Discussion:
How to configure dovecot imap to listen on multiple ports?
Rick Thomas
2014-08-24 20:45:33 UTC
Permalink
I need my dovecot imap server to listen on ports 143, 993, and also 30143 and 30993.

What syntax do I use in (I presume) the /etc/dovecot/conf.d/10-master.conf file to do this?


Thanks!


Rick
Reindl Harald
2014-08-24 20:59:05 UTC
Permalink
Post by Rick Thomas
I need my dovecot imap server to listen on ports 143, 993, and also 30143 and 30993.
no idea what that should gain
Post by Rick Thomas
What syntax do I use in (I presume) the /etc/dovecot/conf.d/10-master.conf file to do this?
but try to duplicate thes settings

(no i don't use "conf.d" directorys anywhere for good reasons)

# configure imap-proxy
service imap-login {
inet_listener imap {
address = *
port = 143
}
inet_listener imaps {
address = *
port = 993
}
vsz_limit = 64M
service_count = 1
process_min_avail = 0
process_limit = 100
}

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20140824/e16b9a9a/attachment.sig>
Rick Thomas
2014-08-24 21:26:04 UTC
Permalink
Post by Reindl Harald
Post by Rick Thomas
I need my dovecot imap server to listen on ports 143, 993, and also 30143 and 30993.
no idea what that should gain
I have a dovecot imap server inside a NAT/firewall.

The NAT translates calls to port 30143 and 30993 (not the real ports, but just for example) coming from outside to 143 and 993 inside. So machines outside the NAT that want to talk to the server use ports 30xxx and machines inside the NAT use the regular ports.

Which works fine for machines that are at fixed locations. But a laptop that?s sometimes inside, sometimes outside doesn?t have a fixed port to connect to. For those cases, I?d like the dovecot server to recognize the outside ports on the inside.
Post by Reindl Harald
Post by Rick Thomas
What syntax do I use in (I presume) the /etc/dovecot/conf.d/10-master.conf file to do this?
but try to duplicate these settings
(no i don't use "conf.d" directorys anywhere for good reasons)
# configure imap-proxy
service imap-login {
inet_listener imap {
address = *
port = 143
}
inet_listener imaps {
address = *
port = 993
}
vsz_limit = 64M
service_count = 1
process_min_avail = 0
process_limit = 100
}
Can I have multiple ?service? clauses for the same service? Each with a different port?
Or multiple ?inet_listener imap?/?inet_listener imaps? clauses?
Or should I have something like this?
port = 143,30143
Jochen Bern
2014-08-25 12:26:53 UTC
Permalink
Post by Rick Thomas
But a laptop that?s sometimes inside, sometimes outside doesn?t have
a fixed port to connect to. For those cases, I?d like the dovecot
server to recognize the outside ports on the inside.
Well, if offering the *exact same* functionality on a second port is all
that needs to be done, having the server's host firewall (iptables?)
duplicate the NAT on your border firewall for internal accesses should
do just fine; no need to majick it into the dovecot config (which opens
the possibility of functional differences being introduced unintentionally).

Assuming Red Hat or similar with no conflicting iptables rules (yet),

# iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
# iptables -t nat -A PREROUTING -p tcp --dport 30yyy -j DNAT --to :993
# service iptables save

Regards,
J. Bern
--
*NEU* - NEC IT-Infrastruktur-Produkte im <http://www.linworks-shop.de/>:
Server--Storage--Virtualisierung--Management SW--Passion for Performance
Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Gesch?ftsf?hrer Metin Dogan, Oliver Michel
Gedalya
2014-08-25 12:38:19 UTC
Permalink
Well, if offering the*exact same* functionality on a second port is all
that needs to be done, having the server's host firewall (iptables?)
duplicate the NAT on your border firewall for internal accesses should
do just fine; no need to majick it into the dovecot config (which opens
the possibility of functional differences being introduced unintentionally).
Assuming Red Hat or similar with no conflicting iptables rules (yet),
# iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
# iptables -t nat -A PREROUTING -p tcp --dport 30yyy -j DNAT --to :993
# service iptables save
Regards,
Since you're redirecting to a port on the same host, the following is
perhaps more correct:

iptables -t nat -A PREROUTING -p tcp --dport 30143 -j REDIRECT --to-port 143
Rick Thomas
2014-08-25 20:30:10 UTC
Permalink
Thanks! Gedalya and Jochen!

