Nginx imaps auth_http dovecot

Hi,

I’m not sure what I have to use as a URL for auth_http,
because Dovecot uses a PostgreSQL database.

My Config:

mail {
    auth_http localhost:9000/cgi-bin/auth;

    imap_auth cram-md5;
    smtp_auth cram-md5;
    imap_capabilities "IMAP4rev1" "UIDPLUS";
    proxy on;

    server {
        listen imap.server.org:993;
        server_name imap.server01.org;
        ssl on;
        ssl_certificate /usr/local/nginx/ssl/imap.pilshusen.de.crt;
        ssl_certificate_key /usr/local/nginx/ssl/imap.pilshusen.de.key;

        ssl_session_timeout 5m;

        ssl_protocols SSLv2 SSLv3 TLSv1;

        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

        ssl_prefer_server_ciphers on;

        protocol imap;
    }
}

And I got the following error:

2011/03/06 22:17:17 [error] 1564#0: *8 recv() failed (111: Connection
refused) while in http auth state, client: 188.192.38.254, server:
84.210.211.83:993, login: “[email protected]

Regards,
alokat

Hello!

On Sun, Mar 06, 2011 at 10:22:38PM +0100, Alokat wrote:

I’m not sure what I have to use as a URL for auth_http,
because Dovecot uses a PostgreSQL database.

http://wiki.nginx.org/MailAuthModule#auth_http

Maxim D.

Hi, I want to run nginx for POPS.
I configured nginx to listen on 995; the actual POPS is running on 1995 (both
on the same server; tried on different servers also, still the same error).
If I do openssl s_client -ssl3 -connect :1995, authentication
works fine,
but if I do openssl s_client -ssl3 -connect :995, authentication
is not working; it just hangs after entering the password.
I’m not using epoll also.
Please suggest.

Thanks for patience.

Posted at Nginx Forum:

Hello!

On Fri, Apr 29, 2011 at 12:41:32PM -0400, moorthi wrote:

Hi, I want to run nginx for POPS.
I configured nginx to listen on 995; the actual POPS is running on 1995 (both
on the same server; tried on different servers also, still the same error).
If I do openssl s_client -ssl3 -connect :1995, authentication
works fine,
but if I do openssl s_client -ssl3 -connect :995, authentication
is not working; it just hangs after entering the password.
I’m not using epoll also.
Please suggest.

  1. You have to set up a correct auth_http script. Assuming you’ve
    already done it.

  2. SSL backends aren’t supported by nginx mail proxy; you need a
    non-SSL backend and to direct nginx to it.

BTW, looking into error_log usually helps a lot.

Maxim D.

Hello!

On Mon, May 02, 2011 at 01:15:08AM -0400, moorthi wrote:

auth_http script and other settings are done correctly;
this is what I am getting in error.log:
upstream timed out (111: Connection timed out) while connecting to
upstream

I believe this is clear enough: nginx wasn’t able to connect to
upstream (backend) server. Check backend server and port returned
by auth_http script.

It’s saying +OK for user in connect,
but after entering pass it’s giving the above error.

After PASS command nginx will try to authenticate client with
auth_http script and then connect to upstream (backend) server.
As soon as connection to upstream times out - nginx should return
“-ERR internal server error” in reply to PASS command (if client
is still here).

Maxim D.
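
The auth_http exchange described in the reply above, as an added example that is not from any poster in this thread or from the nginx project: a minimal HTTP responder that checks the Auth-* request headers nginx sends and answers with the backend address nginx should proxy to. The user table, the backend IP and the listening port 9000 are constructed assumptions; only the "plain" method is handled (cram-md5, as in the first post's config, needs additional handling not shown here).

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote
import hmac

# Constructed sample data; a real deployment would query the mail user database.
USERS = {"alice@example.org": "correct horse"}
BACKEND_IP = "127.0.0.1"  # Auth-Server must be an IP address, not a hostname
# Plaintext backend ports only: the nginx mail proxy does not speak SSL to the
# backend, so returning 993/995 here makes the upstream connection fail.
BACKEND_PORT = {"imap": 143, "pop3": 110}


def decide(headers):
    """Map nginx's Auth-* request headers to the Auth-* response headers."""
    # nginx percent-encodes some characters in these two headers.
    user = unquote(headers.get("Auth-User", ""))
    password = unquote(headers.get("Auth-Pass", ""))
    proto = headers.get("Auth-Protocol", "")
    expected = USERS.get(user)
    ok = (headers.get("Auth-Method") == "plain"
          and proto in BACKEND_PORT
          and expected is not None
          and hmac.compare_digest(expected.encode(), password.encode()))
    if not ok:
        # Any Auth-Status other than "OK" is passed to the client as the error.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    return {"Auth-Status": "OK",
            "Auth-Server": BACKEND_IP,
            "Auth-Port": str(BACKEND_PORT[proto])}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The HTTP status is 200 either way; the verdict is in Auth-Status.
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *args):
        pass  # requests carry Auth-Pass, so keep them out of the access log


if __name__ == "__main__":
    # Bind to loopback only: this endpoint receives cleartext passwords.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

With this running, `auth_http localhost:9000/cgi-bin/auth;` from the first post would reach it, since the handler ignores the request path.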

auth_http script is working fine if I use POP/IMAP ports 110/143; if I
use 993/995 it’s not working.

Posted at Nginx Forum:

Hi, moorthi.

Maxim told you twice that the feature you’re asking for is unsupported.
If you really need this functionality for some reason, see here:
Re: nginx mail proxy - dovecot ssl backend.

Posted at Nginx Forum:

auth_http script and other settings are done correctly;
this is what I am getting in error.log:
upstream timed out (111: Connection timed out) while connecting to
upstream
It’s saying +OK for user in connect,
but after entering pass it’s giving the above error.

Posted at Nginx Forum:

Hello!

On Mon, Apr 14, 2014 at 03:37:05AM +0200, Shawn Za wrote:

Does this mean that from the nginx proxy to the backend, the passwords
will fly through the internet wide open if the backend is a remote
machine?

Nobody stops you from providing secure network in-between, e.g.
with ipsec or ssl tunnel.


Maxim D.
http://nginx.org/

Does this mean that from the nginx proxy to the backend, the passwords
will fly through the internet wide open if the backend is a remote
machine?

Maxim D. wrote in post #995934:

  1. SSL backends aren’t supported by nginx mail proxy; you need a
    non-SSL backend and to direct nginx to it.

BTW, looking into error_log usually helps a lot.

Maxim D.