Nginx configuration for imap

Naresh V nareshov at gmail.com
Mon Mar 22 21:55:39 EDT 2010


On 23 March 2010 03:18, Bron Gondwana <brong at fastmail.fm> wrote:
> On Mon, Mar 22, 2010 at 01:52:55PM +0000, Naresh V wrote:
>> Bron Gondwana <brong <at> fastmail.fm> writes:
>>
>> [...]
>> >
>> > Why does the auth fail on the backend server?  It never should.  If it does
>> > that means you've screwed up pretty badly.  You can give the failure from
>> > nginx by just passing an Auth-Status header.
>> >
>>
>> It fails on the backend server when the password that went in in the first place
>> is wrong.
>>
>> I think nginx is at fault here since it considers the AUTHENTICATIONFAILED
>> response from the (dovecot) IMAP server as an invalid response.
>>
>> 2010/03/22 13:36:27 [info] 19575#0: *2 client <IP1> connected to 0.0.0.0:143
>> 2010/03/22 13:36:34 [error] 19575#0: *1 upstream sent invalid response: "NO
>> [AUTHENTICATIONFAILED] Authentication failed."while reading response from
>> upstream, client: 127.0.0.1, server: 0.0.0.0:143, login: "email at domain.com",
>> upstream: yy.yy.yy.yy:143
>>
>> (telnet session:
>>
>> * OK IMAP4 ready
>> a login email at domain.com wrongpassword
>> * BAD internal server error
>> Connection closed by foreign host.
>> )
>>
>> Email clients such as thunderbird 3 or opera's M2 have trouble making sense of
>> such behaviour by nginx and don't even attempt to pop up the authentication
>> dialog box again.
>
> What on earth is your nginx authentication agent doing with that login?
> Is it returning "this password is correct"?  No wonder nginx is confused.
> You're _supposed_ to be checking the password before it gets passed to the
> backend.
>
> Make a proper nginx authentication agent and you'll be fine.
>

Nginx isn't returning "this password is incorrect", it only says "BAD
internal server error" and interrupts the connection with the client
instead of relaying back the actual AUTHENTICATIONFAILED message from
the actual IMAP server.  I get properly authenticated by the actual
IMAP server when I _do_ provide the real password and I'm able to see
my mails. (See attached image).

My nginx agent is only playing the role of a redirector. It examines
the incoming username, which is in the form of 'user at domain1.com' and
looks it up in the DB to find out which backend IMAP server this
user's mails are present in and returns the appropriate server in
Auth-Server.

-N
p.s. http://nginx.org/pipermail/nginx/attachments/20090905/685e1310/attachment.png
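
An added example, not part of the original message or of either poster's setup: a minimal auth_http agent for nginx's mail proxy that checks the password itself, as the quoted reply recommends, and only then returns the backend in Auth-Server. The user table, the PBKDF2 hashing, the addresses and the listening port 9000 are assumptions made for illustration.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample table: user -> (salt, password hash, backend IP, port).
USERS = {
    "user@domain1.com": (b"s1", _hash("correct horse", b"s1"), "192.0.2.10", "143"),
}
_DUMMY = (b"s0", _hash("unused", b"s0"), "", "")

def auth_response(headers, users=USERS):
    """Map nginx's Auth-* request headers to the Auth-* reply headers."""
    # nginx percent-escapes some characters (space, '%') in these two headers.
    user = unquote(headers.get("Auth-User", ""))
    password = unquote(headers.get("Auth-Pass", ""))
    salt, stored, server, port = users.get(user, _DUMMY)
    # Hash even for unknown users so both failure paths cost the same.
    ok = hmac.compare_digest(_hash(password, salt), stored) and user in users
    if not ok:
        # Rejected here, so the backend never sees a bad login. nginx sends
        # this text to the client as the failure reply and, because Auth-Wait
        # is present, keeps the session open for another attempt.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    # Only verified logins are handed to a backend (Auth-Server must be an IP).
    return {"Auth-Status": "OK", "Auth-Server": server, "Auth-Port": port}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)  # always 200; the verdict is in the headers
        for name, value in auth_response(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

With an agent like this, a wrong password is answered by nginx from the Auth-Status text instead of being forwarded to the IMAP backend, which is the case that produced the "upstream sent invalid response" log entry quoted above.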


More information about the Info-cyrus mailing list