > when using "standard" username/passwords.
> > >
> > > I am not try to enable the use of the Dovecot Master user through Director
> > > into the backend servers.
> > >
> > > a.) username is being sent as masteruser*username
> > > b.) request hits the proxy and authenticates, and then is passed to the
> > > backend servers and fails auth.
> > >
> > > - logs from proxy/Director point of view.
> > >
> > > auth: Info:
> > > passwd-file(masteruser,172.31.33.224,master,<z2eYD0Rl6P+sHyHg>): Master
> > > user logging in as devteam
> > >
> > > imap-login: Info: proxy(devteam): Login failed to backend.servers:143
> > > (master masteruser): [AUTHENTICATIONFAILED] Authentication failed.:
> > > user=<devteam>, method=PLAIN, rip=172.31.33.224, lip=192.168.71.20,
> > > session=<z2eYD0Rl6P+sHyHg>
> > >
> > > - logs from backend server point of view.
> > >
> > > imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs):
> > > user=<masterusername>, method=PLAIN, rip=192.168.71.20, lip=192.168.71.99,
> > > session=<O8QN8kNlloXAqEcU>
> > >
> > > Proxy/Director Configs (hopefully this is enough)
> > >
> > > auth_master_user_separator = *
> > > passdb {
> > >   driver = passwd-file
> > >   args = /etc/dovecot/conf.d/master-user-password
> > >   master = yes
> > >   pass = yes
> > > }
> > >
> > > passdb {
> > >   driver = static
> > >   args = proxy=y nopassword=y
> > > }
> > >
> > > Please let me know if I can provide any further details.
> > >
> > > Thanks in advance.
> >
> > You could consider using "master password" instead.
> >
> > This works so that you configure proxy to use pass=some_static_password as
> > the password forward, and you can then use static passdb in director, as in
> >
> > passdb {
> >   driver = static
> >   args = password=some_static_password ....
> > }
> >
> > This way you don't need to setup master user authentication.
> >
> > Aki

> On 15 Feb 2018, at 22.16, Travis Dolan <travis.dolan at gmail.com> wrote:
>
> It would look as though the changes have now negatively affected a "normal" user from logging in.
>
> telnet host 143
> a login username password
> a NO [AUTHENTICATIONFAILED] Authentication failed.
>
> telnet host 143
> 1 login devteam*masteruser at example.com password
> 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE QUOTA] Logged in
>
> What do you think?

So your director is the first entry point where the end users connect? in that case your director should have passdb setup that verifies the user password and then switches the session to use master password when forwarding the connection to backend.

something like this in director:

passdb {
  driver = passwd-file
  args = /data/mail.passwd
  result_success = continue-ok
}

passdb {
  driver = static
  args = pass=masterpassword
  skip = unauthenticated
}

and in backend:

passdb {
  driver = static
  args = password=masterpassword
}

Sami
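
Added example, not part of the thread and not Dovecot code: a simplified Python model of the passdb chains discussed above, showing why the single static passdb rejects a normal user and how the `continue-ok` / `skip = unauthenticated` pair verifies the user's own password before swapping in the master password for the backend. The names `run_chain`, `login`, the `USERS` table and its password are made up for illustration, and the model assumes that a passdb reached after an earlier `continue-ok` success does not re-check the password.

```python
# Simplified model of Dovecot passdb chain evaluation (illustrative, not Dovecot code).
USERS = {"devteam": "user-pw-123"}  # constructed stand-in for /data/mail.passwd


def passwd_file(user, password):
    return USERS.get(user) == password


def static(expected):
    # static driver with password=<expected>: same secret for every username
    return lambda user, password: password == expected


def run_chain(chain, user, password):
    """Return (authenticated, password_to_forward) for one login attempt."""
    authed, forward = False, password
    for db in chain:
        if db.get("skip") == "unauthenticated" and not authed:
            continue  # skip = unauthenticated: only runs after an earlier success
        verify = db.get("verify")
        # Assumption: once an earlier passdb succeeded, later ones only add fields.
        if not authed and (verify is None or not verify(user, password)):
            continue  # default result_failure = continue
        authed = True
        forward = db.get("pass", forward)  # "pass" field replaces the proxied password
        if db.get("result_success", "return-ok") == "return-ok":
            break
    return authed, (forward if authed else None)


def login(director, backend, user, password):
    """Client -> director -> backend; True if the backend accepts the proxied login."""
    ok, forwarded = run_chain(director, user, password)
    return ok and run_chain(backend, user, forwarded)[0]


# Director passdb from the "now works" message; the master=yes passdb is left out
# because it is not consulted for a login without a master user.
INTERIM_DIRECTOR = [{"verify": static("doesnotmatter")}]
# Director and backend as proposed in Sami's reply.
DIRECTOR = [
    {"verify": passwd_file, "result_success": "continue-ok"},
    {"pass": "masterpassword", "skip": "unauthenticated"},
]
BACKEND = [{"verify": static("masterpassword")}]

if __name__ == "__main__":
    print(run_chain(INTERIM_DIRECTOR, "devteam", "user-pw-123"))  # normal user rejected
    print(login(DIRECTOR, BACKEND, "devteam", "user-pw-123"))
    print(login(DIRECTOR, BACKEND, "devteam", "wrong"))
    print(run_chain(BACKEND, "anyone", "masterpassword"))
```

In this model the backend accepts the master password for any username, so the backend should only be reachable from the director.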