Proxying
========

Dovecot supports proxying IMAP, POP3 and <LMTP.txt> connections to other hosts.
The proxying can be done for all users, or only for some specific users. There
are two ways to do the authentication:

 1. Forward the password to the remote server. The proxy may or may not perform
    authentication itself. This requires that the client uses only plaintext
    authentication, or alternatively the proxy has access to users' passwords
    in plaintext.
 2. Let Dovecot proxy perform the authentication and login to remote server
    using the proxy's <master password> [MasterPassword.txt]. This allows
    client to use also non-plaintext authentication.

The proxy is configured pretty much the same way as <login referrals>
[PasswordDatabase.ExtraFields.Host.txt], with the addition of 'proxy' field.
The common fields to use for both proxying ways are:

 * 'proxy' and 'proxy_maybe': Enables the proxying. Either one of these fields
   is required.
    * 'proxy_maybe' can be used to implement "automatic proxying". If the proxy
      destination matches the current connection, the user gets logged in
      normally instead of being proxied. If the same happens with 'proxy', the
      login fails with "Proxying loops" error.
       * 'proxy_maybe' with LMTP requires v2.1.0+
       * 'proxy_maybe' with 'host=<dns name>' requires v2.1.2+.
    * 'proxy_always' can be used with 'proxy_maybe' to conditionally do
      proxying to specified remote host (host isn't self) or to let director
      assign a backend host (host is self). So basically this setting just
      always sends the 'proxy' extra field to login process, but not
      necessarily the 'host'. Useful when dividing users across multiple
      director clusters.
 * 'host=s': The destination server's *IP address*. This field is required.
 * 'port=s': The destination server's port. The default is 143 with IMAP and
   110 with POP3.
 * 'destuser=s': Tell client to use a different username when logging in.
 * 'proxy_timeout': Abort connection after this many seconds.

You can use SSL/TLS connection to destination server by returning:

 * 'ssl=yes': Use SSL and require a valid verified remote certificate.
   *WARNING: Unless used carefully, this is an insecure setting!* Before
   v2.0.16/v2.1.beta1 the host name isn't checked in any way against the
   certificate's CN. The only way to use this securely is to only use and allow
   your own private CA's certs, anything else is exploitable by a
   man-in-the-middle attack.
 * 'ssl=any-cert': Use SSL, but don't require a valid remote certificate.
 * 'starttls': Use STARTTLS command instead of doing SSL handshake immediately
   after connected.
 * 'starttls=any-cert': Combine starttls and ssl=any-cert.
 * Additionally you can also tell Dovecot to send SSL client certificate to the
   remote server using 'ssl_client_cert' and 'ssl_client_key' settings in
   'dovecot.conf' (v2.0.17+).

Set 'login_trusted_networks' to point to the proxies in the backends. This way
you'll get the clients' actual IP addresses logged instead of the proxy's.

The destination servers don't need to be running Dovecot, but you should make
sure that the Dovecot proxy doesn't advertise more capabilities than the
destination server can handle. For IMAP you can do this by changing
'imap_capability' setting. For POP3 you'll have to modify Dovecot's sources for
now ('src/pop3/capability.h'). Dovecot also automatically sends updated
untagged CAPABILITY reply if it detects that the remote server has different
capabilities than what it already advertised to the client, but some clients
simply ignore the updated CAPABILITY reply.

Password forwarding
-------------------

If you don't want proxy itself to do authentication, you can configure it to
succeed with any given password. You can do this by returning an empty password
and 'nopassword' field.

Master password
---------------

This way of forwarding requires the destination server to support master user
feature. The users will be normally authenticated in the proxy and the common
proxy fields are returned, but you'll need to return two fields specially:

 * 'master=s': This contains the master username (e.g. "proxy"). It's used as
   SASL auhentication ID.
    * Alternatively you could return 'destuser=user*master' and set
      'auth_master_user_separator = *'.
 * 'pass=s': This field contains the master user's password.

See <Authentication.MasterUsers.txt> for more information how to configure
this.

Example password forwarding SQL configuration
---------------------------------------------

Create the SQL table:

---%<-------------------------------------------------------------------------
CREATE TABLE proxy (
  user varchar(255) NOT NULL,
  host varchar(16) default NULL,
  destuser varchar(255) NOT NULL default '',
  PRIMARY KEY  (user)
);
---%<-------------------------------------------------------------------------

Insert data to SQL corresponding your users.

Working data could look like this:
+------+-------------+-----------------+
| user | host        | destuser        |
+------+-------------+-----------------+
| john | 192.168.0.1 |                 |
+------+-------------+-----------------+
| joe  | 192.168.0.2 | joe@example.com |
+------+-------------+-----------------+

The important parts of 'dovecot.conf':

---%<-------------------------------------------------------------------------
# If you want to trade a bit of security for higher performance, change these
settings:
service imap-login {
  service_count = 0
}
service pop3-login {
  service_count = 0
}

# If you are not moving mailboxes between hosts on a daily basis you can
# use authentication cache pretty safely.
auth_cache_size = 4096

auth_mechanisms = plain
passdb {
  driver = sql
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
---%<-------------------------------------------------------------------------

The important parts of 'dovecot-sql.conf.ext':

---%<-------------------------------------------------------------------------
driver = mysql
connect = host=sqlhost1 host=sqlhost2 dbname=mail user=dovecot password=secret
password_query = SELECT NULL AS password, 'Y' as nopassword, host, destuser,
'Y' AS proxy FROM proxy WHERE user = '%u'
---%<-------------------------------------------------------------------------

Example proxy_maybe SQL configuration
-------------------------------------

Create the SQL table:

---%<-------------------------------------------------------------------------
CREATE TABLE users (
  user varchar(255) NOT NULL,
  domain varchar(255) NOT NULL,
  password varchar(100) NOT NULL,
  host varchar(16) NOT NULL,
  home varchar(100) NOT NULL,
  PRIMARY KEY (user)
);
---%<-------------------------------------------------------------------------

The important parts of 'dovecot.conf':

---%<-------------------------------------------------------------------------
# user/group who owns the message files:
mail_uid = vmail
mail_gid = vmail

auth_mechanisms = plain

passdb {
  driver = sql
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
userdb sql {
  driver = sql
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
}
---%<-------------------------------------------------------------------------

The important parts of 'dovecot-sql.conf.ext':

---%<-------------------------------------------------------------------------
driver = mysql

password_query = \
  SELECT concat(user, '@', domain) AS user, password, host, 'Y' AS proxy_maybe
\
  FROM users WHERE user = '%n' AND domain = '%d'

user_query = SELECT user AS username, domain, home \
  FROM users WHERE user = '%n' AND domain = '%d'
---%<-------------------------------------------------------------------------

Example proxy LDAP configuration
--------------------------------

see: <PasswordDatabase.ExtraFields.txt> for more information, and a worked out
example

(This file was created from the wiki on 2013-11-24 04:42)