user/dev discussion of public-inbox itself
* dovecot fronting for public-inbox-imapd + private mail groups?
@ 2022-12-21 18:35 Chris Brannon
  2022-12-21 19:54 ` Eric Wong
  0 siblings, 1 reply; 5+ messages in thread
From: Chris Brannon @ 2022-12-21 18:35 UTC (permalink / raw)
  To: meta

Perhaps this is a better question for the dovecot list, but I'll throw
it out here in case someone else has dealt with this scenario.

I self-host email, so I'm already running dovecot.  I also want to
publish some public-inbox archives over IMAP that are available to the
world, with anonymous access.  I essentially just have one public IPv4
address, so I'm limited to one public-facing IMAP server.

What I'd like to do is proxy all access to groups in the inbox.*
namespace to public-inbox-imapd, and open those up for anonymous access.
Everything else would remain private, requiring credentials.

Can it be done?  Are there better ways to do it?  In an ideal world,
everyone would be using IPv6 by now and this wouldn't be an issue.

-- Chris


* Re: dovecot fronting for public-inbox-imapd + private mail groups?
  2022-12-21 18:35 dovecot fronting for public-inbox-imapd + private mail groups? Chris Brannon
@ 2022-12-21 19:54 ` Eric Wong
  2022-12-21 21:07   ` Chris Brannon
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Wong @ 2022-12-21 19:54 UTC (permalink / raw)
  To: Chris Brannon; +Cc: meta

Chris Brannon <chris@the-brannons.com> wrote:
> Perhaps this is a better question for the dovecot list, but I'll throw
> it out here in case someone else has dealt with this scenario.
> 
> I self-host email, so I'm already running dovecot.  I also want to
> publish some public-inbox archives over IMAP that are available to the
> world, with anonymous access.  I essentially just have one public IPv4
> address, so I'm limited to one public-facing IMAP server.

I'm in the same situation.  My current workaround is to run my
personal IMAP stuff on a different port and keep 993+143 for
public-inbox-imapd.

> What I'd like to do is proxy all access to groups in the inbox.*
> namespace to public-inbox-imapd, and open those up for anonymous access.
> Everything else would remain private, requiring credentials.

I know nginx can support IMAP proxying, but I'm not sure if it
can decide on backend based on usernames or inboxes.  Would
appreciate an example config if you figure it out.

> Can it be done?  Are there better ways to do it?  In an ideal world,
> everyone would be using IPv6 by now and this wouldn't be an issue.

I'm already planning on adding support for HTTP proxying, so
IMAP proxying wouldn't be too big a step.


* Re: dovecot fronting for public-inbox-imapd + private mail groups?
  2022-12-21 19:54 ` Eric Wong
@ 2022-12-21 21:07   ` Chris Brannon
  2022-12-22 10:55     ` Chris Brannon
  0 siblings, 1 reply; 5+ messages in thread
From: Chris Brannon @ 2022-12-21 21:07 UTC (permalink / raw)
  To: Eric Wong; +Cc: meta

Eric Wong <e@80x24.org> writes:

> I'm in the same situation.  My current workaround is to run my
> personal IMAP stuff on a different port and keep 993+143 for
> public-inbox-imapd.

I thought about that and initially decided not to go that route, because
4 client configurations would need to be changed.  FWIW another option
occurred to me just now: only allowing access to the private IMAP server
over wireguard.  That has the added benefit of being more secure, and I
might do it for that reason alone.

> I know nginx can support IMAP proxying, but I'm not sure if it
> can decide on backend based on usernames or inboxes.

I totally forgot about nginx's mail proxy support.  It turns out that
for IMAP (and even POP3), nginx can handle the authentication too, and
it can use the result of authentication to select a given backend
server.  Nginx does its authentication by sending a request to an HTTP
endpoint defined in the config.  The protocol uses some custom HTTP
headers.  It can even rate-limit on failed auth attempts.  This looks
very flexible.

It's all quite doable, and I'll be happy to share my config and endpoint code
once I have something.

-- Chris
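
The nginx auth_http exchange described in the message above, as an added example (not part of the original post and not the config or endpoint code Chris mentions): a Python endpoint that routes an assumed `anonymous` login to public-inbox-imapd and every other user to dovecot, which still verifies the password itself when nginx replays the login. The backend addresses, listener port 9000 and the `anonymous` user name are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed backends (constructed values). nginx wants an IP address here,
# not a hostname, in the Auth-Server response header.
PUBLIC_INBOX = ("127.0.0.1", "1143")  # public-inbox-imapd, read-only archives
DOVECOT = ("127.0.0.1", "2143")       # private mailboxes, real credentials


def route(headers):
    """Turn nginx's auth_http request headers into response headers."""
    proto = headers.get("Auth-Protocol", "")
    user = headers.get("Auth-User", "")
    attempt = int(headers.get("Auth-Login-Attempt", "1") or 1)
    if proto != "imap" or not user:
        # Any Auth-Status other than OK is sent to the client as the error.
        # Auth-Wait makes nginx pause before the client may retry, which
        # slows down guessing; the delay grows per attempt, capped at 10 s.
        return {"Auth-Status": "Invalid login or password",
                "Auth-Wait": str(min(2 * attempt, 10))}
    # Only the exact anonymous login reaches the public archive; every other
    # name goes to dovecot, which rejects a wrong password on its own.
    host, port = PUBLIC_INBOX if user.lower() == "anonymous" else DOVECOT
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": port}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # nginx expects HTTP 200 in every case; the verdict is in the headers.
        # The Auth-Pass request header holds the cleartext password, so
        # request headers must never be written to a log.
        self.send_response(200)
        for name, value in route(self.headers).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only: the endpoint trusts whatever headers it receives, so
    # nothing but the local nginx should be able to reach it.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```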


* Re: dovecot fronting for public-inbox-imapd + private mail groups?
  2022-12-21 21:07   ` Chris Brannon
@ 2022-12-22 10:55     ` Chris Brannon
  2022-12-22 11:38       ` Eric Wong
  0 siblings, 1 reply; 5+ messages in thread
From: Chris Brannon @ 2022-12-22 10:55 UTC (permalink / raw)
  To: Eric Wong; +Cc: meta

Well, nginx as a mail proxy looks promising, but it doesn't yet work
with public-inbox-imapd.  Nginx sends the authentication information as
synchronizing literals [RFC9051, section 4.3].

So the login sequence looks similar to this example lifted from RFC9051
section 7.6:

     C: A001 LOGIN {11}
     S: + Ready for additional command text
     C: FRED FOOBAR {7}
     S: + Ready for additional command text
     C: fat man
     S: A001 OK LOGIN completed

I could potentially look into working up a patch, though my Perl is
rusty and more than 15 years out of practice.

-- Chris


* Re: dovecot fronting for public-inbox-imapd + private mail groups?
  2022-12-22 10:55     ` Chris Brannon
@ 2022-12-22 11:38       ` Eric Wong
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Wong @ 2022-12-22 11:38 UTC (permalink / raw)
  To: Chris Brannon; +Cc: meta

Chris Brannon <chris@the-brannons.com> wrote:
> Well, nginx as a mail proxy looks promising, but it doesn't yet work
> with public-inbox-imapd.  Nginx sends the authentication information as
> synchronizing literals [RFC9051, section 4.3].

Oops, yeah...  public-inbox-imapd doesn't yet support most uses
of synchronizing literals since it's mostly for read-only stuff
which clients will send in a line-oriented way.

> So the login sequence looks similar to this example lifted from RFC9051
> section 7.6:
> 
>      C: A001 LOGIN {11}
>      S: + Ready for additional command text
>      C: FRED FOOBAR {7}
>      S: + Ready for additional command text
>      C: fat man
>      S: A001 OK LOGIN completed
> 
> I could potentially look into working up a patch, though my Perl is
> rusty and more than 15 years out of practice.

I would probably adapt the existing HTTP psgi.input logic for
dealing with them.  But no worries, I should be able to handle
it.  I'd have to support them eventually if I turn lei into a
localhost-only R/W IMAP server.
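
The difference between line-oriented parsing and synchronizing literals discussed in the two messages above, as an added example (not part of the thread and not public-inbox code): a Python reader that resolves `{N}` literals in one command, next to what a purely line-oriented parser sees for the same bytes. The function names and the 1024-byte pre-authentication cap are assumptions, and only atoms and literals are handled (no quoted strings, no `{N+}` non-synchronizing form).

```python
import io
import re

LITERAL = re.compile(rb"\{(\d+)\}\r\n$")  # "{N}" must end the line
MAX_LITERAL = 1024  # assumed cap: unauthenticated peers get a small budget

# Constructed wire bytes for the RFC 9051 section 7.6 LOGIN quoted above.
WIRE = b"A001 LOGIN {11}\r\nFRED FOOBAR {7}\r\nfat man\r\n"


def line_oriented(wire):
    """What a parser sees if it treats the first CRLF as end of command."""
    return wire.split(b"\r\n", 1)[0].split()


def read_command(stream, send):
    """Read one command, answering each literal with a continuation."""
    tokens = []
    while True:
        line = stream.readline()
        if not line.endswith(b"\r\n"):
            raise ValueError("truncated command")
        m = LITERAL.search(line)
        tokens += (line[:m.start()] if m else line[:-2]).split()
        if not m:
            return tokens  # a line without a trailing literal ends the command
        size = int(m.group(1))
        if size > MAX_LITERAL:
            # Refuse before sending "+", so the peer never gets to stream
            # an oversized literal into server memory.
            raise ValueError("literal too large")
        send(b"+ Ready for additional command text\r\n")
        data = stream.read(size)  # exact byte count; may contain spaces/CRLF
        if len(data) != size:
            raise ValueError("short literal")
        tokens.append(data)


if __name__ == "__main__":
    sent = []
    print(line_oriented(WIRE))
    print(read_command(io.BytesIO(WIRE), sent.append), len(sent))
```

On a live socket the client waits for each `+` line before sending the literal bytes; the in-memory stream here has them buffered already, which does not change the parsing.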


Code repositories for project(s) associated with this public inbox

	https://80x24.org/public-inbox.git
