Hi!

I have a few questions regarding Dovecot proxy:

1.
1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, authentication is completely up to the destination host. Setting 'nopassword' in no way means the proxy becomes an open relay. Is this correct?
1.2 Are there any security implications when using 'nopassword' on the proxy?

2.
2.1 I would like to avoid having to store all users in a passdb file on the proxy. I would much rather specify a domain for which Dovecot proxy will route all users to a specific host. Is there a way to let Dovecot proxy route to a destination host based on domain, so individual users don't have to be specified in the proxy passdb?
2.2 Is it correct that userdb does not have any effect on proxying and it can be left out of the config? Source: https://dovecot.org/pipermail/dovecot/2013-October/093138.html (point 2)

Kind regards,

William Edwards
T. 040 - 711 44 96
E. wedwards at cyberfusion.nl

> On 27/12/2019 16:02 William Edwards <wedwards@cyberfusion.nl> wrote:
>
> Hi!
>
> I have a few questions regarding Dovecot proxy:
>
> 1.
> 1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, authentication is completely up to the destination host. Setting 'nopassword' in no way means the proxy becomes an open relay. Is this correct?

You still control where it proxies to.

> 1.2 Are there any security implications when using 'nopassword' on the proxy?

As long as it's really a proxy, probably no.

> 2.
> 2.1 I would like to avoid having to store all users in a passdb file on the proxy. I would much rather specify a domain for which Dovecot proxy will route all users to a specific host. Is there a way to let Dovecot proxy route to a destination host based on domain, so individual users don't have to be specified in the proxy passdb?
> 2.2 Is it correct that userdb does not have any effect on proxying and it can be left out of the config? Source: https://dovecot.org/pipermail/dovecot/2013-October/093138.html (point 2)

userdb is ignored on proxies. For your use case, try the following:

passdb {
  driver = passwd-file
  args = username_format=%Ld /etc/dovecot/domains.passwd
}

and into domains.passwd

domain.com::::::: nopassword proxy host=host1

colon count might be wrong

> Kind regards,
>
> William Edwards
> T. 040 - 711 44 96
> E. wedwards@cyberfusion.nl

---
Aki Tuomi
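
The "colon count" caveat in the reply above refers to the passwd-file layout `user:password:uid:gid:(gecos):home:(shell):extra_fields`, where seven colons precede the extra fields. The following is an added example, not part of the original thread and not Dovecot code: a small Python linter for such entries that also shows how `username_format=%Ld` keys the lookup on the lowercased domain. Function names and the two faulty sample lines are constructed for illustration, and treating bare flags such as `proxy` as set is an assumption taken from the entry in the reply.

```python
# Added example (not from the thread): lint Dovecot passwd-file proxy entries
# and resolve a login the way username_format=%Ld keys the lookup.
# Layout: user:password:uid:gid:(gecos):home:(shell):extra_fields  (7 colons)

def parse_entry(line):
    """Return (key, password, extra_fields dict); ValueError on bad colon count."""
    parts = line.rstrip("\n").split(":", 7)
    if len(parts) != 8:
        raise ValueError(f"too few colons: {len(parts) - 1}, need 7")
    if parts[7].startswith(":"):
        raise ValueError("too many colons before the extra fields")
    extra = {}
    for token in parts[7].split():
        name, _, value = token.partition("=")
        extra[name] = value  # bare flags such as 'proxy' get an empty value
    return parts[0], parts[1], extra


def lint(extra):
    """Findings for one entry; an empty list means it is a pure proxy route."""
    findings = []
    if "nopassword" in extra and "proxy" not in extra:
        findings.append("nopassword without proxy: any password is accepted here")
    if "proxy" in extra and not extra.get("host"):
        findings.append("proxy without host: no destination to forward to")
    return findings


def lookup_key(login):
    """Emulate %Ld: lowercased text after the first '@' (empty if none)."""
    return login.partition("@")[2].lower()


def route(login, table):
    """Backend host for a login, or None when no domain entry matches."""
    extra = table.get(lookup_key(login))
    return extra.get("host") if extra and "proxy" in extra else None


# Constructed sample input: the entry from the thread plus two faulty variants.
GOOD = "domain.com::::::: nopassword proxy host=host1"
SHORT = "domain.com:::::: nopassword proxy host=host1"   # six colons
NO_PROXY = "domain.com::::::: nopassword"                # flag left without proxy

key, _, extra = parse_entry(GOOD)
TABLE = {key: extra}

if __name__ == "__main__":
    print(lint(extra), route("Alice@Domain.COM", TABLE), route("bob@other.org", TABLE))
```

The `lint` check for `nopassword` without `proxy` corresponds to the "as long as it's really a proxy" condition in the reply: on a host that authenticates locally, that flag would accept any password.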

Hi Aki,

> 1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, authentication is completely up to the destination host. Setting 'nopassword' in no way means the proxy becomes an open relay. Is this correct?
>
> You still control where it proxies to.
>
> 1.2 Are there any security implications when using 'nopassword' on the proxy?
>
> As long as it's really a proxy, probably no.

Ok, so assuming proper authentication is configured on the destination host, the answer to 1.1 is 'yes' and the answer to 1.2 is 'no'.

> userdb is ignored on proxies. For your use case, try the following
>
> and into domains.passwd

Ah, yes, of course. I forgot Dovecot supports multiple passdb backends. I have added the domains.passwd backend as a fallback.

Thanks!

Kind regards,

William Edwards
T. 040 - 711 44 96
E. wedwards at cyberfusion.nl

----- Original Message -----
From: Aki Tuomi (aki.tuomi at open-xchange.com)
Date: 12/27/19 17:42
To: William Edwards (wedwards at cyberfusion.nl), dovecot (dovecot at dovecot.org)
Subject: Re: Dovecot proxy: authentication best practices

> On 27/12/2019 16:02 William Edwards <wedwards at cyberfusion.nl> wrote:
>
> Hi!
>
> I have a few questions regarding Dovecot proxy:
>
> 1.
> 1.1 If I understand correctly, setting 'nopassword' in the proxy passdb file, authentication is completely up to the destination host. Setting 'nopassword' in no way means the proxy becomes an open relay. Is this correct?

You still control where it proxies to.

> 1.2 Are there any security implications when using 'nopassword' on the proxy?

As long as it's really a proxy, probably no.

> 2.
> 2.1 I would like to avoid having to store all users in a passdb file on the proxy. I would much rather specify a domain for which Dovecot proxy will route all users to a specific host. Is there a way to let Dovecot proxy route to a destination host based on domain, so individual users don't have to be specified in the proxy passdb?
> 2.2 Is it correct that userdb does not have any effect on proxying and it can be left out of the config? Source: https://dovecot.org/pipermail/dovecot/2013-October/093138.html (point 2)

userdb is ignored on proxies. For your use case, try the following:

passdb {
  driver = passwd-file
  args = username_format=%Ld /etc/dovecot/domains.passwd
}

and into domains.passwd

domain.com::::::: nopassword proxy host=host1

colon count might be wrong

> Kind regards,
>
> William Edwards
> T. 040 - 711 44 96
> E. wedwards at cyberfusion.nl

---
Aki Tuomi