This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.

Proxying

Dovecot supports proxying IMAP, POP3 and LMTP connections to other hosts. The proxying can be done for all users, or only for some specific users. There are two ways to do the authentication:

  1. Forward the password to the remote server. The proxy may or may not perform authentication itself. This requires that the client uses only plaintext authentication, or alternatively the proxy has access to users' passwords in plaintext.
  2. Let Dovecot proxy perform the authentication and login to remote server using the proxy's master password. This allows client to use also non-plaintext authentication.

The proxy is configured pretty much the same way as login referrals, with the addition of proxy field. The common fields to use for both proxying ways are:

You can use SSL/TLS connection to destination server by returning:

Set login_trusted_networks to point to the proxies in the backends. This way you'll get the clients' actual IP addresses logged instead of the proxy's.

The destination servers don't need to be running Dovecot, but you should make sure that the Dovecot proxy doesn't advertise more capabilities than the destination server can handle. For IMAP you can do this by changing imap_capability setting. For POP3 you'll have to modify Dovecot's sources for now (src/pop3/capability.h). Dovecot also automatically sends updated untagged CAPABILITY reply if it detects that the remote server has different capabilities than what it already advertised to the client, but some clients simply ignore the updated CAPABILITY reply.

v2.2.14+: If your proxy handles a lot of connections (~64k) to the same destination IP you may run out of TCP ports. The only way to work around this is to use either multiple destination IPs or ports, or multiple source IPs. Multiple source IPs can be easily used by adding them to the login_source_ips setting in dovecot.conf. You can also use hostnames which expand to multiple IPs. By prefixing the setting with "?" (e.g. login_source_ips = ?proxy-sources.example.com) Dovecot will use only those IPs that actually exist in the server, allowing you to share the same config file with multiple servers.

Password forwarding

If you don't want proxy itself to do authentication, you can configure it to succeed with any given password. You can do this by returning an empty password and nopassword field.

Master password

This way of forwarding requires the destination server to support master user feature. The users will be normally authenticated in the proxy and the common proxy fields are returned, but you'll need to return two fields specially:

See Authentication/MasterUsers for more information how to configure this.

Example password forwarding SQL configuration

Create the SQL table:

CREATE TABLE proxy (
  user varchar(255) NOT NULL,
  host varchar(16) default NULL,
  destuser varchar(255) NOT NULL default '',
  PRIMARY KEY  (user)
);

Insert data to SQL corresponding your users.

Working data could look like this:

user

host

destuser

john

192.168.0.1

joe

192.168.0.2

joe@example.com

The important parts of dovecot.conf:

# If you want to trade a bit of security for higher performance, change these settings:
service imap-login {
  service_count = 0
}
service pop3-login {
  service_count = 0
}

# If you are not moving mailboxes between hosts on a daily basis you can
# use authentication cache pretty safely.
auth_cache_size = 4096

auth_mechanisms = plain
passdb {
  driver = sql
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}

The important parts of dovecot-sql.conf.ext:

driver = mysql
connect = host=sqlhost1 host=sqlhost2 dbname=mail user=dovecot password=secret
password_query = SELECT NULL AS password, 'Y' as nopassword, host, destuser, 'Y' AS proxy FROM proxy WHERE user = '%u'

Example proxy_maybe SQL configuration

Create the SQL table:

CREATE TABLE users (
  user varchar(255) NOT NULL,
  domain varchar(255) NOT NULL,
  password varchar(100) NOT NULL,
  host varchar(16) NOT NULL,
  home varchar(100) NOT NULL,
  PRIMARY KEY (user)
);

The important parts of dovecot.conf:

# user/group who owns the message files:
mail_uid = vmail
mail_gid = vmail

auth_mechanisms = plain

passdb {
  driver = sql
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
userdb sql {
  driver = sql
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}

The important parts of dovecot-sql.conf.ext:

driver = mysql

password_query = \
  SELECT concat(user, '@', domain) AS user, password, host, 'Y' AS proxy_maybe \
  FROM users WHERE user = '%n' AND domain = '%d'

user_query = SELECT user AS username, domain, home \
  FROM users WHERE user = '%n' AND domain = '%d'

Example proxy LDAP configuration

see: PasswordDatabase/ExtraFields for more information, and a worked out example

PasswordDatabase/ExtraFields/Proxy (last edited 2014-06-16 17:00:33 by TimoSirainen)