
I'm trying to set up Dovecot as authenticating reverse proxy, in front of an already running IMAP server to accomplish the following:

  • Have Dovecot authenticate users using Kerberos/GSSAPI (to allow Single-Sign-On).
  • If properly authenticated, have Dovecot proxy to the existing IMAP server with the authenticated username using the regular AUTH=PLAIN method, but with a random/empty password. I want exactly that, since I will have the backend IMAP server trust the authenticating proxy, but it still requires a PLAIN IMAP login with a dummy password.

How far did I get?

The main challenge I'm dealing with is the combination of the two. The Kerberos/GSSAPI authentication page starts off with this:

The Kerberos authentication mechanism doesn't require having a passdb, but you do need a userdb so Dovecot can look up user-specific information, such as where their mailboxes are stored.

Well, this reads like a double anti-feature to me: I need a passdb to proxy in the first place, and I don't want it to be aware of "such as where their mailboxes are stored", as it should just proxy everything onto the backend server.

So, could anyone point me into the right direction here?

(I'm just starting with Dovecot, so please bear with me. Also, it's not a requirement to use Dovecot, by the way. The IMAP server I use as backend is Kopano Gateway, which seems to lack SSO support, but it does let me bypass password authentication.)

gertvdijk

2 Answers

Set the passdb attrs to include pass=master password. Dovecot needs a password to try against the proxy. With GSSAPI it obviously doesn't have one, so provide your master password (or with kopano you can put anything if you have bypass_auth set). See Dovecot Docs, specifically the section "master password".

chicks
Alex
  • Thanks! I'll try this out some time soon. Since it's been half a year that I was working on this, it may take a bit. – gertvdijk Jul 23 '19 at 22:46
  • No worries, sorry for resurrecting! I have just set this up with dovecot and kopano-server and came across your question whilst struggling myself. It's all working now so it is possible. Also recommend not disabling pipelining in the proxy command otherwise IMAP will be super slow. – Alex Jul 29 '19 at 23:34
  • Could you share a bit more on your configuration? I fail to set up a virtual user mapping. Dovecot keeps complaining `Error: mail_location not set and autodetection failed: Mail storage autodetection failed with home=(not set)`, but that seems so weird for a passdb with `args = proxy=y`... fail to understand. – gertvdijk Aug 01 '19 at 01:12
  • I seem to fail to set up a simple proxy already, so I posted a [new Q](https://serverfault.com/q/977502/135437). Thanks for your help. – gertvdijk Aug 01 '19 at 01:54

Got it to work in the end with the hints by Alex in the other answer and some final help on the Dovecot mailing list, where Timo, the original Dovecot author, responded.

Full example of a dovecot.conf below. The main trick is the full args line in the passdb section. Without password=something or nopassword=y, it thinks mail is locally stored and proxying isn't turned on, and you'll see the error `Error: mail_location not set and autodetection failed: Mail storage autodetection failed with home=(not set)`. More small caveats inline in the comments.

protocols = imap

passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143 pass=masterpass nopassword=y
}

# Deliberately omitted userdb, because this is a proxy.

# Kerberos authentication settings
auth_mechanisms = gssapi
auth_gssapi_hostname = mailhost.mydomain.tld
auth_realms = MY-REALM.DOMAIN.TLD
auth_default_realm = MY-REALM.DOMAIN.TLD
# This keytab file contains keys for principal imap/mailhost.mydomain.tld@MY-REALM.DOMAIN.TLD
# Unlike SSL keys/certs, do not use '= <', but plain '=' to path of file.
auth_krb5_keytab = /etc/dovecot/imap.keytab
# Pass only local username part to the backend.
auth_username_format = %n

# Logging to foreground with some verbose logging for authentication.
log_path = /dev/stderr
auth_verbose = yes

# Require StartTLS or plain TLS for any interaction.
ssl = required
ssl_cert = </path/to/cert.crt
ssl_key = </path/to/key.pem
ssl_prefer_server_ciphers = yes
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

The log will then show:

imap-login: Info: proxy(username): started proxying to 127.0.0.1:1143: user=<username>, method=GSSAPI, rip=1.2.3.4, lip=9.9.9.9, TLS, session=<iJvnvg6P8KEKAAYE>
gertvdijk
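A small configuration check for the pitfall described in this answer, added here as an example and not part of the original post: it parses a minimal dovecot.conf, confirms the static passdb carries proxy=y together with pass= or nopassword=y (otherwise Dovecot treats mail as local and proxying never starts), and confirms gssapi and ssl=required are set. The two sample configs are constructed; the parser only handles the flat key = value and block syntax used in this answer.

```python
# Constructed sample: the pitfall from the answer (proxy=y, but no pass=/nopassword=y).
BROKEN_CONF = """\
passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143
}
auth_mechanisms = gssapi
ssl = yes
"""

# Constructed sample: the working shape of the passdb/ssl settings from the answer.
GOOD_CONF = """\
passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143 pass=masterpass nopassword=y
}
auth_mechanisms = gssapi
ssl = required
"""

def parse_conf(text):
    """Flatten a minimal dovecot.conf into {'ssl': 'required', 'passdb.args': '...', ...}."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                       # "passdb {" opens a block named passdb
            stack.append(line[:-1].strip().split()[0])
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[".".join(stack + [key])] = value
    return settings

def check_proxy_conf(text):
    """Return findings for a GSSAPI-authenticating Dovecot proxy; empty list means OK."""
    s = parse_conf(text)
    # passdb args is a space-separated list of key=value pairs
    args = dict(a.split("=", 1) if "=" in a else (a, "") for a in s.get("passdb.args", "").split())
    findings = []
    if args.get("proxy") != "y":
        findings.append("passdb args lack proxy=y")
    elif "pass" not in args and args.get("nopassword") != "y":
        findings.append("proxy=y without pass=/nopassword=y: Dovecot will treat mail as local")
    if "gssapi" not in s.get("auth_mechanisms", "").split():
        findings.append("auth_mechanisms does not include gssapi")
    if s.get("ssl") != "required":
        findings.append("ssl is not 'required': client sessions may be unencrypted")
    return findings
```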