Hi List,
I have a Dovecot which proxies to different backends depending on an entry in a
MySQL database. The MySQL query sets 'ssl' to 'any-cert' and this works fine.
But this causes me a problem: sieve backends only support STARTTLS, and if I set
'ssl' to 'any-cert' (or yes), it will attempt a TLS connection to the
sieve backends, which fails.
My attempt was to alter the query to include %{real_lport} and return 'ssl=no'
and 'starttls=any-cert' if the port matches the sieve port. It works as
expected in that it returns the correct values and proxies to the correct
backend.
However, it seems that TLS is no longer working and I get timeouts from the
backends.
Debug: client passdb out: OK 1 [email protected] proxy
proxy_nopipelining=y host=backend1.example.com nodelay=y nologin
starttls=no ssl=any-cert hostip=so.me.i.p pass=<hidden>
results in:
Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error:
proxy([email protected]): Login for so.me.i.p:993 timed out in state=/none
(after 30 secs, local=lo.cal.i.p:60524): user=<[email protected]>,
method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS,
session=<OySXgw12auwgARYIAAYABwAAAAAAAwAU>
My query looks like this:
password_query = SELECT host, NULL AS password, 'y' AS nopassword,
'y' AS proxy, NULL AS destuser, 'y' AS proxy_nopipelining, 'y' AS nodelay,
'y' AS nologin, IF(%{real_lport}=4190, 'any-cert', 'no') AS starttls,
IF(%{real_lport}<>4190, 'any-cert', 'no') AS ssl FROM proxy_domain;
As soon as I remove the starttls-part and the passdb only returns ssl=any-cert
(without starttls=no) it works flawlessly.
Is it possible that I am attacking the problem the wrong way? Or is it not
possible to set both starttls and ssl to some values in passdb and
enable/disable them as needed?
Thanks for any input :)
Cheers,
Filias
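An added example, not from the original post: a variant of the query above that returns NULL rather than 'no' for the TLS field that does not apply, so that only one of ssl/starttls is emitted per listening port. It assumes that Dovecot's SQL passdb drops NULL-valued columns from the returned extra fields, keeps the post's table name proxy_domain and sieve port 4190, and omits any WHERE clause the original query may have had.

```sql
-- Added example (not the poster's query): return only the TLS field that
-- applies to the port the proxy accepted the connection on.
-- Assumption: a NULL column is dropped from the passdb result, so on the
-- IMAP port only ssl=any-cert is returned and on 4190 only starttls=any-cert.
password_query = SELECT host, \
  NULL AS password, 'y' AS nopassword, 'y' AS proxy, NULL AS destuser, \
  'y' AS proxy_nopipelining, 'y' AS nodelay, 'y' AS nologin, \
  IF(%{real_lport} = 4190, 'any-cert', NULL) AS starttls, \
  IF(%{real_lport} = 4190, NULL, 'any-cert') AS ssl \
  FROM proxy_domain
```

The second IF is the exact complement of the first, so the two fields can never both carry a value for the same connection.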