I tried some more things, such as setting starttls=NULL or ssl=NULL, which does the same as setting it to "no". Interestingly, if I set ssl=NULL and don't set starttls at all, it still tries an SSL connection to the backend.

Is there no way to use starttls or ssl depending on a variable? It could also be possible that I have starttls-backends and ssl-backends, which would be a similar use-case to my sieve-thing, I think.

Cheers,
Filias

> On 17.09.2018 at 11:54, Filias Heidt <f...@netzkommune.com> wrote:
>
> Hi List,
>
> I have a dovecot which proxies to different backends depending on an entry in a mysql-database. The mysql-query sets 'ssl' to 'any-cert' and this works fine. But this causes me a problem: sieve-backends only support STARTTLS and if I set 'ssl' to 'any-cert' (or yes), it will attempt a TLS-connection to the sieve-backends, which fails.
>
> My attempt was to alter the query to include %{real_lport} and return 'ssl=no' and 'starttls=any-cert' if the port matches the sieve-port. It works as expected in that it returns the correct values and proxies to the correct backend.
>
> However, it seems that TLS is no longer working and I get timeouts from the backends.
>
> Debug: client passdb out: OK 1 user=someu...@example.com proxy proxy_nopipelining=y host=backend1.example.com nodelay=y nologin starttls=no ssl=any-cert hostip=so.me.i.p pass=<hidden>
>
> results in:
> Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error: proxy(someu...@example.com): Login for so.me.i.p:993 timed out in state=/none (after 30 secs, local=lo.cal.i.p:60524): user=<someu...@example.com>, method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p, TLS, session=<OySXgw12auwgARYIAAYABwAAAAAAAwAU>
>
> My query looks like this:
> password_query = SELECT host from proxy_domain, NULL as password, 'y' as nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y' as nodelay, 'y' as nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as 'starttls', IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl';
>
> As soon as I remove the starttls-part and the passdb only returns ssl=any-cert (without starttls=no) it works flawlessly.
>
> Is it possible that I am attacking the problem the wrong way? Or is it not possible to set both starttls and ssl to some values in passdb and enable/disable them as needed?
>
> Thanks for any input :)
>
> Cheers,
> Filias
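As an added example (not part of the thread or of Dovecot), the following Python parses a "client passdb out" debug line like the one quoted above into its proxy fields and compares the starttls/ssl pair against what the per-port IF() query is meant to return, so that a mismatch between the local port and the returned fields shows up in the log before chasing backend timeouts. The sample line, port number 4190 for ManageSieve and the host/IP values are constructed placeholders; whether Dovecot accepts both fields at once is not settled in the thread, so this only checks the returned values against the poster's intent.

```python
import re

# Constructed sample modelled on the debug line quoted in the thread
# (placeholder user, host and documentation-range IP, not real systems).
SAMPLE_PASSDB_OUT = (
    "client passdb out: OK 1 user=someuser@example.com proxy "
    "proxy_nopipelining=y host=backend1.example.com nodelay=y "
    "nologin starttls=no ssl=any-cert hostip=192.0.2.10 pass=<hidden>"
)

SIEVE_PORT = 4190  # ManageSieve; the thread notes it only offers STARTTLS


def parse_passdb_out(line):
    """Split a Dovecot 'client passdb out' debug line into (status, fields).

    Bare words such as 'proxy' and 'nologin' are flags and get the value 'y';
    'key=value' tokens become key/value pairs ('pass=<hidden>' stays as is).
    """
    m = re.search(r"client passdb out: (\S+) (\d+) (.*)$", line)
    if not m:
        raise ValueError("not a 'client passdb out' line")
    status, _, rest = m.groups()
    fields = {}
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else "y"
    return status, fields


def expected_tls_fields(real_lport):
    """The starttls/ssl pair the poster's IF() query intends for a local port."""
    if real_lport == SIEVE_PORT:
        return {"starttls": "any-cert", "ssl": "no"}
    return {"starttls": "no", "ssl": "any-cert"}


def check_tls_fields(fields, real_lport):
    """Return a list of human-readable mismatches (empty when consistent)."""
    want = expected_tls_fields(real_lport)
    return [
        f"{k}: got {fields.get(k, '<unset>')!r}, expected {v!r}"
        for k, v in want.items()
        if fields.get(k) != v
    ]


if __name__ == "__main__":
    status, fields = parse_passdb_out(SAMPLE_PASSDB_OUT)
    for port in (993, SIEVE_PORT):
        print(port, check_tls_fields(fields, port) or "fields consistent with intent")
```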