On Jun 1, 2008, at 11:30 PM, Lyndon Nerenberg wrote:
> On 2008-Jun-1, at 12:20 , Timo Sirainen wrote:
>
>> The idea would be that there's a frontend IMAP proxy that looks up the
>> backend IMAP server based on the username, tells the backend server the
>> user's IP and then logs in using the provided user+password. Currently
>> the IP isn't forwarded, so some IP-based user access checks don't work.
>
> Why can't you do the access checks at the front-end server? You're
> already going out-of-band to discover which back-end server to use.
> You're already passing the account name, so why not also pass the
> network address and do the access check there?
Well, that's a good question. :) Actually Dovecot already allows doing
the check on the frontend, but it's also possible to do it on the
backend. I don't know why the people who originally requested this
feature don't want to do this on the frontend, but I can think of at
least one specific use case:

Backends all share the mailbox data using NFS, so it's not critical
which server is the destination. It's just better from a performance
point of view that simultaneous connections from the same user are
directed to the same server. So the backend server lookup could be as
simple as md5(username) MOD number_of_servers (or maybe something a
bit more complex, but still not an external, expensive, up-to-date
database lookup).
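As an added illustration (not code from the thread or from Dovecot), here is the routing scheme sketched above: the frontend proxy does the IP access check itself, as Lyndon suggests, and then picks the backend with md5(username) MOD number_of_servers. The backend names and the per-user allow lists are constructed sample data, and the last function shows the caveat of the plain modulo scheme: when the pool size changes, most users land on a different backend.

```python
import hashlib
import ipaddress
from typing import Optional

# Constructed sample data: a backend pool and per-user IP allow lists
# used for the access check performed on the frontend.
BACKENDS = ["imap1.example.internal", "imap2.example.internal",
            "imap3.example.internal", "imap4.example.internal"]
ALLOWED_NETS = {
    "alice": [ipaddress.ip_network("10.0.0.0/8")],
    "bob":   [ipaddress.ip_network("192.168.1.0/24")],
}


def pick_backend(username: str, backends) -> str:
    """md5(username) MOD number_of_servers: the same username always maps
    to the same backend, so simultaneous connections from one user share
    a server without any external database lookup."""
    digest = hashlib.md5(username.encode("utf-8")).digest()
    return backends[int.from_bytes(digest, "big") % len(backends)]


def ip_allowed(username: str, client_ip: str) -> bool:
    """Frontend-side IP access check: the proxy already knows the client
    address, so it can enforce the rule before contacting a backend."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETS.get(username, []))


def route(username: str, client_ip: str) -> Optional[str]:
    """Return the backend to proxy this login to, or None if the client
    IP is not permitted for that user (reject on the frontend)."""
    if not ip_allowed(username, client_ip):
        return None
    return pick_backend(username, BACKENDS)


def moved_on_resize(users, old_backends, new_backends) -> int:
    """Count users whose backend changes when the pool is resized. With
    plain modulo hashing this is usually most of them, which is why a
    'bit more complex' scheme may be preferred for a pool that grows."""
    return sum(pick_backend(u, old_backends) != pick_backend(u, new_backends)
               for u in users)
```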