> The idea would be that there's a frontend IMAP proxy that looks up
> the backend IMAP server based on the username, tells the backend
> server the user's IP and then logs in using the provided user+password.
We currently do this with a separate nginx process. We tell the IMAP
server the client's actual IP by having nginx do an
A001 ID ("X-ORIGINATING-IP" "<actual-client-IP>")
as the first command, before authenticating.
Since this won't work for GSSAPI, we've also extended nginx to do
GSSAPI auth locally and then use an AUTH PLAIN variant to authenticate
the server connection.