ich betreibe zwei redundante Dovecot Server mit einem gemeinsamen Maildir auf einem GlusterFS Volume und einem SQL Backend auf Basis einer gespiegelten MariaDB Datenbank.
Aufgrund der Splitbrain Thematik möchte ich gerne noch zwei Dovecot Director als Proxys vorschalten.
Ich stochere nun schon seit einigen Tagen im Nebel und bin mittlerweile immerhin so weit gekommen, dass sich der Client erfolgreich am Proxy authentifiziert.
Der Proxy leitet die Verbindung auch an die Backend-Server weiter, aber es erfolgt keine Authentifizierung.
Proxy Log
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth-worker(20760): Debug: sql(***@***.**,192.168.1.100,<sNTHFdOcbeDAqAFk>): Finished passdb lookup
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth-worker(20760): Debug: conn unix:auth-worker (pid=20753,uid=112): auth-worker<1>: Finished
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: sql(***@***.**,192.168.1.100,<sNTHFdOcbeDAqAFk>): username changed ***@***.** -> ***
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: sql(***,192.168.1.100,<sNTHFdOcbeDAqAFk>): username changed *** -> ***@***.**
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: sql(***@***.**,192.168.1.100,<sNTHFdOcbeDAqAFk>): Finished passdb lookup
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: auth(***@***.**,192.168.1.100,<sNTHFdOcbeDAqAFk>): Auth request finished
Jan 23 19:48:21 vsrv-***-prx01 dovecot: auth: Debug: client passdb out: OK#0111#011user=***@***.**#011proxy#011ssl=any-cert#011starttls=any-cert#011lip=192.168.20.49#011lport=993#011pass=<hidden>
Jan 23 19:48:21 vsrv-***-prx01 dovecot: imap-login: Debug: Ignoring unknown passdb extra field: lip
Jan 23 19:48:21 vsrv-***-prx01 dovecot: imap-login: Debug: Ignoring unknown passdb extra field: lport
J
Code: Alles auswählen
Jan 23 18:48:51 vsrv-***-mta01 dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=192.168.20.49, lip=192.168.20.28, TLS handshaking: Connection closed, session=<r9yRF9OcZODAqBQx>
Jan 23 18:48:51 vsrv-***-mta01 dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=192.168.20.49, lip=192.168.20.28, TLS handshaking: Connection closed, session=<4C+SF9OcauDAqBQx>
Jan 23 18:48:51 vsrv-***-mta01 dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=192.168.20.49, lip=192.168.20.28, TLS handshaking: Connection closed, session=<KDGSF9OcZuDAqBQx>
Jan 23 18:48:51 vsrv-***-mta01 dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=192.168.20.49, lip=192.168.20.28, TLS handshaking: Connection closed, session=<lwKTF9OcbuDAqBQx>
Proxy Config
# 2.3.9.2 (cf2918cac): /etc/dovecot/dovecot.conf
# OS: Linux 4.15.0-74-generic x86_64 Ubuntu 18.04.3 LTS
# Hostname: vsrv-***-prx01
# Proxy/director node: global settings and the inbox namespace, apparently as printed by `doveconf -n`.
# auth_debug writes every auth lookup to the log, including user names and client IPs
# (see the proxy log in this post); switch it off again once the problem is solved.
auth_debug = yes
# Backend mail servers the director distributes users across.
director_mail_servers = 192.168.20.28 192.168.20.29
# Members of the director ring on port 9090 (192.168.20.49 is this host per the lip= in the log).
director_servers = 192.168.20.49:9090 192.168.20.58:9090
# Permits plaintext mechanisms without TLS; because ssl = required is also set in this dump,
# clients still have to negotiate TLS before they can authenticate.
disable_plaintext_auth = no
# NOTE(review): mbox location looks like a distribution default; presumably unused on a host that only proxies.
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# Inbox namespace with special-use folder flags; it only matters if mail is opened locally.
