dovecot - Sep 2020 - Dovecot Proxy

Hello everyone,

it's my first post here on this mailing list and I hope, I make it right.

I posted a question on 
https://serverfault.com/questions/1031441/dovecot-as-proxy-with-submission 
and nobody was able to answer it. So I decided to push that question 
here (I'm talking about any new dovecot version and I've tested it with 
2.3.4.1 (f79e8e7e4)).

I try to run a dovecot proxy in front of a big number of mail servers 
(serving SMTP-in, submission, IMAP, POP3, Sieve). I need that proxy, 
because I run out of IPv4 addresses. Of course I use IPv6 too, but many 
customers still have problems with there providers and they really don't 
want to share their mails on a "shared-mailserver". I planed to use 
Dovecot for IMAPS, POP3S, SMTP-submission(465) and postfix for the rest. 
If I find a solution for sieve, I would try that too, but that is very 
optional.

With the documentation https://wiki1.dovecot.org/HowTo/ImapProxy (which 
is really old and should be updated) and some other ascii docs (from an 
Apple mirror somewhere deep in the web) I was able to build a IMAP/POP3 
proxy that forwards requests from outside to a specific backend using 
SSL (993,995). That works - I think.You can find the config on the 
serverfault page.

In general - all known domains in backend are using SSL and the passdb 
forwards all requests to the backend via SSL. So - I understand:||

|password_query  ? SELECT
 ? ? NULL AS password,
 ? ? NULL AS destuser,
 ? ? host,
 ? ? 'Y' AS nologin,
 ? ? 'Y' AS nodelay,
 ? ? 'Y' AS nopassword,
 ? ? 'Y' AS proxy,
 ? ? 'any-cert' AS `ssl`
 ? FROM
 ? ? proxy_domain
 ? WHERE
 ? ? domain = '%d' |

But that is only 50% of the show. The rest ist submission (and maybe 
sieve). Practically the submission implementation in dovecot works too. 
But because dovecot by default only opens port 587 (starttls), my passdb 
setting has a problem.

When I try to use that port Dovecot tries to use SSL on the backend/587 
too - but that is wrong (it should either use 465 or should try to use 
starttls).

So, I have the following options.

- find a way to configure dovecot-proxy to listen on 465 with SSL for 
submission service and hope that it uses the same port
 ? - but I didn't find any documentation for that and need help

- find a way to configure dovecot-proxy/passdb to return starttls=y when 
dovecot-submission is used (use a different passdb)
 ? - but I didn't find any documentation for that and I'm not sure, if 
this worls on service/protocol level

- find a way to configure the passdb answer based on the used 
port/protocol. But I only know the parameter %u, %d and %p.
 ? - so it would be nice to find a way to also select the protocol (if 
already developed)

- find a way to make a patch in dovecot (which isn't easy for me, 
because I don't really know the code)

Has somebody an idea, how I can configure the dovecot-proxy in that way.

bye
Thoralf

Hi Thoralf,

I?d say first of all you should read the current docs for 2.x not the archived
stuff. ?> https://wiki2.dovecot.org/ - (It?s even mentioned in bold in the
header)

Then to front multiple backends perhaps you want to take a look at Dovecot
Director. ?> https://wiki2.dovecot.org/Director

About SMTP I?m not sure why you would want to rely on Dovecot for that. I only
do Postfix with Dovecot as auth backend so they can share passdb access. When
you have 465 set up it is no big deal to also enable 587 in Postfixs master.cf.

If you want to keep Dovecot for Submission you can check the latest docs for
Dovecot submission service:
https://doc.dovecot.org/admin_manual/submission_server/. It has a relay server
option with port. Also settings for STARTTLS etcpp can be found there.


Mahlzeit!

