dfwarden/Roundcube-CAS-Authn

imap proxy feature

Closed this issue · 8 comments

Hi David,

I followed your blog post on CAS-ifying Roundcube (http://dfwarden.blogspot.de/2012/01/cas-ifying-roundcube.html). It's very well documented, and 99% of the howto was also successful in my case.
But I have problems with one thing: the proxy feature. You write something about the use of the proxy, but I have no idea how to solve or implement this proxy. Or is this proxy functionality already implemented in the CAS plugin for Roundcube? I have searched around the web and also posted some issues on the phpCAS list, without final success. I have searched for some proxy examples, but I failed to figure it out.
Now I have a little hope that you could give me some advice that can help me.
We are using Dovecot 2.1.3, Roundcube 0.7.2, phpCAS 1.3.1 and pam_cas 2.0.5.
I can already log in to Roundcube via CAS, but after several minutes the ST expires and the reconnection to the IMAP server fails (I think that's a proxy issue).

Could you give me some advice on this, please?
Thanks
Andy

The "proxy" functionality is not in CAS or Roundcube. It is some kind of authentication caching mechanism for IMAP so the client can use the same ST as the "password" for the duration of their Roundcube session. If successfully implemented, the ST will be verified on the first authentication and cached. Subsequent pageloads will send the same ST, which will result in an authentication success because it is the same "password" the client sent when they initially connected.

Your choices are basically to use Dovecot's authentication caching feature or an intermediate caching IMAP proxy like http://imapproxy.org/. I personally use both because if you allow users to connect to Dovecot with their normal password you don't want the ST being cached as the "correct" password.

My advice? If you ONLY allow CAS authentication on this Dovecot server then enable auth caching (http://wiki2.dovecot.org/Authentication/Caching) there and you should be done. If not, implement imapproxy - configure Roundcube to connect to that proxy and configure the proxy to connect to your Dovecot server.

That was the detail I needed about the proxy: "the proxy functionality is not in CAS or Roundcube".
I forgot to say that I had already installed imapproxy and Dovecot authentication caching, but I didn't have the right configuration settings. With your explanation everything was clear, and I configured the imapproxy and the Dovecot auth_cache settings properly. It's working fine now. Thanks very much, David.

Hi dfwarden,

Do you have an example of how to configure the Dovecot cache?

Because we have two services in CAS proxy mode that try to get email info from Dovecot: one is a portlet that gets the number of new emails and the second is Roundcube. We don't have a problem with one instance of Roundcube, but when we go to load balancing we have plenty of IMAP connection errors, with a plaintext password problem.

here is our cache config
auth_cache_size = 1024
auth_cache_ttl = 3600
auth_cache_negative_ttl = 0

Thanks for your help

We have very similar settings for the auth cache. The one thing I think you might be missing is your pam cache key in your pam passdb:

passdb {
  driver = pam
  args = cache_key=%u-%r-%a dovecot
}

To save you the trip to the dovecot variables wiki page, this makes our pam cache key username-remoteip-localport. We run dovecot on multiple non-standard ports and our portlet uses one of the nonstandard ports. This way the service ticket the portlet passes does not interfere with the cached password a normal IMAP client provides.

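To make the mechanism in David's two replies concrete (the ST cached as the "password" for the whole Roundcube session, and the cache_key deciding which logins share a cache entry), here is an added Python model. It is not code from the thread, the plugin or Dovecot. It assumes Dovecot's documented cache behaviour: an entry holds the last secret that succeeded for its key, a lookup with a different secret (or an expired entry) goes back to the passdb, and a ticket validates through pam_cas exactly once. The user, hosts, ports, ticket and password are made up for the illustration.

```python
"""Model of Dovecot's auth cache in front of pam_cas (added example).

Assumptions, not taken from the page: a CAS service ticket validates exactly
once; Dovecot caches the last *successful* secret per expanded cache_key and
only consults the passdb when the presented secret differs or the entry has
passed auth_cache_ttl. All names, addresses and secrets are made up.
"""
import hashlib


class PamCasBackend:
    """Stands in for the PAM stack: pam_cas (single-use tickets) followed by
    an ordinary password check, as a site that allows both logins would run."""

    def __init__(self, tickets, passwords):
        self._unused_tickets = dict(tickets)   # ticket -> user it was issued to
        self._passwords = dict(passwords)      # user -> password
        self.calls = 0                         # how often the real passdb ran

    def check(self, user, secret):
        self.calls += 1
        if self._unused_tickets.get(secret) == user:
            del self._unused_tickets[secret]   # validation consumes the ticket
            return True
        return self._passwords.get(user) == secret


class AuthCache:
    """Dovecot-style positive auth cache keyed by an expanded cache_key."""

    def __init__(self, backend, key_template, ttl):
        self._backend = backend
        self._template = key_template
        self._ttl = ttl
        self._entries = {}   # expanded key -> (sha256(secret), stored_at)

    def _key(self, user, remote_ip, local_port):
        # %u, %r and %a are the Dovecot variables used in the passdb above.
        return (self._template.replace("%u", user)
                              .replace("%r", remote_ip)
                              .replace("%a", str(local_port)))

    def login(self, user, secret, remote_ip, local_port, now):
        key = self._key(user, remote_ip, local_port)
        digest = hashlib.sha256(secret.encode()).hexdigest()
        entry = self._entries.get(key)
        if entry and entry[0] == digest and now - entry[1] < self._ttl:
            return True                          # cache hit, passdb not asked
        ok = self._backend.check(user, secret)
        if ok:
            self._entries[key] = (digest, now)   # last good secret wins
        return ok


def run_scenario(key_template, ttl=3600):
    """Interleave Roundcube (ticket) and desktop-client (password) logins for
    one user; return (result per login, number of passdb calls made)."""
    backend = PamCasBackend(tickets={"ST-1-abc": "alice"},
                            passwords={"alice": "hunter2"})
    cache = AuthCache(backend, key_template, ttl)
    #            user     secret      remote ip   port  time
    attempts = [("alice", "ST-1-abc", "10.0.0.5", 143, 0),        # Roundcube, first pageload
                ("alice", "hunter2",  "10.0.0.9", 993, 1),        # desktop IMAP client
                ("alice", "ST-1-abc", "10.0.0.5", 143, 2),        # Roundcube, next pageload
                ("alice", "hunter2",  "10.0.0.9", 993, 3),        # desktop client again
                ("alice", "ST-1-abc", "10.0.0.5", 143, ttl + 1)]  # Roundcube after the TTL
    results = [cache.login(*a) for a in attempts]
    return results, backend.calls


if __name__ == "__main__":
    for template in ("%u", "%u-%r-%a"):
        print(template, run_scenario(template))
```

With the bare %u key the desktop client's password and Roundcube's ticket fight over one cache entry: the third login reaches pam_cas with an already-consumed ticket and fails, which is the interference David's %u-%r-%a key avoids by giving each remote address and port its own entry. The last attempt fails under both keys because auth_cache_ttl has elapsed; that same TTL is the window in which a captured ST stays replayable against IMAP, so keep it no longer than the webmail session actually needs.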

Thanks for your response, but I don't think the problem comes from there.

We have 2 instances of Roundcube (version 0.9.3) behind an Apache proxy. When I tell Apache to set the stickysession I don't get any problem on the two instances of Roundcube. But when I want to remove the stickysession I get a lot of problems on IMAP connections; it's like the Roundcube instance can't get the user session in the DB, and each time it's a new ticket that is tried to be validated by pam_cas. There is something that I don't understand: why do we have a new ticket passed even with a cache with a cache key defined with %u-%s, where %s is the IP of the Apache proxy?


Ah yes, I did misunderstand.

What about your PHP session/PGTIOU storage? If you don't tie a user to a single host with something like stickysession then you'll need shared storage for PHP sessions and PGTIOUs. We use NFS for those.


Yes, I did that: I have shared NFS storage for the PGTIOU, but when an instance validates the PGT it is removed from the storage and the second instance of Roundcube can't get it back. Also I don't understand why Roundcube stores the session in the database (we set the session ID with the ST like it's done with the CAS plugin). For you, is the PGTIOU kept stored until the session ends?


Our PGTIOUs are consumed at the same time yours are, which I believe is correct behavior.

To be honest we're still on 0.8.x (and will be turning off RC in late September as we have migrated to Google Apps for Education) so I don't know if something changed in 0.9 as far as sessions go, but it sounds like Roundcube is invalidating (or failing to validate) sessions started on your other hosts. I ran into this and it was tricky to solve because essentially the plugin is bypassing/faking Roundcube's session init. Right now the plugin just calls set_auth_cookie() and hopes that is enough to create a valid session. My memory is a bit fuzzy but I believe I may have had to set ip_check and referrer_check to false to get that part working.

I think RC stores session info in the database to avoid the shared storage requirement if users have multiple RC hosts, but yeah, it does seem a little strange.

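A Roundcube config fragment for the multi-instance case David and Julien discuss, added here as an example; it is not from the thread or the plugin. The option names are Roundcube's own in the 0.9-era $rcmail_config array (1.0 and later use $config); the values are assumptions for the illustration, and session_storage should be checked against your release's defaults.inc.php before relying on it.

```php
<?php
// Added example, not from the thread or the plugin: Roundcube 0.9-era
// settings for several instances behind a load balancer without sticky
// sessions. Values are assumptions; verify each option against your
// release's defaults.inc.php.

// Sessions live in the shared database, so any instance can pick up a
// session that another instance started.
$rcmail_config['session_storage'] = 'db';

// David recalls needing these off for the plugin's set_auth_cookie()
// bootstrap to be accepted on every host. Both are anti-hijacking checks,
// so this is a deliberate trade-off: ip_check drops a session whose client
// IP changes between requests, referer_check rejects requests whose Referer
// does not point at this Roundcube. Re-enable them if you can keep sticky
// sessions instead.
$rcmail_config['ip_check'] = false;
$rcmail_config['referer_check'] = false;

// The CAS-side state (PGTIOU callback storage) is outside this file and
// must sit on storage every instance can read, such as the NFS share the
// thread mentions; with shared storage a PGTIOU is still consumed on first
// use, which is the behaviour David describes as correct.
```

Treat the two disabled checks as a cost of the non-sticky deployment: they are the only protections Roundcube itself applies against a stolen session cookie being used from another address, so pair them with TLS end to end and a short session_lifetime.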