29
29
proxying to specified remote host (host isn't self) or to let director
30
30
assign a backend host (host is self). So basically this setting just
31
31
always sends the 'proxy' extra field to login process, but not
32
necessarily the 'host'.
32
necessarily the 'host'. Useful when dividing users across multiple
33
34
* 'host=s': The destination server's *IP address*. This field is required.
34
35
* 'port=s': The destination server's port. The default is 143 with IMAP and
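Review bot: the sentence added at new line 32 ("Useful when dividing users across multiple") extends a paragraph that says this setting does not necessarily send the 'host' field, yet the 'host=s' item directly below still reads "This field is required." Suggest qualifying that item so it says when 'host' is required. As written, the two statements read as contradictory to someone configuring a proxy.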
39
40
You can use SSL/TLS connection to destination server by returning:
41
* ssl=yes: Use SSL and require a valid verified remote certificate. *WARNING:
42
Unless used carefully, this is an insecure setting!* Before
42
* 'ssl=yes': Use SSL and require a valid verified remote certificate.
43
*WARNING: Unless used carefully, this is an insecure setting!* Before
43
44
v2.0.16/v2.1.beta1 the host name isn't checked in any way against the
44
45
certificate's CN. The only way to use this securely is to only use and allow
45
46
your own private CA's certs, anything else is exploitable by a
46
47
man-in-the-middle attack.
47
* ssl=any-cert: Use SSL, but don't require a valid remote certificate.
48
* starttls: Use STARTTLS command instead of doing SSL handshake immediately
48
* 'ssl=any-cert': Use SSL, but don't require a valid remote certificate.
49
* 'starttls': Use STARTTLS command instead of doing SSL handshake immediately
50
* starttls=any-cert: Combine starttls and ssl=any-cert.
51
* 'starttls=any-cert': Combine starttls and ssl=any-cert.
51
52
* Additionally you can also tell Dovecot to send SSL client certificate to the
52
53
remote server using 'ssl_client_cert' and 'ssl_client_key' settings in
53
54
'dovecot.conf' (v2.0.17+).
56
Set 'login_trusted_networks' to point to the proxies in the backends. This way
57
you'll get the clients' actual IP addresses logged instead of the proxy's.
55
59
The destination servers don't need to be running Dovecot, but you should make
56
60
sure that the Dovecot proxy doesn't advertise more capabilities than the
57
61
destination server can handle. For IMAP you can do this by changing
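Review bot: the new paragraph at lines 56-57 ("Set 'login_trusted_networks' to point to the proxies in the backends") should say to list only the proxies' own addresses, not a wider range. The backends will then log whatever client address a listed host reports, so the value defines who is believed about client IPs. Separately, the re-quoted 'ssl=any-cert' and 'starttls=any-cert' items still carry no caution, while 'ssl=yes' has a WARNING about man-in-the-middle exposure. Since those two items do not require a valid remote certificate at all, a matching note on them would keep the list consistent.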