> On 10/02/2020 19:17 Bjoern Jacke <lists2...@j3e.de> wrote:
>
> > Hi Aki,
> >
> > On 10.02.20 17:03, Aki Tuomi wrote:
> > > Try setting
> > >
> > > login_trusted_networks = lb-ip/32
> > >
> > > See
> > > https://doc.dovecot.org/settings/dovecot_core_settings/#login-trusted-networks
> >
> > I do have login_trusted_networks set already. Along with the proxy
> > protocol (haproxy_trusted_networks = lb-ip) I had to set
> > login_trusted_networks to 0.0.0.0/0 actually because the proxy protocol
> > tells dovecot the real clients' IP address and that IP address is the one
> > actually evaluated for login_trusted_networks. With the plain
> > authentication being done inside the load balancer's TLS connection this
> > is more or less obvious that this is needed in that case.
> >
> > But those settings don't change the pity: ssl=no is globally required to
> > make the starttls options disappear for imap-login - but with ssl=no
> > globally I don't see a possibility to enable the starttls option for
> > other services like managesieve for example.
> >
> > Thanks
> > Björn
With haproxy you need to

- configure HAproxy to use the PROXYv1 or PROXYv2 protocol to pass connection details to dovecot. With a recent enough dovecot, you can include TLS information from haproxy to dovecot.
- configure login_trusted_networks and haproxy_trusted_networks
- set 'haproxy=yes' on the listener you are connecting with haproxy, so dovecot knows to expect and parse the proxy protocol.

Aki
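The three steps above as one Dovecot configuration fragment; this is an added example, not Aki's or the Dovecot project's own text, and the load balancer network (10.0.0.0/24) and ports are constructed. On the HAProxy side the matching backend line uses `send-proxy-v2` (or `send-proxy-v2-ssl` to forward the TLS details the reply mentions), e.g. `server mx1 10.0.1.5:143 send-proxy-v2`.

```conf
# Added example, not from the original thread; addresses are constructed.

# Step 1/2: only honour PROXY protocol headers that come from the load
# balancers. Connections on a haproxy=yes listener from other addresses
# are not treated as proxied.
haproxy_trusted_networks = 10.0.0.0/24

# Step 2: login_trusted_networks is evaluated against the client address
# carried in the PROXY header, not the load balancer's address (this is
# what Björn observed above), so it must cover the real client ranges.
# Keep the haproxy=yes listeners reachable only from the load balancers.
login_trusted_networks = 0.0.0.0/0

# Step 3: mark every listener HAProxy connects to, so Dovecot reads the
# PROXY header before sending the protocol banner. TLS is terminated on
# the load balancer here, so the listeners are plain-text.
service imap-login {
  inet_listener imap {
    port = 143
    haproxy = yes
  }
}

service managesieve-login {
  inet_listener sieve {
    port = 4190
    haproxy = yes
  }
}
```

After reloading, `doveadm who` shows the client addresses reported by HAProxy rather than the load balancer's, which is the quickest check that the header is being parsed.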