Nginx imap proxy issue with imap


#1

Hello,

We’re using nginx to proxy imap connections across a number of backends.
All was fine until we introduced a new backend server running dovecot
and discovered that we were (apparently) randomly seeing an ‘internal
server error’ while trying to authenticate.

The trigger for this problem seems to be dovecot sometimes returning the
string:
“* OK Waiting for authentication process to respond…”
before responding
“+ OK” to the login command.

Section 2.2.1 of RFC 3501 states

"""
It is also possible for the server to send a completion
response for some other command (if multiple commands are
in progress), or untagged data. In either case, the
command continuation request is still pending; the client
takes the appropriate action for the response, and reads
another response from the server.
"""

so it looks like nginx is incorrectly terminating the connection because
it read data that it didn’t expect.

Has anybody else come across a similar situation and found a way to
resolve the problem?

I guess that it should be fairly trivial to just read and ignore lines
from the server until we find a line starting with the expected tag. I’m
not too familiar with nginx however so I’d be very happy if anyone has a
better fix to suggest before I look into doing that :smiley:


#2

Hello!

On Wed, Nov 12, 2008 at 05:54:43PM +0000, David Farrar wrote:

> so it looks like nginx is incorrectly terminating the connection because
> it read data that it didn’t expect.

Yes, it’s a known issue. Generally speaking - nginx expects highly
controlled behaviour from the imap backend and doesn’t implement all
of the RFC 3501 aspects.

> Has anybody else come across a similar situation and found a way to
> resolve the problem?

IMHO, at first you should focus on fixing your dovecot’s auth -
the message you cited is only sent if there was no response from
the auth server for 30 seconds. This is too long for real life.

> I guess that it should be fairly trivial to just read and ignore lines
> from the server until we find a line starting with the expected tag. I’m
> not too familiar with nginx however so I’d be very happy if anyone has a
> better fix to suggest before I look into doing that :smiley:

I don’t think these lines should be ignored - they should be
transferred to the client instead. Of course this applies only to
untagged data - everything else is still an error at this point and
should terminate the connection.

Maxim D.
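
The handling suggested in the reply above, sketched as an added example (not part of the thread and not nginx code): while the proxy waits for the backend's continuation or tagged response, untagged lines are queued for the client and anything else closes the connection. The function names, the `a1` tag and the two caps are assumptions; the sample lines are constructed from the strings quoted in the first post.

```python
MAX_UNTAGGED = 16   # assumed cap: a chatty backend must not stall login forever
MAX_LINE = 8192     # assumed cap on a single response line

def classify(line: bytes, tag: bytes) -> str:
    """Classify one backend line using RFC 3501 response syntax."""
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        return "invalid"
    if line.startswith(b"* "):
        words = line[2:].split(None, 1)
        # Untagged BYE means the backend is hanging up; do not keep waiting.
        return "bye" if words and words[0].upper() == b"BYE" else "untagged"
    if line == b"+\r\n" or line.startswith(b"+ "):
        return "continue"   # command continuation request
    if line.startswith(tag + b" "):
        words = line[len(tag) + 1:].split(None, 1)
        status = words[0].upper() if words else b""
        return {b"OK": "ok", b"NO": "no", b"BAD": "bad"}.get(status, "invalid")
    return "invalid"        # wrong tag or unparseable data

def wait_for(lines, tag: bytes, expect: str):
    """Consume backend lines until `expect` ('continue' or 'ok') arrives.

    Returns (outcome, to_client): outcome is 'proceed' or 'close';
    to_client holds the untagged lines to pass on to the client.
    """
    to_client = []
    for line in lines:
        kind = classify(line, tag)
        if kind == "untagged" and len(to_client) < MAX_UNTAGGED:
            to_client.append(line)   # relay instead of treating as an error
            continue
        return ("proceed" if kind == expect else "close"), to_client
    return "close", to_client        # backend closed before answering

# Constructed sample: the delayed-auth notice followed by the continuation.
SAMPLE = [
    b"* OK Waiting for authentication process to respond...\r\n",
    b"+ OK\r\n",
]

if __name__ == "__main__":
    print(wait_for(SAMPLE, b"a1", "continue"))
```
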