Dovecot IMAP authenticating proxy using Kerberos/GSSAPI
Solution 1:
Set the passdb attrs to include pass=<master password>. Dovecot needs a password to try against the proxy. With GSSAPI it obviously doesn't have one, so provide your master password (or with kopano you can put anything if you have bypass_auth set). See Dovecot Docs, specifically the section "master password".
Solution 2:
Got it to work in the end with the hints by Alex in the other answer and some final help on the Dovecot mailing list where Timo - the Dovecot original author - responded.
Full example of a dovecot.conf below. The main trick is the full args line in the passdb section. Without password=something or nopassword=y, it thinks mail is locally stored and proxying isn't turned on, and you'll see an error: Error: mail_location not set and autodetection failed: Mail storage autodetection failed with home=(not set). More small caveats inline in the comments.
protocols = imap
# Static passdb: every user who authenticates here is proxied to the backend on
# 127.0.0.1:1143. pass= is the master password sent to the backend; without
# pass=... or nopassword=y Dovecot assumes local mail storage and never proxies.
passdb {
driver = static
args = proxy=y host=127.0.0.1 port=1143 pass=masterpass nopassword=y
}
# Deliberately omitted userdb, because this is a proxy.
# Kerberos authentication settings
auth_mechanisms = gssapi
auth_gssapi_hostname = mailhost.mydomain.tld
auth_realms = MY-REALM.DOMAIN.TLD
auth_default_realm = MY-REALM.DOMAIN.TLD
# This keytab file contains keys for the principal imap/mailhost.mydomain.tld@MY-REALM.DOMAIN.TLD
# (the auth_gssapi_hostname and realm configured above).
# Unlike SSL keys/certs, do not use '= <', but plain '=' to path of file.
auth_krb5_keytab = /etc/dovecot/imap.keytab
# Pass only local username part to the backend.
auth_username_format = %n
# Logging to foreground with some verbose logging for authentication.
log_path = /dev/stderr
auth_verbose = yes
# Require StartTLS or plain TLS for any interaction.
ssl = required
ssl_cert = </path/to/cert.crt
ssl_key = </path/to/key.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
The log will then show:
imap-login: Info: proxy(username): started proxying to 127.0.0.1:1143: user=<username>, method=GSSAPI, rip=1.2.3.4, lip=9.9.9.9, TLS, session=<iJvnvg6P8KEKAAYE>
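A pre-flight check for the pitfalls this answer walks through (missing pass=/nopassword=y in the passdb args, '<' in front of the keytab path, gssapi missing from auth_mechanisms, ssl not required). This is an added example, not code from either answer or from Dovecot; the check_proxy_conf function and the embedded sample config are constructed for illustration and assume POSIX sh with sed.

```shell
#!/bin/sh
# Lint a Dovecot GSSAPI proxy config against the caveats from the answer above.
# Hypothetical helper, not part of Dovecot. Returns 0 when every check passes;
# otherwise prints each problem and returns 1.
check_proxy_conf() {
    conf="$1"; rc=0
    # Value of the first top-level "key = value" line for a key. Commented-out
    # lines never match because the anchored pattern allows no leading '#'.
    val() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1; }

    args=$(val args)
    case " $args " in *" proxy=y "*) ;; *)
        echo "passdb args lack proxy=y: nothing will be proxied"; rc=1 ;; esac
    # Without a password field Dovecot assumes local mail storage and fails with
    # "mail_location not set and autodetection failed" instead of proxying.
    case " $args " in *" pass="*|*" password="*|*" nopassword=y "*) ;; *)
        echo "passdb args need pass=..., password=... or nopassword=y"; rc=1 ;; esac

    # '<' makes Dovecot read the file's contents; correct for ssl_cert/ssl_key,
    # wrong for auth_krb5_keytab, which wants the path itself.
    case "$(val auth_krb5_keytab)" in
        "<"*) echo "auth_krb5_keytab must be a plain path, not '<path'"; rc=1 ;;
        "")   echo "auth_krb5_keytab is not set"; rc=1 ;;
    esac
    case " $(val auth_mechanisms) " in *" gssapi "*) ;; *)
        echo "auth_mechanisms does not include gssapi"; rc=1 ;; esac
    [ "$(val ssl)" = required ] || { echo "ssl should be 'required' on a proxy"; rc=1; }
    return $rc
}

# Constructed sample: the working config from the answer, reduced to the checked keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143 pass=masterpass nopassword=y
}
auth_mechanisms = gssapi
auth_krb5_keytab = /etc/dovecot/imap.keytab
ssl = required
EOF
check_proxy_conf "$sample" && echo "sample config passes all checks"
rm -f "$sample"
```

Run it against the real file with `check_proxy_conf /etc/dovecot/dovecot.conf` before restarting Dovecot; `doveconf -n` remains the authoritative view of what Dovecot actually parsed.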