I hadn?t realized I could do that with iptables. I?ll read-up on the documentation.

Rick
Post by Gedalya
Well, if offering the*exact same* functionality on a second port is all
that needs to be done, having the server's host firewall (iptables?)
duplicate the NAT on your border firewall for internal accesses should
do just fine; no need to majick it into the dovecot config (which opens
the possibility of functional differences being introduced unintentionally).
Assuming Red Hat or similar with no conflicting iptables rules (yet),
# iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
# iptables -t nat -A PREROUTING -p tcp --dport 30yyy -j DNAT --to :993
# service iptables save
Regards,
iptables -t nat -A PREROUTING -p tcp --dport 30143 -j REDIRECT --to-port 143
Jochen Bern
2014-08-25 21:17:12 UTC
Permalink
Post by Gedalya
Post by Jochen Bern
Assuming Red Hat or similar with no conflicting iptables rules (yet),
# iptables -t nat -A PREROUTING -p tcp --dport 30xxx -j DNAT --to :143
Since you're redirecting to a port on the same host, the following is
iptables -t nat -A PREROUTING -p tcp --dport 30143 -j REDIRECT --to-port 143
The operational word being "perhaps". My approach will break if the
server does any forwarding, yours will break if dovecot listens only on
a secondary IP address, or at least that's what the manpage I grabbed
Post by Gedalya
REDIRECT
[...] It redirects the packet to the machine itself by changing the
^^^^^^^^^^^^
Post by Gedalya
destination IP to the primary address of the incoming interface
^^^^^^^^^^^^^^^^^^^^^^#######^^^^^^^^
Post by Gedalya
(locally-generated packets are mapped to the 127.0.0.1 address).
Regards,
J. Bern
--
*NEU* - NEC IT-Infrastruktur-Produkte im <http://www.linworks-shop.de/>:
Server--Storage--Virtualisierung--Management SW--Passion for Performance
Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Gesch?ftsf?hrer Metin Dogan, Oliver Michel
Gedalya
2014-08-25 22:01:39 UTC
Permalink
This post might be inappropriate. Click to display it.
Gedalya
2014-08-25 12:34:53 UTC
Permalink
Post by Rick Thomas
Can I have multiple ?service? clauses for the same service? Each with a different port?
Or multiple ?inet_listener imap?/?inet_listener imaps? clauses?
Or should I have something like this?
port = 143,30143
This works:

service imap-login {
inet_listener imap {
port = 143
}
inet_listener imap2 {
port = 144
}
#inet_listener imaps {
# port = 993
# ssl = yes
#}
}
Rick Thomas
2014-08-25 20:31:01 UTC
Permalink
OK, project for today: Give this a try?

Rick
Post by Reindl Harald
Post by Rick Thomas
Can I have multiple ?service? clauses for the same service? Each with a different port?
Or multiple ?inet_listener imap?/?inet_listener imaps? clauses?
Or should I have something like this?
port = 143,30143
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imap2 {
port = 144
}
#inet_listener imaps {
# port = 993
# ssl = yes
#}
}
Rick Thomas
2014-09-26 07:08:14 UTC
Permalink
I'm running Debian Wheezy with Dovecot version 2.1.7. The following works for me:

------------- /etc/dovecot/local.conf -----------
service imap-login {
inet_listener imap {
#port = 143
}
inet_listener imaps {
port = 7993
ssl = yes
}
inet_listener imaps2 {
port = 993
ssl = yes
}

# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1

# Number of processes to always keep waiting for more connections.
#process_min_avail = 0

# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
------------- /etc/dovecot/local.conf -----------

Thanks for all the help!

Rick

Loading...