Forum: NGINX nginx imap proxy issue with imap

David Farrar (Guest)
on 2008-11-12 20:11
(Received via mailing list)
Hello,

We're using nginx to proxy imap connections across a number of backends.
All was fine until we introduced a new backend server running dovecot
and discovered that we were (apparently) randomly seeing an 'internal
server error' while trying to authenticate.

The trigger for this problem seems to be dovecot sometimes returning the
string:
"* OK Waiting for authentication process to respond.."
before responding
"+ OK" to the login command.

Section 2.2.1 of RFC 3501 states:

  """
        It is also possible for the server to send a completion
        response for some other command (if multiple commands are
        in progress), or untagged data.  In either case, the
        command continuation request is still pending; the client
        takes the appropriate action for the response, and reads
        another response from the server.
  """

so it looks like nginx is incorrectly terminating the connection because
it read data that it didn't expect.

Has anybody else come across a similar situation and found a way to
resolve the problem?

I guess that it should be fairly trivial to just read and ignore lines
from the server until we find a line starting with the expected tag. I'm
not too familiar with nginx however so I'd be very happy if anyone has a
better fix to suggest before I look into doing that :D
Maxim D. (Guest)
on 2008-11-12 20:46
(Received via mailing list)
Hello!

On Wed, Nov 12, 2008 at 05:54:43PM +0000, David Farrar wrote:

>
>
> so it looks like nginx is incorrectly terminating the connection because
> it read data that it didn't expect.

Yes, it's a known issue.  Generally speaking - nginx expects highly
controlled behaviour from the imap backend and doesn't implement all
of the RFC 3501 aspects.

> Has anybody else come across a similar situation and found a way to
> resolve the problem?

IMHO, at first you should focus on fixing your dovecot's auth -
the message you cited is only sent if there was no response from
the auth server for 30 seconds.  This is too much for real life.

> I guess that it should be fairly trivial to just read and ignore lines
> from the server until we find a line starting with the expected tag. I'm
> not too familiar with nginx however so I'd be very happy if anyone has a
> better fix to suggest before I look into doing that :D

I don't think these lines should be ignored - they should be
transferred to the client instead.  Of course this applies only to
untagged data - everything else is still an error at this point and
should terminate the connection.

Maxim D.
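
The handling discussed in this thread, as an added C example that is not nginx's code and not code from either poster: untagged `* ` lines from the backend are relayed while the login command is still pending, a `+ ` continuation or a matching tagged response settles it, and anything else is treated as an error that ends the connection. The function names, the tag `a001` and the sample lines are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of reading one backend line while a login command is pending. */
typedef enum { IMAP_UNTAGGED, IMAP_CONTINUE, IMAP_TAGGED_OK,
               IMAP_TAGGED_FAIL, IMAP_INVALID } imap_line_t;

/* Classify one CRLF-stripped backend line against the proxy's command tag. */
imap_line_t imap_classify(const char *line, const char *tag)
{
    size_t n = strlen(tag);

    if (strncmp(line, "* ", 2) == 0)
        return IMAP_UNTAGGED;          /* untagged data: relay, keep waiting */
    if (strncmp(line, "+ ", 2) == 0)
        return IMAP_CONTINUE;          /* command continuation request */
    if (strncmp(line, tag, n) == 0 && line[n] == ' ') {
        const char *st = line + n + 1; /* status word after "tag " */
        if (strncmp(st, "OK", 2) == 0 && (st[2] == ' ' || st[2] == '\0'))
            return IMAP_TAGGED_OK;
        return IMAP_TAGGED_FAIL;       /* NO, BAD or any other tagged reply */
    }
    return IMAP_INVALID;               /* foreign tag or junk: drop connection */
}

/* Read lines until one settles the pending command. Untagged lines are
 * counted in *relayed; a real proxy would write them to the client here. */
imap_line_t imap_wait(const char **lines, size_t count, const char *tag,
                      size_t *relayed)
{
    *relayed = 0;
    for (size_t i = 0; i < count; i++) {
        imap_line_t t = imap_classify(lines[i], tag);
        if (t != IMAP_UNTAGGED)
            return t;
        (*relayed)++;
    }
    return IMAP_INVALID;               /* input ended with command pending */
}

/* Constructed sample: the slow-auth notice quoted above, then "+ OK". */
static const char *sample_backend[] = {
    "* OK Waiting for authentication process to respond..", "+ OK" };

int main(void)
{
    size_t relayed;
    return imap_wait(sample_backend, 2, "a001", &relayed) == IMAP_CONTINUE ? 0 : 1;
}
```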