This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.


Dovecot supports proxying IMAP and POP3 connections to other hosts. The proxying can be done for all users, or only for some specific users. There are two ways to do the authentication:

  1. Forward the password to the remote server and let it perform the actual authentication. This requires that the client uses only plaintext authentication.
  2. Let the Dovecot proxy perform the authentication and log in to the remote server using the proxy's master password (see MasterPassword). This also allows the client to use non-plaintext authentication.

The proxy is configured pretty much the same way as login referrals (see PasswordDatabase/ExtraFields/Host), with the addition of the proxy field. The common fields to use for both proxying ways are:

The connections created to the destination server can't be TLS/SSL encrypted.

The destination servers don't need to be running Dovecot, but you should make sure that the Dovecot proxy doesn't advertise more capabilities than the destination server can handle. For IMAP you can do this by changing the imap_capability setting. For POP3 you'll have to modify Dovecot's sources for now (src/pop3/capability.h).
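One way to work out a value for imap_capability, as an added example that is not part of the original Dovecot documentation: it keeps only the capabilities that every destination server also advertises. The function names and the sample CAPABILITY lines are constructed for illustration, and leaving STARTTLS, LOGINDISABLED and AUTH= out of the comparison (as properties of the proxy's own login stage) is an assumption.

```python
import re

# Assumption: these describe the proxy's own login stage, not the destination.
LOGIN_STAGE = ("STARTTLS", "LOGINDISABLED")


def parse_capabilities(line):
    """Return capability atoms from an IMAP greeting or CAPABILITY response."""
    # Greeting form: * OK [CAPABILITY IMAP4rev1 ...] text
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.IGNORECASE)
    if m is None:
        # Untagged response form: * CAPABILITY IMAP4rev1 ...
        m = re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError("no CAPABILITY data in %r" % line)
    return [c for c in m.group(1).split()
            if c.upper() not in LOGIN_STAGE
            and not c.upper().startswith("AUTH=")]


def safe_imap_capability(proxy_line, backend_lines):
    """Return (imap_capability value, proxy capabilities to stop advertising)."""
    if not backend_lines:
        raise ValueError("need at least one destination server")
    common = None
    for line in backend_lines:
        caps = {c.upper() for c in parse_capabilities(line)}
        common = caps if common is None else common & caps
    proxy_caps = parse_capabilities(proxy_line)
    keep = [c for c in proxy_caps if c.upper() in common]
    drop = [c for c in proxy_caps if c.upper() not in common]
    return " ".join(keep), drop


# Constructed sample lines (not captured from real servers).
PROXY = ("* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND "
         "UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS "
         "STARTTLS AUTH=PLAIN")
BACKENDS = [
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ IDLE NAMESPACE CHILDREN UNSELECT "
    "AUTH=PLAIN] ready",
    "* CAPABILITY IMAP4rev1 IDLE NAMESPACE CHILDREN UNSELECT SORT",
]

if __name__ == "__main__":
    value, dropped = safe_imap_capability(PROXY, BACKENDS)
    print("imap_capability = " + value)
    print("not supported by every destination: " + " ".join(dropped))
```

Feed it the proxy's current CAPABILITY line and one line per destination server; the first return value goes into imap_capability on the proxy.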

Password forwarding

Make sure that the authentication succeeds with any given password. You can do this by using empty passwords. v1.1+ also requires that you return the nopassword field.

Master password

This way of forwarding requires the destination server to support the master user feature. The users are authenticated normally in the proxy and the common proxy fields are returned, but you'll also need to return two special fields:

For the master user logins it'd be cleaner to use a SASL mechanism with authorization ID, but for now this isn't supported.

If the destination server is Dovecot, you can return these fields like:

Then in the destination Dovecot's config file set auth_master_user_separator=* and create a master user named proxy with password secret. See MasterPassword for more information on how to configure this.

Example password forwarding SQL configuration

Create the SQL table:

  CREATE TABLE proxy (
    user varchar(255) NOT NULL,
    host varchar(16) default NULL,
    destuser varchar(255) NOT NULL default '',
    PRIMARY KEY (user)
  );

Insert data into the table corresponding to your users.

Working data could look like this:






The important parts of dovecot.conf:

# If you want to trade a bit of security for higher performance, change these settings:
login_process_per_connection = no
login_processes_count = 20

# If you are not moving mailboxes from one host to another on a daily basis
# you can use the authentication cache pretty safely.
auth_cache_size = 4096

auth default {
  mechanisms = plain

  # dovecot-auth only needs to be able to connect to SQL
  user = nobody
  # Userdb settings are not used with proxy but there needs to be something.
  userdb static {
    args = uid=0 gid=0
  }
  passdb sql {
    args = /usr/local/etc/dovecot-sql.conf
  }
}

The important parts of dovecot-sql.conf:

# Database driver: mysql, pgsql
driver = mysql

# Database connect string.
# Only the MySQL driver supports multiple hosts for now.
connect = host=sqlhost1 host=sqlhost2 dbname=mail user=dovecot password=secret

# Query
password_query = SELECT NULL AS password, host, destuser, 'Y' AS proxy FROM proxy WHERE user = '%u'