Displaying 20 results from an estimated 37 matches for "haproxy_trusted_networks".
2020 Feb 10
2
starttls for some services only
Hi Aki,
On 10.02.20 17:03, Aki Tuomi wrote:
> Try setting
>
> login_trusted_networks = lb-ip/32
>
> See?
> https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks
I do have login_trusted_networks set already. Along with the proxy
protocol (haproxy_trusted_networks = lb-ip) I had to set
login_trusted_networks to 0.0.0.0/0 actually because the proxy protocol
tells dovecot the real clients' IP address and that IP address is the one
actually evaluated for login_trusted_networks. With the plain
authentication being done inside the load balancer's TLS conne...
2017 Oct 26
2
haproxy ssl support
...mode tcp
balance leastconn
stick store-request src
stick-table type ip size 200k expire 30m
timeout connect 5000
timeout server 50000
server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
---
--- dovecot.conf
haproxy_trusted_networks = [2001:db8::]/64
service pop3-login {
inet_listener pop3_haproxy {
port = 10110
haproxy = yes
}
}
---
It would also be nice if haproxy would support STARTTLS offloading but
that's a subject for a different mailing list ;)
--
BR, Rok
2015 Aug 20
2
PROXY protocol
On 19/8/2015 5:43 ??, Stephan Bosch wrote:
> Well...
>
> http://hg.dovecot.org/dovecot-2.2/rev/4d7a83ddb644
>
> Regards,
>
> Stephan.
That was impressive!
Thank you Timo and Stephan. You are superb!
I hope you will be able to provide some basic guidelines on how to
enable/use the new functionality. (I am not very code-literate.)
Looking forward to it!
Thanks again!
2020 Feb 10
0
starttls for some services only
...i Tuomi wrote:
> > Try setting
> >
> > login_trusted_networks = lb-ip/32
> >
> > See?
> > https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks
>
> I do have login_trusted_networks set already. Along with the proxy
> protocol (haproxy_trusted_networks = lb-ip) I had to set
> login_trusted_networks to 0.0.0.0/0 actually because the proxy protocol
> tells dovecot the real clients' IP address and that IP address is the one
> actually evaluated for login_trusted_networks. With the plain
> authentication being done inside the load bala...
2017 Oct 26
1
haproxy ssl support
...stick-table type ip size 200k expire 30m
>> timeout connect 5000
>> timeout server 50000
>> server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
>> server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
>> ---
>>
>> --- dovecot.conf
>> haproxy_trusted_networks = [2001:db8::]/64
>> service pop3-login {
>> inet_listener pop3_haproxy {
>> port = 10110
>> haproxy = yes
>> }
>> }
>> ---
>>
>> It would also be nice if haproxy would support STARTTLS offloading but
>> that's a subject...
2015 Aug 20
2
PROXY protocol
On 20/8/2015 10:35 ??, Tim Groeneveld wrote:
> # This is a list of trusted networks... ips are separated by ", "
> # default, empty
> haproxy_trusted_networks = 10.1.2.0/24, 10.2.1.0/24
>
> # This is the timeout... in seconds.
> # default, 3
> # haproxy_timeout = 3
>
> # modify your inet listeners to include haproxy=yes
> inet_listener {
> haproxy = yes
> }
Thank you Tim,
As soon as I manage to re-build Dovecot with...
2016 Dec 06
2
Dovecot: Mails flagged as read get flagged as unread
...2.24 (a82c823): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.5
auth_username_chars =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@*
default_client_limit = 5000
default_process_limit = 500
disable_plaintext_auth = no
haproxy_trusted_networks = 10.10.189.28,10.10.189.29
imap_capability = IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION
STARTTLS
listen = 10.10.189.25
mail_location = mdbox:%h/mdbox
mail_max_userip_connections = 0
mail_plugins = zlib
mdbox_rotate_size = 10 M
namesp...
2017 Oct 13
2
Question regarding replication - duplicate emails
...6). Also note that HAproxy is prepared but
not in use at all.
# 2.2.33.1 (e9afa7f18): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.20 (7cd71ba)
# OS: FreeBSD 11.1-RELEASE amd64
auth_mechanisms = plain login
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
haproxy_trusted_networks = IPv4_Haproxy IPv6_Haproxy
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_save_to_detail_mailbox = yes
mail_fsync = always
mail_location = sdbox:~/sdbox
mail_plugins = " quota notify replication"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fil...
2017 Mar 18
0
replication issues between two nodes
...otocols = !SSLv2 !SSLv3
Machine A (the best working machine)
# 2.2.28 (bed8434): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.17 (e179378)
# OS: FreeBSD 11.0-RELEASE-p8 amd64
auth_mechanisms = plain login
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
haproxy_trusted_networks = XXXX/X
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_save_to_detail_mailbox = yes
mail_debug = yes
mail_fsync = always
mail_location = mdbox:~/mdbox
mail_plugins = " quota notify replication"
managesieve_notify_capability = mailto
managesieve_sieve_capability = filei...
2020 Jul 03
0
Mail replication fails between v2.2.27 and v2.3.4.1
...d;
-------------- next part --------------
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-11-amd64 x86_64 Debian 9.11
auth_mechanisms = plain login
default_vsz_limit = 512 M
doveadm_password = # hidden, use -P to show it
first_valid_uid = 100
haproxy_trusted_networks = 192.168.0.0/24
mail_location = mdbox:~/mdbox:ALT=/srv/mail/alt/%d/%n
mail_log_prefix = "%Ls[%p]: user=<%u>, "
mail_plugins = " acl notify replication acl stats"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-charact...
2015 Aug 20
0
PROXY protocol
...e basic guidelines on how to
> enable/use the new functionality. (I am not very code-literate.)
