Filias Heidt
2018-Sep-17 09:54 UTC
Using both starttls and ssl in passdb on proxy results in timeouts
Hi List,
I have a dovecot which proxies to different backends depending on an entry in a
mysql-database. The mysql-query sets ?ssl? to ?any-cert? and this works fine.
But this causes me a problem: sieve-backends only support STARTTLS and if I set
?ssl? to ?any-cert? (or yes), it will attempt a TLS-connection to the
sieve-backends, which fails.
My attempt was to alter the query to include %{real_lport} and return ?ssl=no?
and ?starttls=any-cert? if the port matches the sieve-port. It works as expected
in that it returns the correct values and proxies to the correct backend.
However it seems that TLS is no longer working and I get timeouts from the
backends.
Debug: client passdb out: OK 1 user=someuser at example.com proxy
proxy_nopipelining=y host=backend1.example.com nodelay=y nologin starttls=no
ssl=any-cert hostip=so.me.i.p pass=<hidden>
results in:
Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: proxy(someuser at
example.com): Login for so.me.i.p:993 timed out in state=/none (after 30 secs,
local=lo.cal.i.p:60524): user=<someuser at example.com>, method=PLAIN,
rip=re.mo.te.ip, lip=lo.cal.i.p, TLS,
session=<OySXgw12auwgARYIAAYABwAAAAAAAwAU>
My query looks like this:
password_query = SELECT host from proxy_domain, NULL as password, 'y' as
nopassword, 'y' as proxy, NULL as destuser, 'y' as
proxy_nopipelining, 'y' as nodelay, 'y' as nologin,
IF(%{real_lport}=4190, 'any-cert', 'no') as 'starttls',
IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl?;
As soon as I remove the starttls-part and the passdb only returns ssl=any-cert
(without starttls=no) it works flawlessly.
Is it possible that I am attacking the problem the wrong way? Or is it not
possible to set both starttls and ssl to some values in passdb and
enable/disable them as needed?
Thanks for any input :)
Cheers,
Filias
Filias Heidt
2018-Sep-18 08:33 UTC
Using both starttls and ssl in passdb on proxy results in timeouts
I tried some more things, such as setting starttls=NULL or ssl=NULL, which does the same as setting it to ?no?. Interestingly, if I set ssl=NULL and don?t set starttls at all, it still tries an SSL connection to the backend. Is there no way to use starttls or ssl depending on a variable? It could also be possible that I have starttls-backends and ssl-backends which would be a similar use-case to my sieve-thing, I think. Cheers, Filias> Am 17.09.2018 um 11:54 schrieb Filias Heidt <fh at netzkommune.com>: > > Hi List, > > I have a dovecot which proxies to different backends depending on an entry in a mysql-database. The mysql-query sets ?ssl? to ?any-cert? and this works fine. But this causes me a problem: sieve-backends only support STARTTLS and if I set ?ssl? to ?any-cert? (or yes), it will attempt a TLS-connection to the sieve-backends, which fails. > > My attempt was to alter the query to include %{real_lport} and return ?ssl=no? and ?starttls=any-cert? if the port matches the sieve-port. It works as expected in that it returns the correct values and proxies to the correct backend. > > However it seems that TLS is no longer working and I get timeouts from the backends. > > Debug: client passdb out: OK 1 user=someuser at example.com proxy proxy_nopipelining=y host=backend1.example.com nodelay=y nologin starttls=no ssl=any-cert hostip=so.me.i.p pass=<hidden> > > results in: > Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: proxy(someuser at example.com): Login for so.me.i.p:993 timed out in state=/none (after 30 secs, local=lo.cal.i.p:60524): user=<someuser at example.com>, method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS, session=<OySXgw12auwgARYIAAYABwAAAAAAAwAU> > > My query looks like this: > password_query = SELECT host from proxy_domain, NULL as password, 'y' as nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y' as nodelay, 'y' as nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as 'starttls', IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl?; > > As soon as I remove the starttls-part and the passdb only returns ssl=any-cert (without starttls=no) it works flawlessly. > > Is it possible that I am attacking the problem the wrong way? Or is it not possible to set both starttls and ssl to some values in passdb and enable/disable them as needed? > > Thanks for any input :) > > Cheers, > Filias
Aki Tuomi
2018-Sep-18 09:20 UTC
Using both starttls and ssl in passdb on proxy results in timeouts
The problem is that due to how it was done some ages ago, the passdb result items are treated so that presence means "use it". If you return 'proxy' it means same as 'proxy=y' or 'proxy=yes'. We are considering on changing this so that it would actually require a k=v type of syntax, but it's going to be a breaking change. Aki On 18.09.2018 11:33, Filias Heidt wrote:> I tried some more things, such as setting starttls=NULL or ssl=NULL, which does the same as setting it to ?no?. Interestingly, if I set ssl=NULL and don?t set starttls at all, it still tries an SSL connection to the backend. > > Is there no way to use starttls or ssl depending on a variable? It could also be possible that I have starttls-backends and ssl-backends which would be a similar use-case to my sieve-thing, I think. > > Cheers, > Filias > >> Am 17.09.2018 um 11:54 schrieb Filias Heidt <fh at netzkommune.com>: >> >> Hi List, >> >> I have a dovecot which proxies to different backends depending on an entry in a mysql-database. The mysql-query sets ?ssl? to ?any-cert? and this works fine. But this causes me a problem: sieve-backends only support STARTTLS and if I set ?ssl? to ?any-cert? (or yes), it will attempt a TLS-connection to the sieve-backends, which fails. >> >> My attempt was to alter the query to include %{real_lport} and return ?ssl=no? and ?starttls=any-cert? if the port matches the sieve-port. It works as expected in that it returns the correct values and proxies to the correct backend. >> >> However it seems that TLS is no longer working and I get timeouts from the backends. >> >> Debug: client passdb out: OK 1 user=someuser at example.com proxy proxy_nopipelining=y host=backend1.example.com nodelay=y nologin starttls=no ssl=any-cert hostip=so.me.i.p pass=<hidden> >> >> results in: >> Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: proxy(someuser at example.com): Login for so.me.i.p:993 timed out in state=/none (after 30 secs, local=lo.cal.i.p:60524): user=<someuser at example.com>, method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS, session=<OySXgw12auwgARYIAAYABwAAAAAAAwAU> >> >> My query looks like this: >> password_query = SELECT host from proxy_domain, NULL as password, 'y' as nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y' as nodelay, 'y' as nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as 'starttls', IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl?; >> >> As soon as I remove the starttls-part and the passdb only returns ssl=any-cert (without starttls=no) it works flawlessly. >> >> Is it possible that I am attacking the problem the wrong way? Or is it not possible to set both starttls and ssl to some values in passdb and enable/disable them as needed? >> >> Thanks for any input :) >> >> Cheers, >> Filias