Philon
> On 31 Aug 2020, at 11:33, Thoralf Rickert-Wendt <trw at acoby.de>
wrote:
> 
> Hello everyone,
> 
> it's my first post here on this mailing list and I hope, I make it
right.
> 
> I posted a question on
https://serverfault.com/questions/1031441/dovecot-as-proxy-with-submission and
nobody was able to answer it. So I decided to push that question here (I'm
talking about any new dovecot version and I've tested it with 2.3.4.1
(f79e8e7e4)).
> 
> I try to run a dovecot proxy in front of a big number of mail servers
(serving SMTP-in, submission, IMAP, POP3, Sieve). I need that proxy, because I
run out of IPv4 addresses. Of course I use IPv6 too, but many customers still
have problems with there providers and they really don't want to share their
mails on a "shared-mailserver". I planed to use Dovecot for IMAPS,
POP3S, SMTP-submission(465) and postfix for the rest. If I find a solution for
sieve, I would try that too, but that is very optional.
> 
> With the documentation https://wiki1.dovecot.org/HowTo/ImapProxy (which is
really old and should be updated) and some other ascii docs (from an Apple
mirror somewhere deep in the web) I was able to build a IMAP/POP3 proxy that
forwards requests from outside to a specific backend using SSL (993,995). That
works - I think.You can find the config on the serverfault page.
> 
> In general - all known domains in backend are using SSL and the passdb
forwards all requests to the backend via SSL. So - I understand:||
> 
> |password_query >   SELECT
>     NULL AS password,
>     NULL AS destuser,
>     host,
>     'Y' AS nologin,
>     'Y' AS nodelay,
>     'Y' AS nopassword,
>     'Y' AS proxy,
>     'any-cert' AS `ssl`
>   FROM
>     proxy_domain
>   WHERE
>     domain = '%d' |
> 
> But that is only 50% of the show. The rest ist submission (and maybe
sieve). Practically the submission implementation in dovecot works too. But
because dovecot by default only opens port 587 (starttls), my passdb setting has
a problem.
> 
> When I try to use that port Dovecot tries to use SSL on the backend/587 too
- but that is wrong (it should either use 465 or should try to use starttls).
> 
> So, I have the following options.
> 
> - find a way to configure dovecot-proxy to listen on 465 with SSL for
submission service and hope that it uses the same port
>   - but I didn't find any documentation for that and need help
> 
> - find a way to configure dovecot-proxy/passdb to return starttls=y when
dovecot-submission is used (use a different passdb)
>   - but I didn't find any documentation for that and I'm not sure,
if this worls on service/protocol level
> 
> - find a way to configure the passdb answer based on the used
port/protocol. But I only know the parameter %u, %d and %p.
>   - so it would be nice to find a way to also select the protocol (if
already developed)
> 
> - find a way to make a patch in dovecot (which isn't easy for me,
because I don't really know the code)
> 
> Has somebody an idea, how I can configure the dovecot-proxy in that way.
> 
> bye
> Thoralf
> 
>

Hi Philon,

now, it's time for "Mahlzeit" ;-)

Sorry, that I read the wiki1 instead of wiki2. I thought the 1 means 
that it is server one of ... my fault. Also not reading the first line 
above the menu. My focus was really on the content. ;-)

Also my problem with the doc of Dovecot2 proxy is, that the document 
https://doc.dovecot.org/configuration_manual/authentication/proxies/ has 
less details for a domain only example. That works as in the Dovecot1 
doc, but it isn't documented anymore. Also the location under 
"authentication" chapter in the Wiki didn't tell me, that this is
the
"new Dovecot proxy documentation". I thought, this was only related to
authentication issues. I would recommend to either restructure the 
wiki2, that it makes it more clear to the user or make some notes on 
https://doc.dovecot.org/admin_manual/dovecot_proxy/ and link to the 
passdb setting on 
https://doc.dovecot.org/configuration_manual/forwarding_parameters/ and 
https://doc.dovecot.org/configuration_manual/authentication/proxies/. 
Maybe there are other documents related to Proxy too, like the SNI 
settings etc. But maybe I'm the only one on the planet, that tries to 
use that. It feels a little bit like that.

The Director would be interesting, if all the mailservers in the backend 
would know each other. But thats not the case. Mailserver A and 
Mailserver B are hosting complete different domains with a complete 
different user list and complete different user admins, etc. Also 
mailcow doesnt enabled the director. So it will not help much. But it 
could be interesting, if I have multiple proxies.

Yes, the submission service inside Dovecot is there. And I tried to 
avoid to install multiple "programs" and if there is one
"program" that
handles it all, why don't use it. And I'd like to quote the first line 
of the Dovecot proxy doc: "Dovecot supports proxying IMAP, POP3, 
Submission Server 
<https://doc.dovecot.org/admin_manual/submission_server/#submission-server>,
LMTP Server 
<https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/#lmtp-server>,
and Pigeonhole ManageSieve Server 
<https://doc.dovecot.org/admin_manual/pigeonhole_managesieve_server/#pigeonhole-managesieve-server>
connections to other hosts.".

Also I tried to open the Dovecot authentication mechanism for postfix 
(for submission) with


service auth {
 ? user = root
 ? unix_listener /var/spool/postfix/private/auth {
 ??? group = postfix
 ??? mode = 0660
 ??? user = postfix
 ? }
}

And on Postfix part with

smtpd_sasl_auth_enabled = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

But the postfix login is always accepted (even with wrong passwords) and 
after I start to write a Mail the connection get lost after RCPT 
command. There is another problem. Before I infestigate it, I would try 
my luck with Dovecot. It is already asking the correct backend 
submission server but with SSL on a non-SSL port.

So - someone included the Submission protocol in Dovecot and someone 
wrote, that the submission could be proxied - but - its not completly 
documented or "it doesn't work" within a SSL environment. I
searched for
a simple example, where IMAP and POP3 are proxied via SSL and Submission 
too (which would mean, that Dovecot submission listens on 465) or via 
STARTTLS on 587 and redirecting it also to STARTTLS/587. But I didn't 
find anything. Also the submission documentation doesnt help, because I 
cant see any line of configuration file in it.