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
# First passdb on the proxy: SQL lookup (query lives in dovecot-sql.conf, not shown in this post).
# The proxy log in this post shows it returning: proxy, ssl=any-cert, starttls=any-cert, lip, lport.
# - any-cert encrypts the hop to the backend but accepts whatever certificate is presented, so the
#   backend is not authenticated; ssl=yes / starttls=yes verify the certificate instead (this needs
#   a CA the proxy trusts and a host name that matches the backend certificate).
# - lip and lport are logged as "unknown passdb extra field" and ignored; they are not proxy fields.
#   NOTE(review): if the intent was to select the backend port, the proxy field is `port`.
# - NOTE(review): ssl (TLS from the first byte) and starttls are both returned; normally only one
#   fits a given backend port -- confirm against the query.
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
# Second passdb: PAM, i.e. local system accounts.
# NOTE(review): a login that SQL does not match would fall through to PAM here and carry no
# proxy field -- confirm that system-account logins are wanted on a proxy-only host.
passdb {
driver = pam
}
# Enabled protocols and the director/login services on the proxy.
# Only IMAP is enabled, so the pop3-login service further down is presumably unused.
protocols = " imap"
service director {
# Director ring listener.
# NOTE(review): allow port 9090 only from the other director (192.168.20.58) at the firewall;
# confirm whether anything else authenticates ring peers.
inet_listener {
port = 9090
}
# Socket the login processes use to ask the director for a backend. 0666 is what the documented
# director example uses. NOTE(review): check that the enclosing login/ directory limits who can reach it.
unix_listener login/director {
mode = 0666
}
}
# "director" argument: imap-login asks the director which backend to use for the user.
service imap-login {
executable = imap-login director
}
service pop3-login {
executable = pop3-login director
}
# TLS settings for client connections to the proxy.
# TLS is mandatory: authentication attempts before TLS is established are rejected.
ssl = required
ssl_cert = </etc/dovecot/private/***-**-fullchain.pem
# NOTE(review): this line ends in "kE$" and looks cut off by the terminal or pager; the backend
# dump in this post carries the full string. "+SSLv3" in an OpenSSL cipher string only moves those
# ciphers to the end of the list, it does not enable the SSLv3 protocol. Protocol versions are set
# by ssl_min_protocol, which is not listed here and is therefore presumably at its default.
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kE$
# Key material is masked by the dump ("use -P to show it"); keep it that way when posting configs.
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
# User database on the proxy: same SQL configuration file as the passdb.
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
# NOTE(review): lmtp is not in "protocols" and no director-userdb listener appears in this dump,
# so this block presumably has no effect as posted.
protocol lmtp {
auth_socket_path = director-userdb
}
Code: Alles auswählen
# 2.3.9.2 (cf2918cac): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.9 (db4e9a2f)
# OS: Linux 4.15.0-72-generic x86_64 Ubuntu 18.04.3 LTS
# Hostname: vsrv-**-mta01.**.**.***.**
# Backend node (mta01): global settings and the inbox namespace.
# NOTE(review): no login_trusted_networks appears in this dump, so the backend logs the proxy
# address (rip=192.168.20.49 in the log in this post) instead of the real client IP. If it is added,
# limit it to the two director addresses: trusted networks may override the client IP and are
# exempt from disable_plaintext_auth.
# auth_debug logs user names and client IPs for every lookup; switch it off after debugging.
auth_debug = yes
# PLAIN and LOGIN both transmit the password itself; only TLS (ssl = required in this dump) protects it.
auth_mechanisms = plain login
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
# fsync, NFS and mmap settings for a shared/network filesystem (GlusterFS according to the post).
mail_fsync = always
# All mail is accessed under the single vmail uid/gid (mail_gid here, mail_uid below).
mail_gid = vmail
mail_home = /var/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
mail_nfs_index = yes
mail_nfs_storage = yes
# mail_crypt: mail is stored encrypted (parameters are in the plugin section of this dump).
mail_plugins = " notify mail_crypt"
mail_privileged_group = vmail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext imapsieve vnd.dovecot.imapsieve