Looking through the code, the functionality should not be too hard to
enable using the configuration:
# This is a list of trusted networks... ips are separated by ", "
# default, empty
haproxy_trusted_networks = 10.1.2.0/24, 10.2.1.0/24
# This is the timeout... in seconds.
# default, 3
# haproxy_timeout = 3
# modify your inet listeners to include haproxy=yes
inet_listener {
haproxy = yes
}
As for HAProxy, the configuration would look something like this:
listen smtp :25
mode tcp...
2017 Oct 26
0
haproxy ssl support
...store-request src
> stick-table type ip size 200k expire 30m
> timeout connect 5000
> timeout server 50000
> server proxy1 [2001:db8::11]:10110 send-proxy-v2-ssl
> server proxy2 [2001:db8::22]:10110 send-proxy-v2-ssl
> ---
>
> --- dovecot.conf
> haproxy_trusted_networks = [2001:db8::]/64
> service pop3-login {
> inet_listener pop3_haproxy {
> port = 10110
> haproxy = yes
> }
> }
> ---
>
> It would also be nice if haproxy would support STARTTLS offloading but
> that's a subject for a different mailing list ;)
>...
2015 Aug 21
0
PROXY protocol
...s I manage to re-build Dovecot with the latest snapshot, I'll
> test it!
Hello,
I've built dovecot with today's snapshot from hg
(dovecot-2-2-9f815e781beb) and I am trying to enable haproxy.
I configured as follows (lines added compared to initial config are
marked with +):
+ haproxy_trusted_networks = 62.217.xxx.xxx/29, 2001:648:xxx:xxx::/64
service auth {
+ inet_listener {
+ haproxy = yes
+ }
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener auth-master {
gro...
2017 Oct 21
1
Question regarding replication - duplicate emails
...> # 2.2.33.1 (e9afa7f18): /usr/local/etc/dovecot/dovecot.conf
> > # Pigeonhole version 0.4.20 (7cd71ba)
> > # OS: FreeBSD 11.1-RELEASE amd64
> > auth_mechanisms = plain login
> > disable_plaintext_auth = no
> > doveadm_password = # hidden, use -P to show it
> > haproxy_trusted_networks = IPv4_Haproxy IPv6_Haproxy
> > lda_mailbox_autocreate = yes
> > lda_mailbox_autosubscribe = yes
> > lmtp_save_to_detail_mailbox = yes
> > mail_fsync = always
> > mail_location = sdbox:~/sdbox
> > mail_plugins = " quota notify replication"
> > man...
2020 Oct 25
1
Dovecot replication not picking up new mail in maildir
...t see any issue with the settings. Output of
doveconf -n:
# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# OS: Linux 4.19.118-0-vanilla x86_64 CentOS Linux release 7.8.2003 (Core)
# Hostname: imap1
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
first_valid_uid = 1000
haproxy_trusted_networks = 172.16.0.0/24
mail_location = maildir:~/Mail
mail_plugins = zlib notify replication
mailbox_list_index = yes
mailbox_list_index_include_inbox = yes
maildir_empty_new = yes
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}...
2020 Feb 10
2
starttls for some services only
Hi,
I would like to disable offering starttls to clients for certain dovecot
services.
Background is that I want to let a load balancer do the TLS stuff
right on connect time and let dovecot only do plain imap without
offering starttls (because the clients do imaps actually). Getting rid
of the starttls feature offering works only if I set ssl = no globally
only. Setting it in the service
2016 Jul 06
3
Master-Master replication question
...uded below the configurations from server A and B:
Server A:
# 2.2.25 (7be1766): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.14 (099a97c)
# OS: FreeBSD 10.3-RELEASE-p2 amd64
auth_mechanisms = plain login
disable_plaintext_auth = no
doveadm_password = # hidden, use -P to show it
haproxy_trusted_networks = YYYY
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_save_to_detail_mailbox = yes
mail_debug = yes
mail_fsync = always
mail_location = mdbox:~/mdbox
mail_plugins = " quota notify replication"
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileint...
2015 Oct 13
1
Dovecot - Postfix with HAproxy
...roxy
10465 inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
S
##DOVECOT
# 2.2.19 (719e7f8fd70b): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.9
# OS: Linux 2.6.32-41-pve x86_64 Debian 7.9 simfs
auth_debug = yes
auth_verbose = yes
disable_plaintext_auth = no
*haproxy_timeout = 5 secs**
**haproxy_trusted_networks = x.x.x.x*
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_location = maildir:/mailbox/%d/%n
mail_max_userip_connections = 0
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress compara...
2019 Sep 25
1
'director_tag' field returned from passdb lookup results in 'unknown passdb extra field'
...h_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = yes
director_mail_servers = 192.168.0.1@foo 192.168.0.2@bar 192.168.0.3@foobar
director_servers = x.x.x.x y.y.y.y
director_user_expire = 5 mins
disable_plaintext_auth = no
doveadm_port = 24245
haproxy_trusted_networks = x.x.x.x y.y.y.y 127.0.0.1
login_greeting = Dovecot At Your Service
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
env...
2017 Oct 20
0
Question regarding replication - duplicate emails
...> not in use at all.
>
> # 2.2.33.1 (e9afa7f18): /usr/local/etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.20 (7cd71ba)
> # OS: FreeBSD 11.1-RELEASE amd64
> auth_mechanisms = plain login
> disable_plaintext_auth = no
> doveadm_password = # hidden, use -P to show it
> haproxy_trusted_networks = IPv4_Haproxy IPv6_Haproxy
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> lmtp_save_to_detail_mailbox = yes
> mail_fsync = always
> mail_location = sdbox:~/sdbox
> mail_plugins = " quota notify replication"
> managesieve_notify_capability = mailto...