Ok, but first - lunchtime.

bye
Thoralf

Am 01.09.20 um 09:43 schrieb Philon:
> Hi Thoralf,
>
> I?d say first of all you should read the current docs for 2.x not the
archived stuff. ?> https://wiki2.dovecot.org/ - (It?s even mentioned in bold
in the header)
>
> Then to front multiple backends perhaps you want to take a look at Dovecot
Director. ?> https://wiki2.dovecot.org/Director
>
> About SMTP I?m not sure why you would want to rely on Dovecot for that. I
only do Postfix with Dovecot as auth backend so they can share passdb access.
When you have 465 set up it is no big deal to also enable 587 in Postfixs
master.cf.
>
> If you want to keep Dovecot for Submission you can check the latest docs
for Dovecot submission service:
https://doc.dovecot.org/admin_manual/submission_server/. It has a relay server
option with port. Also settings for STARTTLS etcpp can be found there.
>
>
> Mahlzeit!
>
> Philon
>
>> On 31 Aug 2020, at 11:33, Thoralf Rickert-Wendt <trw at acoby.de>
wrote:
>>
>> Hello everyone,
>>
>> it's my first post here on this mailing list and I hope, I make it
right.
>>
>> I posted a question on
https://serverfault.com/questions/1031441/dovecot-as-proxy-with-submission and
nobody was able to answer it. So I decided to push that question here (I'm
talking about any new dovecot version and I've tested it with 2.3.4.1
(f79e8e7e4)).
>>
>> I try to run a dovecot proxy in front of a big number of mail servers
(serving SMTP-in, submission, IMAP, POP3, Sieve). I need that proxy, because I
run out of IPv4 addresses. Of course I use IPv6 too, but many customers still
have problems with there providers and they really don't want to share their
mails on a "shared-mailserver". I planed to use Dovecot for IMAPS,
POP3S, SMTP-submission(465) and postfix for the rest. If I find a solution for
sieve, I would try that too, but that is very optional.
>>
>> With the documentation https://wiki1.dovecot.org/HowTo/ImapProxy (which
is really old and should be updated) and some other ascii docs (from an Apple
mirror somewhere deep in the web) I was able to build a IMAP/POP3 proxy that
forwards requests from outside to a specific backend using SSL (993,995). That
works - I think.You can find the config on the serverfault page.
>>
>> In general - all known domains in backend are using SSL and the passdb
forwards all requests to the backend via SSL. So - I understand:||
>>
>> |password_query >>    SELECT
>>      NULL AS password,
>>      NULL AS destuser,
>>      host,
>>      'Y' AS nologin,
>>      'Y' AS nodelay,
>>      'Y' AS nopassword,
>>      'Y' AS proxy,
>>      'any-cert' AS `ssl`
>>    FROM
>>      proxy_domain
>>    WHERE
>>      domain = '%d' |
>>
>> But that is only 50% of the show. The rest ist submission (and maybe
sieve). Practically the submission implementation in dovecot works too. But
because dovecot by default only opens port 587 (starttls), my passdb setting has
a problem.
>>
>> When I try to use that port Dovecot tries to use SSL on the backend/587
too - but that is wrong (it should either use 465 or should try to use
starttls).
>>
>> So, I have the following options.
>>
>> - find a way to configure dovecot-proxy to listen on 465 with SSL for
submission service and hope that it uses the same port
>>    - but I didn't find any documentation for that and need help
>>
>> - find a way to configure dovecot-proxy/passdb to return starttls=y
when dovecot-submission is used (use a different passdb)
>>    - but I didn't find any documentation for that and I'm not
sure, if this worls on service/protocol level
>>
>> - find a way to configure the passdb answer based on the used
port/protocol. But I only know the parameter %u, %d and %p.
>>    - so it would be nice to find a way to also select the protocol (if
already developed)
>>
>> - find a way to make a patch in dovecot (which isn't easy for me,
because I don't really know the code)
>>
>> Has somebody an idea, how I can configure the dovecot-proxy in that
way.
>>
>> bye
>> Thoralf
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200901/1e9c6631/attachment.html>

On 31 Aug 2020, at 03:33, Thoralf Rickert-Wendt <trw at acoby.de>
wrote:
> documentation https://wiki1.dovecot.org/HowTo/ImapProxy (which is really
old and should be updated)
That is documentation for Dovecott version 1 (that's the 1 in wiki1).

Other than that, I can't help you, but this documentation is aboslitley not
relevant to version 2.x. This might help:

<https://wiki.dovecot.org/HowTo/ImapcProxy>

(I don't know why it is Imapc Proxy, but so it goes)





-- 
"Are you pondering what I'm pondering?"
Pinky: (talking to his reflection in the mirror) Pinky, are you
	pondering what I'm pondering?
Pinky's Reflection: Why, yes,
	Pinky! Yes, I am! But where would you get a chicken, 20 yards of
	spandex and smelling salts at this hour?