I'm trying to set up Dovecot as an authenticating reverse proxy, in front of an already running IMAP server, to accomplish the following:
- Have Dovecot authenticate users using Kerberos/GSSAPI (to allow Single-Sign-On).
- If properly authenticated, have Dovecot proxy to the existing IMAP server with the authenticated username using the regular AUTH=PLAIN method, but with a random/empty password. I want exactly that, since I will have the backend IMAP server trust the authenticating proxy, but it still requires a PLAIN IMAP login with a dummy password.
How far did I get?
- I know how to configure Dovecot to authenticate using Kerberos/GSSAPI: https://wiki.dovecot.org/Authentication/Kerberos
- I know how to configure Dovecot to proxy to a backend IMAP server: https://wiki.dovecot.org/PasswordDatabase/ExtraFields/Proxy
The main challenge I'm dealing with is the combination of the two. The Kerberos/GSSAPI authentication page starts off with this:
> The Kerberos authentication mechanism doesn't require having a passdb, but you do need a userdb so Dovecot can lookup user-specific information, such as where their mailboxes are stored.
Well, this reads like a double anti-feature to me: I need a passdb to proxy in the first place, and I don't want it to be aware of "such as where their mailboxes are stored", as it should just proxy everything onto the backend server.
So, could anyone point me into the right direction here?
(I'm just starting with Dovecot, so please bear with me. Also, it's not a requirement to use Dovecot, by the way. The IMAP server I use as backend is Kopano Gateway, which seems to lack SSO support, but it does let me bypass password authentication.)
Best Answer
Set the passdb attrs to include `pass=` master password. Dovecot needs a password to try against the proxy. With GSSAPI it obviously doesn't have one, so provide your master password (or with Kopano you can put anything if you have `bypass_auth` set). See Dovecot Docs, specifically the section "master password".
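As an added example that is not part of the question or the answer, a minimal dovecot.conf fragment that combines GSSAPI client authentication with a static passdb carrying the proxy fields and the fixed backend password; the hostname, keytab path, backend address and password are placeholders.

```conf
# Constructed example (not from the question or answer): Dovecot as a
# GSSAPI-authenticating proxy in front of a backend IMAP server.
auth_mechanisms = gssapi
auth_gssapi_hostname = imap.example.org          # placeholder
auth_krb5_keytab = /etc/dovecot/dovecot.keytab   # placeholder

# The static passdb never checks a client password (nopassword=y); its
# only job is to attach the proxy fields. pass= is what Dovecot sends to
# the backend in the PLAIN login instead of the (absent) client password.
# On a Kopano backend with bypass_auth set any value works; otherwise use
# the backend's master password. This file then holds a secret, so keep
# it readable only by root and the dovecot user.
passdb {
  driver = static
  args = nopassword=y proxy=y host=10.0.0.5 port=143 pass=BACKEND_MASTER_PASSWORD
}

# A userdb is still required by Dovecot; a static one is enough because
# the proxy never opens a mailbox itself.
userdb {
  driver = static
  args = uid=dovecot gid=dovecot
}
```

Run `doveconf -n` after editing to confirm the fragment parses and that `auth_mechanisms` lists only gssapi, so the proxy never accepts a plaintext client login it would forward with the master password.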