* dovecot fronting for public-inbox-imapd + private mail groups?
@ 2022-12-21 18:35 Chris Brannon
2022-12-21 19:54 ` Eric Wong
0 siblings, 1 reply; 5+ messages in thread
From: Chris Brannon @ 2022-12-21 18:35 UTC (permalink / raw)
To: meta
Perhaps this is a better question for the dovecot list, but I'll throw
it out here in case someone else has dealt with this scenario.
I self-host email, so I'm already running dovecot. I also want to
publish some public-inbox archives over IMAP that are available to the
world, with anonymous access. I essentially just have one public IPv4
address, so I'm limited to one public-facing IMAP server.
What I'd like to do is proxy all access to groups in the inbox.*
namespace to public-inbox-imapd, and open those up for anonymous access.
Everything else would remain private, requiring credentials.
Can it be done? Are there better ways to do it? In an ideal world,
everyone would be using IPv6 by now and this wouldn't be an issue.
-- Chris
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: dovecot fronting for public-inbox-imapd + private mail groups?
2022-12-21 18:35 dovecot fronting for public-inbox-imapd + private mail groups? Chris Brannon
@ 2022-12-21 19:54 ` Eric Wong
2022-12-21 21:07 ` Chris Brannon
0 siblings, 1 reply; 5+ messages in thread
From: Eric Wong @ 2022-12-21 19:54 UTC (permalink / raw)
To: Chris Brannon; +Cc: meta
Chris Brannon <chris@the-brannons.com> wrote:
> Perhaps this is a better question for the dovecot list, but I'll throw
> it out here in case someone else has dealt with this scenario.
>
> I self-host email, so I'm already running dovecot. I also want to
> publish some public-inbox archives over IMAP that are available to the
> world, with anonymous access. I essentially just have one public IPv4
> address, so I'm limited to one public-facing IMAP server.
I'm in the same situation. My current workaround is to run my
personal IMAP stuff on a different port and keep 993+143 for
public-inbox-imapd.
> What I'd like to do is proxy all access to groups in the inbox.*
> namespace to public-inbox-imapd, and open those up for anonymous access.
> Everything else would remain private, requiring credentials.
I know nginx can support IMAP proxying, but I'm not sure if it
can decide on backend based on usernames or inboxes. Would
appreciate an example config if you figure it out.
> Can it be done? Are there better ways to do it? In an ideal world,
> everyone would be using IPv6 by now and this wouldn't be an issue.
I'm already planning on adding support for HTTP proxying, so
IMAP proxying wouldn't be too big a step.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: dovecot fronting for public-inbox-imapd + private mail groups?
2022-12-21 19:54 ` Eric Wong
@ 2022-12-21 21:07 ` Chris Brannon
2022-12-22 10:55 ` Chris Brannon
0 siblings, 1 reply; 5+ messages in thread
From: Chris Brannon @ 2022-12-21 21:07 UTC (permalink / raw)
To: Eric Wong; +Cc: meta
Eric Wong <e@80x24.org> writes:
> I'm in the same situation. My current workaround is to run my
> personal IMAP stuff on a different port and keep 993+143 for
> public-inbox-imapd.
I thought about that and initially decided not to go that route, because
4 client configurations would need to be changed. FWIW another option
occurred to me just now: only allowing access to the private IMAP server
over wireguard. That has the added benefit of being more secure, and I
might do it for that reason alone.
> I know nginx can support IMAP proxying, but I'm not sure if it
> can decide on backend based on usernames or inboxes.
I totally forgot about nginx's mail proxy support. It turns out that
for IMAP (and even POP3), nginx can handle the authentication too, and
it can use the result of authentication to select a given backend
server. Nginx does its authentication by sending a request to an HTTP
endpoint defined in the config. The protocol uses some custom HTTP
headers. It can even rate-limit on failed auth attempts. This looks
very flexible.
It's all quite doable, and I'll be happy to share my config and endpoint code
once I have something.
-- Chris
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: dovecot fronting for public-inbox-imapd + private mail groups?
2022-12-21 21:07 ` Chris Brannon
@ 2022-12-22 10:55 ` Chris Brannon
2022-12-22 11:38 ` Eric Wong
0 siblings, 1 reply; 5+ messages in thread
From: Chris Brannon @ 2022-12-22 10:55 UTC (permalink / raw)
To: Eric Wong; +Cc: meta
Well, nginx as a mail proxy looks promising, but it doesn't yet work
with public-inbox-imapd. Nginx sends the authentication information as
synchronizing literals [RFC9051, section 4.3].
So the login sequence looks similar to this example lifted from RFC9051
section 7.6:
C: A001 LOGIN {11}
S: + Ready for additional command text
C: FRED FOOBAR {7}
S: + Ready for additional command text
C: fat man
S: A001 OK LOGIN completed
I could potentially look into working up a patch, though my Perl is
rusty and more than 15 years out of practice.
-- Chris
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: dovecot fronting for public-inbox-imapd + private mail groups?
2022-12-22 10:55 ` Chris Brannon
@ 2022-12-22 11:38 ` Eric Wong
0 siblings, 0 replies; 5+ messages in thread
From: Eric Wong @ 2022-12-22 11:38 UTC (permalink / raw)
To: Chris Brannon; +Cc: meta
Chris Brannon <chris@the-brannons.com> wrote:
> Well, nginx as a mail proxy looks promising, but it doesn't yet work
> with public-inbox-imapd. Nginx sends the authentication information as
> synchronizing literals [RFC9051, section 4.3].
Oops, yeah... public-inbox-imapd doesn't yet support most uses
of synchronizing literals since it's mostly for read-only stuff
which clients will send in a line-oriented way.
> So the login sequence looks similar to this example lifted from RFC9051
> section 7.6:
>
> C: A001 LOGIN {11}
> S: + Ready for additional command text
> C: FRED FOOBAR {7}
> S: + Ready for additional command text
> C: fat man
> S: A001 OK LOGIN completed
>
> I could potentially look into working up a patch, though my Perl is
> rusty and more than 15 years out of practice.
I would probably adapt the existing HTTP psgi.input logic for
dealing with them. But no worries, I should be able to handle
it. I'd have to support them eventually if I turn lei into a
localhost-only R/W IMAP server.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-12-22 11:38 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-21 18:35 dovecot fronting for public-inbox-imapd + private mail groups? Chris Brannon
2022-12-21 19:54 ` Eric Wong
2022-12-21 21:07 ` Chris Brannon
2022-12-22 10:55 ` Chris Brannon
2022-12-22 11:38 ` Eric Wong
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).