On 21.10.22 at 13:14, Amol Kulkarni wrote:
> Nginx has a mail proxy for pop, imap, smtp.
> Can it be used instead of director?

Nginx can authenticate imap/smtp (and probably pop3) users. If you do that, you can define a backend server the session is routed to. Currently I use that approach to authenticate users by client certificates and route them to the appropriate backend (well, I only have one ;-).

--
Cheers
spi
Nginx is an excellent suggestion for the purpose. However, I do not like German client certificates. That is far too much "proof" of identification 18/21++ on a public network with nowhere to hide, and those of us who are not German citizens do not have the advantage of a friendly local police jurisdiction with massive international clout and an assumed legitimacy for all the online surveillance, policing, and copping with unfounded sex charges etc. being pressed online.

Not that I care much for alcohol, but the analogy that comes to mind with such "proof" of identity presented across the internet as a public certificate is that of "public drunkenness," versus, say, "drinking privately in one's quarters," i.e., making an encrypted connection, and only then, within the encrypted channel, establishing identity and authorization with a username and password or other means of authentication.

On Friday, October 21, 2022 3:29:36 AM AKDT, spi wrote:
> On 21.10.22 at 13:14, Amol Kulkarni wrote:
>> Nginx has a mail proxy for pop, imap, smtp.
>> Can it be used instead of director?
>
> Nginx can authenticate imap/smtp (and probably pop3) users. If you do that,
> you can define a backend server the session is routed to. Currently I
> use that approach to authenticate users by client certificates and route
> them to the appropriate backend (well, I only have one ;-).
>
> --
> Cheers
> spi
On 2022-10-21 04:29, spi wrote:
> On 21.10.22 at 13:14, Amol Kulkarni wrote:
>> Nginx has a mail proxy for pop, imap, smtp.
>> Can it be used instead of director?
> Nginx can authenticate imap/smtp (and probably pop3) users. If you do that,
> you can define a backend server the session is routed to. Currently I
> use that approach to authenticate users by client certificates and route
> them to the appropriate backend (well, I only have one ;-).

we've recently switched to director, but we used to use nginx for this as well (we started using nginx before director existed). if you load balance the nginx proxies themselves, you can easily handle hundreds of thousands of concurrent imap connections with them.

in debian/ubuntu, i don't think the nginx packages include the mail proxy bits. iirc, we had to compile nginx ourselves with the mail proxy bits included.

the nginx config is pretty simple: you have to pre-specify the capabilities for each protocol and set up some sort of way for nginx to auth and get which backend node to send to, as spi notes (in this example, it's an http call):

    mail {
        # http endpoint nginx calls with the client's credentials;
        # its reply names the backend to proxy the session to
        auth_http localhost:8080/cgi-bin/auth;
        # relay the backend's error text to the client instead of a generic one
        proxy_pass_error_message on;

        # capabilities are advertised by nginx itself, so list what the
        # backends actually support
        pop3_capabilities "TOP" "UIDL" "RESP-CODES" "PIPELINING" "AUTH-RESP-CODE" "USER" "SASL PLAIN" "SASL PLAIN LOGIN";
        server {
            listen 110;
            protocol pop3;
            proxy on;
        }

        imap_capabilities "IMAP4rev1" "LITERAL+" "SASL-IR" "LOGIN-REFERRALS" "IDLE";
        server {
            listen 143;
            protocol imap;
            proxy on;
        }
    }

localhost:8080/cgi-bin/auth then just auths the user/pass that nginx gets from the incoming request and returns success and the next hop for nginx to proxy to.

the only real difficulty is that you then need to write your own state system into your cgi auth script to ensure that users get sent to the same backend imap server if they already have an existing connection, and have some way to safely fail over to other backend imap servers should one go down. (it's nice to have director handle this state stuff for you)
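The auth_http endpoint the post above describes, as an added example that is not part of this thread nor of nginx or Dovecot: a Python handler that takes the request headers nginx's mail module sends (Auth-Method, Auth-User, Auth-Pass, Auth-Login-Attempt) and returns the response headers nginx acts on (Auth-Status, Auth-Server, Auth-Port, Auth-Wait). The backend pool, credential store and "down" set are constructed; hashing the user name onto the pool is one stateless way to get the same-backend-per-user behaviour the post says you otherwise have to track yourself.

```python
import hashlib
import hmac

# Constructed backend pool and credential store (hypothetical values, not from
# the thread). Passwords are stored as plain SHA-256 only to keep the example
# short; a deployment would use a proper password KDF.
BACKENDS = [("10.0.0.11", 143), ("10.0.0.12", 143), ("10.0.0.13", 143)]
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
DUMMY = hashlib.sha256(b"").hexdigest()  # compared against for unknown users
DOWN = set()  # backends an external health check has flagged as unavailable


def pick_backend(user, backends=BACKENDS, down=DOWN):
    """Stateless pinning: hash the user name onto the pool so every connection
    from one user lands on the same backend, and walk forward past backends
    marked down so failover needs no shared session table."""
    start = int(hashlib.sha256(user.encode()).hexdigest(), 16) % len(backends)
    for i in range(len(backends)):
        candidate = backends[(start + i) % len(backends)]
        if candidate not in down:
            return candidate
    return None


def auth_http(headers):
    """Answer one request from nginx's auth_http. `headers` holds the request
    headers nginx sends; the returned dict is the response headers nginx reads."""
    method = headers.get("Auth-Method", "")
    user = headers.get("Auth-User", "")
    password = headers.get("Auth-Pass", "")
    attempt = int(headers.get("Auth-Login-Attempt", "1"))
    if method not in ("plain", "login"):
        # Only cleartext mechanisms can be checked against a stored hash.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    known = user in USERS
    presented = hashlib.sha256(password.encode()).hexdigest()
    # Always run the constant-time compare, even for unknown users, so timing
    # does not reveal whether an account exists.
    match = hmac.compare_digest(USERS.get(user, DUMMY), presented)
    if not (known and match):
        # Auth-Wait makes nginx delay the failure reply; back off further on
        # repeated attempts within the same connection.
        return {"Auth-Status": "Invalid login or password",
                "Auth-Wait": str(min(2 * attempt, 10))}
    backend = pick_backend(user)
    if backend is None:
        return {"Auth-Status": "Temporary server problem, try again later",
                "Auth-Wait": "5"}
    return {"Auth-Status": "OK", "Auth-Server": backend[0],
            "Auth-Port": str(backend[1])}
```

A CGI or WSGI wrapper only needs to copy the incoming headers into the dict and emit the returned dict as response headers with a 200 status.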