nginx imap proxy issue with imap

Maxim Dounin mdounin at mdounin.ru
Wed Nov 12 21:40:08 MSK 2008 

Hello!

On Wed, Nov 12, 2008 at 05:54:43PM +0000, David Farrar wrote:

> We're using nginx to proxy imap connections across a number of backends.
> All was fine until we introduced a new backend server running dovecot
>  and discovered that we were (apparently) randomly seeing an 'internal
> server error' while trying to authenticate.
> 
> The trigger for this problem seems to be dovecot sometimes returning the
> string:
> "* OK Waiting for authentication process to respond.."
> before responding
> "+ OK" to the login command.
> 
> Section 2.2.1 of rfc3501 states
> 
> 	"""
>         It is also possible for the server to send a completion
>         response for some other command (if multiple commands are
>         in progress), or untagged data.  In either case, the
>         command continuation request is still pending; the client
>         takes the appropriate action for the response, and reads
>         another response from the server.
> 	"""
> 
> so it looks like nginx is incorrectly terminating the connection because
> it read data that it didn't expect.

Yes, it's known issue.  Generally speaking - nginx expects highly 
controlled behaviour from imap backend and doesn't implement all 
of the RFC 3501 aspects.

> Has anybody else come across a similar situation and found a way to
> resolve the problem?

IMHO, at first you should focus on fixing your dovecot's auth - 
the message you cited is only sent if there was no response from 
auth server for 30 seconds.  This is too many for real life.

> I guess that it should be fairly trivial to just read and ignore lines
> from the server until we find a line starting with the expected tag. I'm
> not too familiar with nginx however so I'd be very happy if anyone has a
> better fix to suggest before I look into doing that :D

I don't think this lines should be ignored - they should be 
transferred to client instead.  Of course this applies only to 
untagged data - everything else still an error at this point and 
should terminate the connection.

Maxim Dounin

More information about the nginx mailing list