Non-transparent to users
- User "freddy": server1?
- User "paula": server3?
- Use DNS CNAMEs to associate users to servers

[Figure: client connecting to IMAP servers a-f.example.net, g-m.example.net and n-z.example.net]
Proxy retrieves username from the client's login:

  01 login [email protected] secret

- Proxy looks up username in "map"
- Optional: authentication
- Optional: translate username
- Map returns address of back-end IMAP server
- Proxy hands off connection to IMAP server (out) and authenticates with target server

[Figure: client -> IMAP proxy -> lookup in map -> one of several IMAP servers]
- servers at will
- Migrate users from server1 to serverN
- Synthetic usernames on IMAP servers
- Different ways of looking up users (DB, LDAP, etc.)
- Consolidate heterogeneous brands of IMAP servers
- Integrate monitoring to provide access to available IMAP servers only
- Central logging

Disadvantages
- Additional code
- Possible single point of failure: load-balance / heartbeat
query them before login
List capabilities of your IMAP server:

  $ openssl s_client -connect imap.gmail.com:993
  * OK ready for requests
  01 capability
  * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA XLIST CHILDREN XYZZY
  01 OK Thats all she wrote!

Adapt proxy's CAPABILITY to common denominator

[Figure: client -> IMAP proxy -> Lotus Domino / Dovecot / Cyrus, each answering CAPABILITY differently]
- per connection
- Can bridge between SSL/TLS and plain back-ends
- Perdition can authenticate user locally if compiled with PAM support
- Supported lookups: CDB, GDBM, BDB, MySQL, PostgreSQL, LDAP, NIS, regex
- Custom C function
- Username replacement
- No support for CRAM-MD5
Data

  SELECT * FROM users;
  +------+------------------+------+
  | user | servername       | port |
  +------+------------------+------+
  | sue  | localhost        | NULL |
  | jane | [email protected] | 143  |
  +------+------------------+------+
Attributes returned from search: new username (optional), server, port (optional)
perdition.schema has a structural objectclass:

  dn: uid=jane, o=example.net
  objectClass: uidObject
  objectClass: perditionPopmap
  uid: jane
  username: s009
  mailhost: example.org
  port: 143

Can use mailHost from inetLocalMailRecipient
that"

Data: look up user in map

  int dbserver_get(const char *key, const char *options_str,
                   char **str_return, int *len_return);

Initialize / Terminate

  int dbserver_init(char *options_str);
  int dbserver_fini(void);

Make

  gcc -shared $(L).c -L/usr/lib -o $(L).so
hosts
- User has mail on >= 2 hosts
- Custom Perdition database map:
  - Retrieves username
  - Finds user's back-end IMAP servers (cldbdir.nsf)
  - Attempts TCP connect
  - Fails over to backup server
  - Returns first live server to Perdition
- Perdition connects to that IMAP server

[Figure: client -> Perdition -> LDAP lookup and socket() probe -> Domino servers]
- IMAP/POP3 and SMTP proxy created by Igor Sysoev for rambler.ru
- Fixed process pool and non-blocking code
- Powers WordPress, Github, Ohloh, SourceForge, ...
- Doesn't require special database or LDAP schema
- POST to a URL to do authentication/authorization via HTTP or UNIX socket

Authorization / authentication back-ends
- Apache, NGINX (HTTP), Lighttpd, ..., thttpd
- NGINX Web server is built-in: FastCGI, Embedded Perl
- request to URL via POST or UNIX socket
- Auth back-end looks up user (optionally password, etc.)
- Auth back-end determines target server/port
- Auth back-end passes data back to NGINX
- NGINX proxies connection to user's IMAP/POP3 server:port (optionally using new credentials)

[Figure: IMAP client -> NGINX IMAP proxy -> HTTP process (request headers) -> IMAP servers]
imap

  HTTP_HOST: nano.mens.de
  HTTP_CLIENT_IP: 192.168.1.154
  HTTP_AUTH_METHOD: plain
  HTTP_AUTH_USER: [email protected]
  HTTP_AUTH_PASS: seacret
  HTTP_AUTH_LOGIN_ATTEMPT: 2
  HTTP_YY_AUTH: jp-mysecret

Authmethod CRAM-MD5 sets salt and HMAC-MD5 hashed password (need cleartext on server to verify and hand back to NGINX):

  HTTP_AUTH_METHOD = cram-md5
  HTTP_AUTH_SALT = <[email protected]>
  HTTP_AUTH_PASS = 1b0864a115d8ae5f3562e3bc7d05cb59
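An added example of the auth back-end logic described above, written in Python; it is not code from the slides or from NGINX. It takes the headers as a CGI back-end sees them (the HTTP_AUTH_* names on the slide), verifies plain or CRAM-MD5 credentials against a cleartext password, and returns the Auth-Status / Auth-Server / Auth-Port / Auth-Pass / Auth-Wait headers NGINX's mail auth protocol expects. The user map, server addresses and salt are constructed.

```python
import hashlib
import hmac

# Constructed user map standing in for the MySQL/LDAP lookup:
# user -> (cleartext password, back-end IMAP server IP, port).
# NGINX wants an IP address in Auth-Server, so the map stores addresses, not names.
USERS = {
    "sue": ("s3cret", "127.0.0.1", 143),
    "jane@example.net": ("seacret", "192.0.2.10", 143),
}


def cram_md5_response(password, salt):
    """What a CRAM-MD5 client sends: hex HMAC-MD5 keyed with the password over the challenge."""
    return hmac.new(password.encode(), salt.encode(), hashlib.md5).hexdigest()


def verify_password(method, stored_password, auth_pass, salt=None):
    """Check the credentials NGINX forwarded against the cleartext password from the map."""
    if method == "plain":
        return hmac.compare_digest(stored_password, auth_pass)
    if method == "cram-md5":
        # Only the digest reaches the back-end, so it must recompute HMAC-MD5 from the cleartext.
        if not salt:
            return False
        return hmac.compare_digest(cram_md5_response(stored_password, salt), auth_pass.lower())
    return False  # unknown method: refuse


def authenticate(headers, users=USERS):
    """Turn the headers NGINX posts (CGI names as on the slide) into the response headers."""
    user = headers.get("HTTP_AUTH_USER", "")
    method = headers.get("HTTP_AUTH_METHOD", "plain").lower()
    entry = users.get(user)
    ok = entry is not None and verify_password(
        method, entry[0], headers.get("HTTP_AUTH_PASS", ""), headers.get("HTTP_AUTH_SALT")
    )
    if not ok:
        # Auth-Wait makes NGINX delay the failure reply, which slows down password guessing.
        attempt = int(headers.get("HTTP_AUTH_LOGIN_ATTEMPT", "1"))
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": str(min(2 * attempt, 10))}
    password, server, port = entry
    # The back-end IMAP server speaks plain LOGIN, so hand NGINX the cleartext credentials to use.
    return {"Auth-Status": "OK", "Auth-Server": server, "Auth-Port": str(port), "Auth-Pass": password}
```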
- Courier IMAP ISP: 10 Perdition, 10 M POP3/IMAP connections/day
- NGINX, fastmail.fm: 10,000 connections on 10% CPU (3.2 GHz Xeon)
  (FastMail.fm moved from Perdition to NGINX)
- coding
- Perdition's custom functions allow complex setups
- NGINX as IMAP/POP3 proxy requires custom code
- Consider using memcached for caching "expensive" user-lookups
- Integrate your monitoring system to influence choice of target IMAP server