nginx imap proxy issue with imap
mdounin at mdounin.ru
Wed Nov 12 21:40:08 MSK 2008
On Wed, Nov 12, 2008 at 05:54:43PM +0000, David Farrar wrote:
> We're using nginx to proxy imap connections across a number of backends.
> All was fine until we introduced a new backend server running dovecot
> and discovered that we were (apparently) randomly seeing an 'internal
> server error' while trying to authenticate.
> The trigger for this problem seems to be dovecot sometimes returning the
> "* OK Waiting for authentication process to respond.."
> before responding
> "+ OK" to the login command.
> Section 2.2.1 of rfc3501 states
> It is also possible for the server to send a completion
> response for some other command (if multiple commands are
> in progress), or untagged data. In either case, the
> command continuation request is still pending; the client
> takes the appropriate action for the response, and reads
> another response from the server.
> so it looks like nginx is incorrectly terminating the connection because
> it read data that it didn't expect.
Yes, it's known issue. Generally speaking - nginx expects highly
controlled behaviour from imap backend and doesn't implement all
of the RFC 3501 aspects.
> Has anybody else come across a similar situation and found a way to
> resolve the problem?
IMHO, at first you should focus on fixing your dovecot's auth -
the message you cited is only sent if there was no response from
auth server for 30 seconds. This is too many for real life.
> I guess that it should be fairly trivial to just read and ignore lines
> from the server until we find a line starting with the expected tag. I'm
> not too familiar with nginx however so I'd be very happy if anyone has a
> better fix to suggest before I look into doing that :D
I don't think this lines should be ignored - they should be
transferred to client instead. Of course this applies only to
untagged data - everything else still an error at this point and
should terminate the connection.
More information about the nginx