使用 Kerberos/GSSAPI 的 Dovecot IMAP 身份验证代理

Question 1

设置 passdb 属性以包含pass=主密码。Dovecot 需要密码才能尝试代理。使用 GSSAPI 显然没有密码，因此请提供您的主密码（或者使用 kopano，如果您已bypass_auth设置，则可以输入任何密码）。请参阅Dovecot 文档，特别是“主密码”部分。

Answer

设置 passdb 属性以包含pass=主密码。Dovecot 需要密码才能尝试代理。使用 GSSAPI 显然没有密码，因此请提供您的主密码（或者使用 kopano，如果您已bypass_auth设置，则可以输入任何密码）。请参阅Dovecot 文档，特别是“主密码”部分。

Question 2

最后用Alex 在另一个答案中给出的提示和一些最后的帮助在 Dovecot 邮件列表中，Dovecot 原作者 Timo 做出了回应。

下面是完整的示例dovecot.conf。主要技巧是节args中的整行passdb。没有password=something 或者 nopassword=y，它会认为邮件存储在本地，并且代理未打开，因此您会看到错误Error: mail_location not set and autodetection failed: Mail storage autodetection failed with home=(not set)。评论中内联了更多小警告。

protocols = imap

passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143 pass=masterpass nopassword=y
}

# Deliberately omitted userdb, because this is a proxy.

# Kerberos authentication settings
auth_mechanisms = gssapi
auth_gssapi_hostname = mailhost.mydomain.tld
auth_realms = MY-REALM.DOMAIN.TLD
auth_default_realm = MY-REALM.DOMAIN.TLD
# This keytab file contains keys for principal imap/[email protected]
# Unlike SSL keys/certs, do not use '= <', but plain '=' to path of file.
auth_krb5_keytab = /etc/dovecot/imap.keytab
# Pass only local username part to the backend.
auth_username_format = %n

# Logging to foreground with some verbose logging for authentication.
log_path = /dev/stderr
auth_verbose = yes

# Require StartTLS or plain TLS for any interaction.
ssl = required
ssl_cert = </path/to/cert.crt
ssl_key = </path/to/key.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

然后日志将显示：

imap-login: Info: proxy(username): started proxying to 127.0.0.1:1143: user=<username>, method=GSSAPI, rip=1.2.3.4, lip=9.9.9.9, TLS, session=<iJvnvg6P8KEKAAYE>

Answer

最后用Alex 在另一个答案中给出的提示和一些最后的帮助在 Dovecot 邮件列表中，Dovecot 原作者 Timo 做出了回应。

下面是完整的示例dovecot.conf。主要技巧是节args中的整行passdb。没有password=something 或者 nopassword=y，它会认为邮件存储在本地，并且代理未打开，因此您会看到错误Error: mail_location not set and autodetection failed: Mail storage autodetection failed with home=(not set)。评论中内联了更多小警告。

protocols = imap

passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143 pass=masterpass nopassword=y
}

# Deliberately omitted userdb, because this is a proxy.

# Kerberos authentication settings
auth_mechanisms = gssapi
auth_gssapi_hostname = mailhost.mydomain.tld
auth_realms = MY-REALM.DOMAIN.TLD
auth_default_realm = MY-REALM.DOMAIN.TLD
# This keytab file contains keys for principal imap/[email protected]
# Unlike SSL keys/certs, do not use '= <', but plain '=' to path of file.
auth_krb5_keytab = /etc/dovecot/imap.keytab
# Pass only local username part to the backend.
auth_username_format = %n

# Logging to foreground with some verbose logging for authentication.
log_path = /dev/stderr
auth_verbose = yes

# Require StartTLS or plain TLS for any interaction.
ssl = required
ssl_cert = </path/to/cert.crt
ssl_key = </path/to/key.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

然后日志将显示：

imap-login: Info: proxy(username): started proxying to 127.0.0.1:1143: user=<username>, method=GSSAPI, rip=1.2.3.4, lip=9.9.9.9, TLS, session=<iJvnvg6P8KEKAAYE>

使用 Kerberos/GSSAPI 的 Dovecot IMAP 身份验证代理

答案1

答案2

相关内容