From mboxrd@z Thu Jan 1 00:00:00 1970
From: Chris Brannon
To: Eric Wong
Cc: meta@public-inbox.org
Subject: Re: dovecot fronting for public-inbox-imapd + private mail groups?
References: <87r0wsli5d.fsf@the-brannons.com> <20221221195421.GB5179@dcvr>
Date: Wed, 21 Dec 2022 13:07:51 -0800
In-Reply-To: <20221221195421.GB5179@dcvr> (Eric Wong's message of "Wed, 21 Dec 2022 19:54:21 +0000")
Message-ID: <87ili4lb2w.fsf@the-brannons.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain

Eric Wong writes:

> I'm in the same situation. My current workaround is to run my
> personal IMAP stuff on a different port and keep 993+143 for
> public-inbox-imapd.

I thought about that and initially decided not to go that route,
because 4 client configurations would need to be changed.

FWIW another option occurred to me just now: only allowing access to
the private IMAP server over wireguard. That has the added benefit of
being more secure, and I might do it for that reason alone.

> I know nginx can support IMAP proxying, but I'm not sure if it
> can decide on backend based on usernames or inboxes.

I totally forgot about nginx's mail proxy support. It turns out that
for IMAP (and even POP3), nginx can handle the authentication too, and
it can use the result of authentication to select a given backend
server. Nginx does its authentication by sending a request to an HTTP
endpoint defined in the config. The protocol uses some custom HTTP
headers. It can even rate-limit on failed auth attempts. This looks
very flexible.

It's all quite doable, and I'll be happy to share my config and
endpoint code once I have something.

-- 
Chris
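
An added illustration of the nginx auth_http exchange mentioned in the message above; it is not Chris's config or endpoint code, which the message only promises. The Auth-* header names are the ones nginx's mail proxy uses; the backend addresses, the "anonymous" username for public readers, the account table, the attempt limit and the listen port are assumptions made for the example.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values (assumptions). Auth-Server must be an IP address.
PUBLIC_BACKEND = ("127.0.0.1", "1143")    # assumed public-inbox-imapd listener
PRIVATE_BACKEND = ("127.0.0.1", "10143")  # assumed private IMAP server
MAX_ATTEMPTS = 3                          # assumed cut-off for failed logins

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = b"constructed-salt"
PRIVATE_USERS = {"chris": (SALT, _kdf("constructed-sample-pw", SALT))}

def decide(req):
    """Map nginx's Auth-* request headers to Auth-* response headers."""
    if req.get("Auth-Protocol") != "imap":
        return {"Auth-Status": "Unsupported protocol"}
    user = req.get("Auth-User", "")
    if user == "anonymous":  # assumption: public readers log in as "anonymous"
        host, port = PUBLIC_BACKEND
        return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": port}
    salt, stored = PRIVATE_USERS.get(user, (b"unknown-user-salt", b""))
    # Run the KDF even for unknown users so both cases cost similar time.
    candidate = _kdf(req.get("Auth-Pass", ""), salt)
    if hmac.compare_digest(candidate, stored):
        host, port = PRIVATE_BACKEND
        return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": port}
    deny = {"Auth-Status": "Invalid login or password"}
    # With Auth-Wait nginx pauses that many seconds, then lets the client
    # retry; without it nginx reports the error and closes the connection.
    if int(req.get("Auth-Login-Attempt", "1")) < MAX_ATTEMPTS:
        deny["Auth-Wait"] = str(2 ** int(req.get("Auth-Login-Attempt", "1")))
    return deny

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        out = decide(self.headers)
        self.send_response(200)  # the verdict is in the headers, not the status
        for name, value in out.items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

The endpoint should listen only on loopback or another private interface, since nginx sends it the client's password in the Auth-Pass header.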