Table of Contents
The Courier IMAP and POP3 servers now include a built-in proxy aggregator. With a proxy aggregator, the mail accounts are split between multiple, independent servers, with an IMAP/POP3 server running on each individual server. A separate, proxy server sits in front and accepts ordinary IMAP and POP3 connections. It reads the login ID, determines which server the account is located on, connects to the server, and logs in. Then, for the lifetime on the login session the front-end server takes itself out of the loop, and forwards all session traffic between the IMAP/POP3 client, and the back-end server.
The Courier
mail server can operate in IMAP/POP3 proxy mode only
when the Courier Authentication Library uses the
userdb,
LDAP,
MySQL, or the
PostgreSQL authentication module.
Challenge-Response (CRAM) authentication
will also work with the
LDAP,
MySQL, or the
PostgreSQL authentication module.
Yes, CRAM authentication will work (except for userdb).
Follow the regular installation instructions to set up
The Courier
mail server with the actual mail accounts.
The proxy feature uses the “account options” feature of the
Courier Authentication Library,
specifically an option called “mailhost”.
Account option configuration process depends on the authentication module.
With userdb, account options are specified by the
“options” userdb attribute:
userdb user@example.com set options=mailhost=servera.example.com
Instructions for setting up account options with
LDAP,
MySQL, or
PostgreSQL, may be found in the appropriate configuration
file. Briefly:
In authldaprc, put
“LDAP_AUXOPTIONS<TAB>mailhost=mailhost”,
then populate the “mailhost” LDAP attribute
(this may entail modifications of the LDAP schema).
In authmysqlrc, put
“MYSQL_AUXOPTIONS<TAB>CONCAT("mailhost=",mailhost)”
(or modify the existing MYSQL_AUXOPTIONS setting
accordingly), then create a “mailhost” column in the account
table.
In authpgsqlrc, put
“PGSQL_AUXOPTIONS<TAB>'mailhost=' || mailhost”
(or append ",mailhost=" || mailhost
to an existing setting),
then create a “mailhost” column in the account
table.
The “mailhost” option for each account should be the name of
the server where that account is located.
If possible, this should match, exactly,
the PROXY_HOSTNAME environment variable or the value
returned by the “gethostname” on the server.
The final step is to set “IMAP_PROXY” and/or
“POP3_PROXY” to “1” in the
imapd and/or the pop3d
configuration file, in the Courier configuration file directory on
the proxy server.
It is possible to have both the proxy server, and the back-end servers with the actual accounts, read the same configuration file that enables proxying. Ordinarily, if the back-end server also has the proxy setting turned on, it will also attempt to establish a proxy connection (to itself; lather, rinse, repeat until the server runs out of sockets).
However, if the “mailhost” option matches the server's hostname, as returned by “gethostname”, no proxying takes place. Therefore, if specific attention and care is made, when setting up the server names and account options, all servers can boot off the same configuration file.
If the server names are set up properly, it's possible to set things up without a dedicated front-end proxy aggregator server. All mail accounts are divided between a pool of servers, who are just one, big, happy family. IMAP and POP3 clients can connect to any server, at random. If they try to log into an account that happens to reside on the same box, then everything will be ready to go. If not, the server automatically opens a proxy connection to the right box, and everything will be ready to go as well.
Both servers involved in a proxy connections should be running the same version of the Courier IMAP/POP3 server. The proxy code included in the Courier-IMAP package tarball will talk to the server from the Courier-MTA package tarball that includes the same build of the IMAP daemon, and vice-versa. Run “imapd --version” to determine the build of the IMAP daemon.
All servers
MUST
use the same identical imapd
and pop3d configuration files (with the possible
exception of the proxy flag).
The next section explains why.
It should generally be possible to have the The Courier IMAP/POP3 server establish a proxy connection to some other third party, non-Courier, IMAP or POP3 server. Of course, the Courier Authentication Library running on the proxy server must have the same understanding of the account names and passwords as the other IMAP/POP3 server. The main issue is the different levels of protocol implementations.
Both the IMAP and POP3 protocols have optional features that different servers may or may not implement. Some servers will implement certain optional features of the IMAP or POP3 protocol; other servers will implement different features parts.
When the IMAP/POP3 client connects to the server, the client typically obtains the list of available optional features. After logging in, the client will have no reason to expect that it's now talking to a different server with a different set of protocol features. Therefore, it may not be possible to use a Courier proxy with some other IMAP/POP3 server that implements a widely different set of features. This may work with some clients, that don't make use of optional features; while other clients will report strange, or unpredictable errors.
In some cases, setting the IMAP_PROXY_FOREIGN flag,
in
the imapd configuration file, may help.
This command will send a message to the IMAP client explicitly informing
the client that the list of available protocol features has changed;
however some clients may ignore or not implement this particular message.
There is no equivalent POP3 command.
As previously mentioned the IMAP/POP3 clients may use any supported authentication method, including CRAM authentication (in most cases), with or without encryption, to log in. However, Courier will always use plain userid/password authentication, without encryption, to establish proxy connections. When using a different server, that server must be configured to allow plain userid/password authentication.
Note that the default configuration of the UW-IMAP
server requires encryption, and refuses non-encrypted connections.
Proxy connections are presumably carried over a private network, and
there is no reason to use encryption.
Therefore, the UW-IMAP server will have to be
re-configured to allow non-encrypted connections, if it's to be used
with Courier in proxy mode.