Dovecot proxying to some backend using LOGIN proxy_mech


Dovecot proxying to some backend using LOGIN proxy_mech

Dovecot mailing list

Hello list,

I am currently testing a setup for a PoC with this configuration.

- 1 x Frontend dovecot for proxying IMAP/POP3/LMTP/ManageSieve/Submission
- 2 x Backend dovecot with local mail storage

The frontend does the user authentication and communicates with the backends using a master password.
The frontend accepts PLAIN and LOGIN auth mechanisms and talks with the backends using the PLAIN auth mechanism (with the master password).
This works very well, it's cool.

Then, I've added to this setup an existing mail server (running another mailserver software) as a 3rd backend, and would like the frontend to also proxy for this, but this time not using the master password.
This is working for IMAP/POP3 when it uses PLAIN auth, but not for Submission. The backend server in this case only accepts LOGIN auth and not PLAIN on port 587.

So I found out there is a field in the passdb we can add (proxy_mech), and I've set it to LOGIN.

The frontend now seems to use the LOGIN auth mech to talk to this 3rd backend, but the authentication still fails.
According to the backend logs, it seems dovecot proxy is now using LOGIN auth, but sends garbage as username and/or password.
Also IMAP, which was working when using PLAIN, doesn't work anymore with LOGIN.

Might this be a bug, or is this setup not supported at all?


Passdb MySQL table on frontend:

mysql> describe users;
+-------------+--------------+------+-----+---------+-------+
| Field       | Type         | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------+-------+
| user        | varchar(255) | NO   | PRI | NULL    |       |
| domain      | varchar(255) | NO   | PRI | NULL    |       |
| password    | varchar(255) | YES  |     | NULL    |       |
| displayname | varchar(255) | YES  |     | NULL    |       |
| host        | varchar(16)  | NO   |     | NULL    |       |
| usemaster   | tinyint(1)   | NO   |     | 1       |       |
| proxy_mech  | varchar(20)  | YES  |     | NULL    |       |
| starttls    | varchar(20)  | YES  |     | NULL    |       |
+-------------+--------------+------+-----+---------+-------+

mailstore-01/02 are dovecot backends.
otherhost is the other mailserver I would also like to proxy through the dovecot proxy.

+---------+-----------------+-----------------------------------------+----------------+--------------+-----------+------------+----------+
| user    | domain          | password                                | displayname    | host         | usemaster | proxy_mech | starttls |
+---------+-----------------+-----------------------------------------+----------------+--------------+-----------+------------+----------+
| user1   | somedomain.com  | {SHA512-CRYPT}<some_crypted_pass>       | Joe Black      | mailstore-01 |         1 | NULL       | NULL     |
| user2   | otherdomain.com | {SHA512-CRYPT}<some_crypted_pass>       | Mr. Smith      | mailstore-02 |         1 | NULL       | NULL     |
| user3   | area13.com      | NULL                                    | Donald Duck    | otherhost    |         0 | LOGIN      | any-cert |
| user4   | area13.com      | NULL                                    | Thanks Obama   | otherhost    |         0 | LOGIN      | any-cert |
+---------+-----------------+-----------------------------------------+----------------+--------------+-----------+------------+----------+

 

Passdb query (the else branch of the pass field reads the table's password column; the table has no pass column):

password_query = \
  SELECT concat(user, '@', domain) AS user, password, host, 'Y' AS proxy, \
    IF(usemaster is TRUE, 'supermasteruserl', NULL) as master, \
    IF(usemaster is TRUE, 'supermasterpassword', password) as pass, \
    IF(usemaster is FALSE, 'Y', NULL) as nopassword, \
    proxy_mech, \
    starttls \
    FROM users WHERE user = '%n' AND domain = '%d'

 

Some questions I'm asking myself:

Is proxying using the LOGIN proxy_mech supported at all to auth on backends?
Is dovecot proxying to "otherhost" supposed to decode the original client auth (using PLAIN) and translate it to LOGIN format to auth with "otherhost"?


# otherhost port 587 log

Without specifying proxy_mech:

[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] cmd: EHLO dovecotproxy.local.domain
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] rsp: 250-dovecotproxy.local.domain Hello [192.168.60.220]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] cmd: AUTH PLAIN <base64string>
[2019.09.19] 09:27:22.167 [192.168.60.220][3070269] rsp: 504 Unrecognized authentication type.

When using proxy_mech LOGIN:

[2019.09.20] 08:24:45.201 [192.168.60.220][24148464] cmd: AUTH LOGIN =
[2019.09.20] 08:24:45.201 [192.168.60.220][24148464] Exception: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
[2019.09.20] 08:24:45.201 [192.168.60.220][24148464] rsp: 535 Authentication failed

# otherhost port 143 log

Works without specifying proxy_mech.

When using proxy_mech LOGIN (fails):

[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] connected at 20.09.2019 03:37:20
[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] command: C CAPABILITY
[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] response: * CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN UIDPLUS QUOTA XLIST CHILDREN ENABLE IDLE STARTTLS
[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] response: C OK CAPABILITY completed
[2019.09.20] 03:37:20.896 [192.168.60.220][26310645] command: L AUTHENTICATE LOGIN
[2019.09.20] 03:37:20.927 [192.168.60.220][26310645] disconnected at 20.09.2019 03:37:20


I hope I explained my setup so it's kinda understandable. I'm not good at explaining things :)

Thank you for your help!

root@mailfront-01:~# dovecot --version
2.3.7.2 (3c910f64b)

Sébastien RICCIO
SYSTEM ADMINISTRATOR



RE: Dovecot proxying to some backend using LOGIN proxy_mech

Dovecot mailing list

Hello list,

Pardon me for bumping this topic, but has anyone had (positive?) experience with dovecot proxying using the LOGIN proxy_mech instead of PLAIN?
I tried to resolve this on my own, but I have no path to follow yet. I'm not even sure if this is supposed to work 😊

Kind regards

--SR


From: dovecot <[hidden email]> On Behalf Of Sébastien Riccio via dovecot
Sent: Saturday, 21 September 2019 12:33
To: [hidden email]
Subject: Dovecot proxying to some backend using LOGIN proxy_mech

 



Re: Dovecot proxying to some backend using LOGIN proxy_mech

Dovecot mailing list


On 21/09/2019 12:32, Sébastien Riccio via dovecot wrote:

>
> Hello list,
>
> I am currently testing a setup for a PoC with this configuration.
>
> - 1 x Frontend dovecot for proxying IMAP/POP3/LMTP/ManageSieve/Submission
>
> - 2 x Backend dovecot with local mail storage
>
> The frontend does the user authentication and communicates with the
> backends using a master password
>
> The frontend accepts PLAIN and LOGIN auth mechanisms and talks with
> backends using PLAIN auth mechanism (with the master password).
>
> This works very well, it's cool.
>
> Then, I've added to this setup an existing mail server (running
> another mailserver software) as a 3rd backend, and would like the
> frontend to also proxy for this, but this time not using master password.
>
> This is working for IMAP/POP3 when it uses PLAIN auth, but not for
> Submission. The backend server in this case only accepts LOGIN auth
> and not PLAIN on port 587.
>
> So I found out there is a field in the passdb we can add (proxy_mech),
> and I've set it to LOGIN.
>
> The frontend seems to now use LOGIN auth mech to talk to this 3rd
> backend, but the authentication still fails.
>
> According to the backend logs, it seems dovecot proxy is now using
> LOGIN auth, but sends garbage as username and/or password.
>
> Also IMAP that was working when using PLAIN doesn't work anymore with
> LOGIN.
>

The Dovecot proxy is not strictly meant for proxying towards something
other than Dovecot and you seem to have stumbled upon a bug/design
flaw/protocol deviation in the client-side SASL LOGIN mechanism. An
initial SASL response is sent (empty) even though the LOGIN mechanism
doesn't define one.

Regards,

Stephan.



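The protocol deviation Stephan points at, as an added example that is not Dovecot's code nor anything posted in the thread: a small parser for the SMTP AUTH line as RFC 4954 defines it, a check that flags an initial response sent for a mechanism that defines none (the backend log's `AUTH LOGIN =`, where `=` stands for a zero-length initial response), and the client lines a proxy should send when re-authenticating with PLAIN versus LOGIN. The user name and password in the demo are constructed.

```python
import base64

# Mechanisms that define an initial client response: PLAIN (RFC 4616) does,
# the never-standardised LOGIN mechanism does not.
MECHS_WITH_INITIAL_RESPONSE = {"PLAIN"}

def parse_auth_command(line):
    """Parse an SMTP 'AUTH <mech> [initial-response]' line (RFC 4954).
    Returns (mechanism, initial_response): None when no initial response was
    sent, b"" when the client sent the literal "=" (zero-length response)."""
    parts = line.strip().split(" ")
    if len(parts) not in (2, 3) or parts[0].upper() != "AUTH":
        raise ValueError("malformed AUTH command: %r" % line)
    mech = parts[1].upper()
    if len(parts) == 2:
        return mech, None
    if parts[2] == "=":
        return mech, b""
    try:
        return mech, base64.b64decode(parts[2], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("initial response is not valid base64") from exc

def check_initial_response(line):
    """Return a diagnostic for a first AUTH line, or None if it is well-formed.
    'AUTH LOGIN =' from the thread's backend log trips this check: it carries
    a (zero-length) initial response for a mechanism that defines none."""
    mech, initial = parse_auth_command(line)
    if initial is not None and mech not in MECHS_WITH_INITIAL_RESPONSE:
        return "%s defines no initial response, but one was sent" % mech
    return None

def decode_plain(initial):
    """Split a decoded PLAIN response into (authzid, authcid, passwd), RFC 4616."""
    fields = initial.split(b"\0")
    if len(fields) != 3:
        raise ValueError("PLAIN response must be authzid NUL authcid NUL passwd")
    return tuple(f.decode("utf-8") for f in fields)

def proxy_auth_lines(mech, username, password):
    """Client lines a proxy should send to re-authenticate as the user with the
    given mechanism. With LOGIN the first line has no initial response; the
    base64 username and password are sent only after the server's 334 prompts."""
    def b64(text):
        return base64.b64encode(text.encode("utf-8")).decode("ascii")
    if mech == "PLAIN":
        return ["AUTH PLAIN " + b64("\0%s\0%s" % (username, password))]
    if mech == "LOGIN":
        return ["AUTH LOGIN", b64(username), b64(password)]
    raise ValueError("unsupported mechanism: " + mech)

if __name__ == "__main__":
    # Constructed sample: the failing line from the backend log, then the
    # lines the proxy should have sent for a made-up user and password.
    print(check_initial_response("AUTH LOGIN ="))
    print(proxy_auth_lines("LOGIN", "user3@area13.com", "example-password"))
```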