The problem is that due to how it was done some ages ago, the passdb
result items are treated so that presence means "use it". If you return
'proxy' it means same as 'proxy=y' or 'proxy=yes'.
We are considering on changing this so that it would actually require a
k=v type of syntax, but it's going to be a breaking change.
Aki
On 18.09.2018 11:33, Filias Heidt wrote:
> I tried some more things, such as setting starttls=NULL or ssl=NULL, which
> does the same as setting it to „no“. Interestingly, if I set ssl=NULL and
> don’t set starttls at all, it still tries an SSL connection to the backend.
>
> Is there no way to use starttls or ssl depending on a variable? It could also
> be possible that I have starttls-backends and ssl-backends which would be a
> similar use-case to my sieve-thing, I think.
>
> Cheers,
> Filias
>
>> Am 17.09.2018 um 11:54 schrieb Filias Heidt <f...@netzkommune.com>:
>>
>> Hi List,
>>
>> I have a dovecot which proxies to different backends depending on an entry
>> in a mysql-database. The mysql-query sets ‚ssl‘ to ‚any-cert‘ and this works
>> fine. But this causes me a problem: sieve-backends only support STARTTLS and
>> if I set ‚ssl‘ to ‚any-cert‘ (or yes), it will attempt a TLS-connection to
>> the sieve-backends, which fails.
>>
>> My attempt was to alter the query to include %{real_lport} and return
>> ‚ssl=no‘ and ‚starttls=any-cert‘ if the port matches the sieve-port. It
>> works as expected in that it returns the correct values and proxies to the
>> correct backend.
>>
>> However it seems that TLS is no longer working and I get timeouts from the
>> backends.
>>
>> Debug: client passdb out: OK 1 user=someu...@example.com proxy
>> proxy_nopipelining=y host=backend1.example.com nodelay=y
>> nologin starttls=no ssl=any-cert hostip=so.me.i.p pass=<hidden>
>>
>> results in:
>> Sep 17 11:08:47 imapproxy1 dovecot: imap-login: Error:
>> proxy(someu...@example.com): Login for so.me.i.p:993 timed out in
>> state=/none (after 30 secs, local=lo.cal.i.p:60524):
>> user=<someu...@example.com>, method=PLAIN, rip=re.mo.te.ip, lip=lo.cal.i.p,
>> TLS, session=<OySXgw12auwgARYIAAYABwAAAAAAAwAU>
>>
>> My query looks like this:
>> password_query = SELECT host from proxy_domain, NULL as password, 'y' as
>> nopassword, 'y' as proxy, NULL as destuser, 'y' as proxy_nopipelining, 'y'
>> as nodelay, 'y' as nologin, IF(%{real_lport}=4190, 'any-cert', 'no') as
>> 'starttls', IF(%{real_lport}<>4190, 'any-cert', 'no') as 'ssl‘;
>>
>> As soon as I remove the starttls-part and the passdb only returns
>> ssl=any-cert (without starttls=no) it works flawlessly.
>>
>> Is it possible that I am attacking the problem the wrong way? Or is it not
>> possible to set both starttls and ssl to some values in passdb and
>> enable/disable them as needed?
>>
>> Thanks for any input :)
>>
>> Cheers,
>> Filias
