summaryrefslogtreecommitdiffstats
path: root/doc/wiki/PasswordDatabase.ExtraFields.Host.txt
blob: 3a822c277809fba5e6c953bb4d64ca987f64ea47 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
Login referrals
===============

Login referrals are an IMAP extension specified by RFC 2221
[https://tools.ietf.org/html/rfc2221]. Their purpose is to redirect clients to
an different IMAP4 server in case of hardware failures or organizational
changes. No client action is needed to invoke the LOGIN-REFERRALS capability:
the redirection is triggered by the server and occurs transparently.

A security consideration is in order. As also stated by RFC 2221, a man in the
middle attack may use a rogue 'password catching' server to collectlogin data
and redirect your clients to their own rogue IMAP4 server. Although this would
be avoided by enforcing SSL/TLS. Login referrals are not supported by many
clients, so you probably don't want to use them anyway.

Dovecot does not use login referrals by default.

Configuration
-------------

Note that the "host" field is also used by <proxying>
[PasswordDatabase.ExtraFields.Proxy.txt]. Login referrals are used only if the
proxy field isn't set.

Login referrals can be used in two ways:

 1. Tell the client to log into another server without allowing to log in
    locally.
 2. Suggest the client to log into another server, but log it in anyway.

The following fields can be used to configure login referrals:

 * 'host=s': The destination server's hostname. This field is required for
   login referrals to be used.
 * 'port=s': The destination server's port. The default is 143.
 * 'destuser=s': Tell client to use a different username when logging in.
 * 'reason=s': Optional reason to use as the reply to the login command. The
   default is "Logged in, but you should use this server instead."

Using the above settings you can suggest client to log in elsewhere. To require
it, you'll also have to return:

 * 'nologin': User is not allowed to log in.
 * 'reason=s': Optional reason. The default is "Try this server instead.".

Client support
--------------

The following clients are known to support login referrals:

 * Pine
 * Outlook (but not Outlook Express)

Examples
--------

Forward user to another server after successful authentication:

---%<-------------------------------------------------------------------------
password_query = SELECT password, host, 'Y' as nologin FROM users WHERE userid
= '%u'
---%<-------------------------------------------------------------------------

Forward all users to another server without authentication:

---%<-------------------------------------------------------------------------
password_query = \
  SELECT NULL AS password, 'Y' AS nopassword \
  'imap2.example.com' AS host, \
  'This server is down, try another one.' AS reason, \
  'Y' AS nologin, \
  'Y' AS nodelay
---%<-------------------------------------------------------------------------

(This file was created from the wiki on 2019-06-19 12:42)