On Jun 1, 2008, at 11:30 PM, Lyndon Nerenberg wrote:

> On 2008-Jun-1, at 12:20 , Timo Sirainen wrote:
>
>> The idea would be that there's a frontend IMAP
proxy that looks up  
>> the
>> backend IMAP server based on the username, tells
the backend server  
>> the
>> user's IP and then logs in using the provided
user+password.  
>> Currently
>> the IP isn't forwarded, so some IP-based user
access checks don't  
>> work.
>
> Why can't you do the access checks at the front-end
server? You're  
> already going out-of-band to discover which back-end
server to use.  
> You're already passing the account name, so why not
also pass the  
> network address and do the access check there?

Well, that's a good question.  Actually
Dovecot already allows doing  
the check on the frontend, but it's also possible to do it
on the  
backend as well. I don't know why the people who originally
requested  
this feature don't want to do this on the frontend, but I
can think of  
at least one specific use case:

Backends all share the mailbox data using NFS, so it's not
critical  
which is the destination server. It's just better from
performance  
point of view that simultaneous connections from the same
user are  
directed to the same server. So the backend server lookup
could be as  
simple as md5(username) MOD number_of_servers (or maybe
something a  
bit more complex but still not an external expensive
up-to-date  
database lookup).


_______________________________________________
Imap-protocol mailing list
Imap-protocolu.washington.edu
https://mailman1.u.washington.edu/mailman/listin
fo/imap-protocol