Remote dovecot proxy server for client SMTP, IMAP and POP



Last Modified: Jun 29, 2019, 6:06 am

Let's say you have multiple DA boxes.
You want all of your clients to use one centralized mail server to connect to for sending SMTP emails with SMTP auth, webmail access, as well as IMAP/POP access to their inboxes.

Overview

  • Box A will be defined as the main hosting box where DirectAdmin and email data is all stored
  • Box B is the proxy server which does not require DA. It has a copy of the /etc/virtual/domain.com/passwd file for proxying things back to box A.
  • Email to outside server, (eg: gmail.com) still leaves from box A.
  • Clients connect to box B for sending with SMTP, and downloading IMAP/POP, even though they could in theory still use A if they needed to (just omit that info from them to avoid confusion).
  • This is not "Mail Clustering", which would do everything on box B, with data saved on B. Mail Clustering would be where DA on A manages accounts/passwords through DA on B, and exim/dovecot on B do everything; clients only connect to B. Mail Clustering is not what this guide is for, only "Dovecot Proxy", where there is a single front-end (B) for other DA boxes (A1, A2, A3, etc).

Installation

Sound good? Here's how:

  1. Box A

    We need the main host box to be changed slightly:

    1. Relating to this feature which adds the system "username" account to the virtual passwd files, add this to the directadmin.conf:

      system_user_to_virtual_passwd=1

    2. Relating to this feature which adds extra proxy info into the virtual password files, add this to the directadmin.conf:

      dovecot_proxy=1

    3. Rewrite all email passwd files to have the new settings, run this as root:

      echo "action=rewrite&value=email_passwd" >> /usr/local/directadmin/data/task.queue

    4. Add the IP of your Box B to /etc/virtual/proxy_hosts_ip and update the exim configuration. Make sure eximconf_release is set to at least 4.5, because only 4.5.15 started to support the dovecot proxy feature:

      echo "PROXY_SERVER_IP" >> /etc/virtual/proxy_hosts_ip
      cd /usr/local/directadmin/custombuild
      ./build update
      ./build set eximconf yes
      ./build set eximconf_release 4.5
      ./build eximconf

    5. Backup your current /etc/dovecot directory from box A, as we'll copy it over to B:

      cd /etc
      tar cvzf /var/www/html/secretfile.tar.gz dovecot --exclude='dovecot/conf/sni'

      Don't forget to delete this file when you've done everything, as it is served from the web root while it exists.

    6. Allow the proxy IP to be overridden with the real client IP in Dovecot:

      echo "login_trusted_networks = PROXY_SERVER_IP" > /etc/dovecot/conf.d/99-trusted-ips.conf
      service dovecot restart

    This will enable proper formatting of the virtual user files, so that they can be interpreted by dovecot and connections are forwarded to the correct host.
  2. Box B

    A clean OS without a DA installation can be used. Add the official Dovecot repository and install Dovecot using yum/apt-get/pkg. Ensure that Dovecot version 2.3 or later is installed. If your repo does not provide this or a later release, follow the guidelines about adding the required repo to your package manager: https://repo.dovecot.org

    1. Backup the existing dovecot configuration directory:

      mv /etc/dovecot /etc/dovecot_conf_orig

    2. Copy the /etc/dovecot configuration directory from any DA server; let's use the tarball we created in the Box A steps above (1.2.3.4 stands for the IP of box A):

      cd /etc
      wget 1.2.3.4/secretfile.tar.gz
      tar xvzf secretfile.tar.gz

    3. Ensure that submission is amongst the enabled protocols in /etc/dovecot/conf/protocols.conf:

      protocols = imap pop3 lmtp submission

    4. Copy the additional config from the original dovecot:

      cp -n /etc/dovecot_conf_orig/conf.d/20-submission.conf /etc/dovecot/conf.d/

    5. Modify /etc/dovecot/conf.d/20-submission.conf:

      submission_relay_host = 127.0.0.1
      submission_relay_port = 10025
      submission_relay_ssl = starttls
      submission_relay_ssl_verify = no

    6. Copy or create the SSL certificate/key:

      /etc/exim.crt
      /etc/exim.key

    7. Enable/restart the dovecot service, eg:

      systemctl daemon-reload
      systemctl enable dovecot.service
      service dovecot start

    8. To enable submission on ports 25/465 (if needed, because it listens on port 587 by default), add the following to /etc/dovecot/dovecot.conf:

      auth_mechanisms = plain login
      service submission-login {
        inet_listener submission_25 {
          port = 25
        }
        inet_listener submission_465 {
          port = 465
          ssl = yes
        }
      }

    9. If an outbound firewall is enabled, please allow access to 10025/TCP.
  3. Now we need to sync the /etc/virtual/*/passwd files from every DA server to the proxy server (the proxy server could fetch them from the DA server as well, but pushing them from the DA server is more secure).
    For example, we could use the following cronjob:

    rsync -avt --include "*/" --include="passwd" --exclude="*" --prune-empty-dirs /etc/virtual/ root@PROXY_SERVER_IP:/etc/virtual/

    The proxy server only needs /etc/virtual/domain.com/passwd to work, so overwritten domains/domainowners files will not cause any problems.
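As an added check (example code, not part of the DirectAdmin guide) for the dovecot_proxy=1 step on Box A and the passwd sync in step 3: this script parses synced passwd files in Dovecot's passwd-file format and reports, per user, which backend host a login will be proxied to, flagging entries that carry no proxy fields (those would be served locally on Box B, where no mailbox exists). The sample lines, hosts and hashes are constructed, and the exact extra fields DirectAdmin writes are assumed to be the standard proxy=y host=IP passdb fields.

```python
"""Added example (not from the DirectAdmin guide): audit the synced
/etc/virtual/<domain>/passwd files on Box B and report where each login is proxied.
Dovecot passwd-file format: user:password:uid:gid:gecos:home:shell:extra, where
"extra" holds space-separated passdb fields such as proxy=y host=IP [port=N].
The sample is constructed; the exact extra fields DirectAdmin writes with
dovecot_proxy=1 are an assumption here."""
import re

# Constructed sample: two proxied users and one entry without proxy fields.
SAMPLE_PASSWD = """\
alice@domain.com:{MD5-CRYPT}$1$abcdefgh$placeholderhash:1005:1005::/home/user/imap/domain.com/alice::proxy=y host=10.0.0.11
bob@domain.com:{MD5-CRYPT}$1$abcdefgh$placeholderhash:1005:1005::/home/user/imap/domain.com/bob::proxy=y host=10.0.0.12 port=993
carol@domain.com:{PLAIN}secret:1005:1005::/home/user/imap/domain.com/carol::
"""

SCHEME_RE = re.compile(r"^\{([^}]+)\}")


def parse_passwd(text):
    """Parse passwd-file lines; the 8th (extra) field may itself contain ':',
    so split at most 7 times."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 7)
        fields += [""] * (8 - len(fields))  # pad short lines
        user, password, _uid, _gid, _gecos, home, _shell, extra = fields
        m = SCHEME_RE.match(password)
        kv = dict(p.split("=", 1) for p in extra.split() if "=" in p)
        entries.append({"user": user, "scheme": m.group(1) if m else None,
                        "home": home, "extra": kv})
    return entries


def audit(entries):
    """Map each user to a finding. Without proxy=y and host, Dovecot on Box B
    would authenticate and serve the login locally, where no mailbox exists."""
    findings = {}
    for e in entries:
        host = e["extra"].get("host")
        if e["extra"].get("proxy") != "y" or not host:
            findings[e["user"]] = "NOT proxied: would be served locally on Box B"
            continue
        target = host + (":" + e["extra"]["port"] if "port" in e["extra"] else "")
        if e["scheme"] in (None, "PLAIN", "CLEARTEXT"):
            findings[e["user"]] = "proxied to %s (cleartext password)" % target
        else:
            findings[e["user"]] = "proxied to " + target
    return findings
```

Run audit(parse_passwd(open(path).read())) over each synced /etc/virtual/*/passwd on Box B after the rsync; any "NOT proxied" line means the rewrite on Box A did not apply to that domain.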

© 2018 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST