nginx imap proxy issue with imap

Maxim Dounin mdounin at mdounin.ru
Thu Nov 13 03:48:12 MSK 2008 

Hello!

On Wed, Nov 12, 2008 at 09:48:27PM -0000, David Farrar wrote:

> Hello,
> 
> Thank you for your response.
> 
> > 
> > > Has anybody else come across a similar situation and found a way to 
> > > resolve the problem?
> > 
> > IMHO, at first you should focus on fixing your dovecot's auth - the 
> > message you cited is only sent if there was no response from auth 
> > server for 30 seconds.  This is too many for real life.
> >
> 
> 
> Thank you for the tip. We do have a custom authentication script but I'd be
> looking at that instead of bugging you here if it were really taking
> anywhere near that long :D
> 
> I looked into the most recent release of dovecot and there are actually two
> conditions which can trigger that message. I don't want to spam this list
> with discussion of another software but dovecot is quite widely used so I
> guess it may interest other users of nginx if this behaviour is new or rare:
> 
> The other test checks if there is an established connection to the
> authentication process and stops processing commands if there isn't, writing
> the waiting message to tell the client that it can expect a slight pause. I
> saw the number of running authentication processes increasing and
> descreasing fairly quickly but I don't yet know how dovecot is managing its
> authentication pool so I can only guess at what's happening here without
> looking into it. 

Yes, indeed.  I'm somehow missed this possibility assuming that 
connection to devecot's auth process can't go away in the middle of 
operation - but it of course can.

[...]

> Getting back to nginx (if people are still reading) -

:)

> I'm not all that
> familiar with imap but I guess that you could safely read data until a line
> with the correct tag is encountered with running the risk of eating a
> response from some other command?

Not really - arbitrary garbage should still close the connection.  
But in most cases (not when waiting for initial greeting) we may 
safely read/skip/pass-to-client unexpected untagged responses.

> If I have to maintain an out of tree patch
> then the one liner for dovecot is looking the better option but I'd rather
> ask first if this change could be made to nginx since there are surely other
> similar situations that it would avoid.

Personally I think that this change should be made to nginx 
eventually, but I'm not Igor.

Maxim Dounin

More information about the nginx mailing list