mmap_disable = yes
# Inbox namespace; the special-use folders are created and subscribed automatically.
namespace inbox {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
}
# Backend password database (SQL) and plugin settings.
# The proxy forwards the client's credentials, so this lookup must accept the same user name
# and password the proxy received.
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
plugin {
# IMAPSieve: copying a message into "Spam", or out of "Spam" into any other folder, runs the
# global learn-spam / learn-ham scripts.
imapsieve_mailbox1_before = file:/var/vmail/sieve/global/learn-spam.sieve
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_name = Spam
imapsieve_mailbox2_before = file:/var/vmail/sieve/global/learn-ham.sieve
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_from = Spam
imapsieve_mailbox2_name = *
# mail_crypt parameters: EC curve used for key pairs and the storage format version.
mail_crypt_curve = brainpoolP512r1
mail_crypt_require_encrypted_user_key = # hidden, use -P to show it
mail_crypt_save_version = 2
quota = maildir:User quota
quota_exceeded_message = Benutzer %u hat das Speichervolumen überschritten. / User %u has exhausted allowed storage space.
# Per-user Sieve scripts, preceded by a global spam script.
sieve = file:/var/vmail/sieve/%d/%n/scripts;active=/var/vmail/sieve/%d/%n/active-script.sieve
sieve_before = /var/vmail/sieve/global/spam-global.sieve
# vnd.dovecot.pipe is listed under sieve_global_extensions, i.e. it is available to global
# scripts only, not to users' own scripts.
sieve_global_extensions = +vnd.dovecot.pipe
# NOTE(review): with /usr/bin as the pipe directory a global script can call any program there;
# a dedicated directory holding only the learn-spam/learn-ham helpers would narrow this.
sieve_pipe_bin_dir = /usr/bin
sieve_plugins = sieve_imapsieve sieve_extprograms
}
# Protocols and service listeners on the backend.
protocols = imap lmtp sieve
service auth {
# SASL socket inside the Postfix spool; access limited to user/group postfix (0660).
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
# userdb lookups for processes running as vmail.
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
service imap-login {
# Plain IMAP port; with ssl = required a client (or the proxy) has to issue STARTTLS before login.
# NOTE(review): the proxy's passdb returns both ssl= and starttls= -- confirm which backend port
# it actually connects to; TLS from the first byte does not fit a STARTTLS port.
inet_listener imap {
port = 143
}
}
service lmtp {
# LMTP delivery socket for Postfix; access limited to user/group postfix (0660).
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0660
user = postfix
}
user = vmail
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
}
# TLS settings on the backend; they also apply to the connection coming in from the proxy.
ssl = required
# Let's Encrypt certificate. For the proxy to verify it (ssl=yes / starttls=yes instead of
# any-cert), the name the proxy connects to has to match this certificate.
ssl_cert = </etc/letsencrypt/live/******/fullchain.pem
# "+SSLv3" only reorders ciphers within the list; it does not enable the SSLv3 protocol.
# NOTE(review): the trailing CAMELLIA128-SHA and AES128-SHA use RSA key exchange without forward
# secrecy; drop them if no client still needs them.
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
# Key material is masked by the dump ("use -P to show it"); keep it that way when posting configs.
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
# Backend user database and per-protocol overrides.
userdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}
protocol imap {
imap_idle_notify_interval = 29 mins
# Limit per user and source IP. NOTE(review): behind the proxy every connection arrives from the
# proxy address (rip=192.168.20.49 in the log in this post), so this presumably counts per user
# per proxy rather than per client IP.
mail_max_userip_connections = 20
mail_plugins = " notify mail_crypt quota imap_quota imap_sieve"
}
protocol lmtp {
mail_plugins = " notify mail_crypt sieve"
postmaster_address = postmaster@***.**
}