Hi Aki,

On 10.02.20 17:03, Aki Tuomi wrote:
> Try setting
>
> login_trusted_networks = lb-ip/32
>
> See
> https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks

I do have login_trusted_networks set already. Along with the proxy protocol (haproxy_trusted_networks = lb-ip) I had to set login_trusted_networks to 0.0.0.0/0 actually, because the proxy protocol tells Dovecot the real client's IP address, and that IP address is the one actually evaluated for login_trusted_networks. With the plain authentication being done inside the load balancer's TLS connection it is more or less obvious that this is needed in that case.

But those settings don't change the pity: ssl=no is globally required to make the STARTTLS option disappear for imap-login, but with ssl=no globally I don't see a possibility to enable the STARTTLS option for other services like managesieve, for example.

Thanks
Björn
> On 10/02/2020 19:17 Bjoern Jacke <lists2020 at j3e.de> wrote:
>
> Hi Aki,
>
> On 10.02.20 17:03, Aki Tuomi wrote:
> > Try setting
> >
> > login_trusted_networks = lb-ip/32
> >
> > See
> > https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks
>
> I do have login_trusted_networks set already. Along with the proxy
> protocol (haproxy_trusted_networks = lb-ip) I had to set
> login_trusted_networks to 0.0.0.0/0 actually, because the proxy protocol
> tells Dovecot the real client's IP address, and that IP address is the one
> actually evaluated for login_trusted_networks. With the plain
> authentication being done inside the load balancer's TLS connection it
> is more or less obvious that this is needed in that case.
>
> But those settings don't change the pity: ssl=no is globally required to
> make the STARTTLS option disappear for imap-login, but with ssl=no
> globally I don't see a possibility to enable the STARTTLS option for
> other services like managesieve, for example.
>
> Thanks
> Björn

With HAProxy you need to

- configure HAProxy to use PROXYv1 or PROXYv2 protocol to pass connection details to Dovecot. With a recent enough Dovecot, you can include TLS information from HAProxy to Dovecot.
- configure login_trusted_networks and haproxy_trusted_networks
- set 'haproxy=yes' on the listener you are connecting to with HAProxy, so Dovecot knows to expect and parse the proxy protocol.

Aki
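The three steps Aki lists, written out as a Dovecot configuration fragment. This is an added example, not configuration posted by either participant. It assumes the load balancer's address is 192.0.2.10 (a placeholder) and uses dedicated listener ports and names (10143, 14190, imap_haproxy, sieve_haproxy) that are also assumptions; the trusted-network values follow Aki's suggestion of the LB address rather than 0.0.0.0/0.

```conf
# Added example: Dovecot side of the HAProxy PROXY-protocol setup.
# 192.0.2.10 is a placeholder for the load balancer; all names and
# ports below are assumptions, not values from the thread.

# Only the load balancer may prefix a connection with a PROXY header.
# A PROXY header from any other peer is rejected.
haproxy_trusted_networks = 192.0.2.10/32

# Treat connections coming from the load balancer as trusted so that the
# forwarded client address is used for logging/rate limiting and plaintext
# authentication (TLS is terminated at the LB) is permitted.
login_trusted_networks = 192.0.2.10/32

# Separate listeners for proxied traffic. haproxy=yes makes Dovecot read
# and parse the PROXY header before sending its greeting; a client that
# connects to this port without a header is dropped. Keep these ports
# reachable only from the load balancer.
service imap-login {
  inet_listener imap_haproxy {
    port = 10143
    haproxy = yes
  }
}

service managesieve-login {
  inet_listener sieve_haproxy {
    port = 14190
    haproxy = yes
  }
}
```

On the HAProxy side the matching backend `server` line needs `send-proxy-v2` (or `send-proxy-v2-ssl` to also pass the TLS details Aki mentions) pointing at these ports. Note that this fragment only covers the proxy-protocol part of the thread; it does not change whether the listeners advertise STARTTLS, which is governed by the `ssl` setting and is the open question in the next message.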
Hello Aki,

On 10.02.20 20:34, Aki Tuomi wrote:
> - configure HAProxy to use PROXYv1 or PROXYv2 protocol to pass connection details to Dovecot. With a recent enough Dovecot, you can include TLS information from HAProxy to Dovecot.
> - configure login_trusted_networks and haproxy_trusted_networks
> - set 'haproxy=yes' on the listener you are connecting to with HAProxy, so Dovecot knows to expect and parse the proxy protocol.

That part is working fine. Whether it's a proxied or non-proxied config can be ignored here. The essential question, broken down to a minimum, is: is there any way to

1) configure a Dovecot service with plain unencrypted authentication (like imap-login, for example) that also _does_not_ advertise STARTTLS, and at the same time
2) configure another Dovecot service (like managesieve, for example) that _does_ advertise STARTTLS?

Thanks
Björn