Configuring nginx as mail proxy

Laurent Bonetto lbonetto at kenzanmedia.com
Thu Oct 25 01:33:29 UTC 2012


Maxime,

Thanks so much. This was the key:
> Note that this must be an IP address, not a hostname.
My mail server was passing me a hostname, which nginx passed to the authenticate service. I had assumed it was fine to return a hostname.
Returning the IP instead did the trick.

I have now the proxy working inbound and outbound.

Much appreciated also your clarifications regarding the low open file resource and server_name.

You were of a big help today.

Laurent

On Oct 24, 2012, at 6:54 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
> 
> On Wed, Oct 24, 2012 at 05:38:29PM -0400, Laurent Bonetto wrote:
> 
>> I did understand you meant to change the number of 
>> worker_connections. The only reason why I had lowered it was 
>> that I got a warning:
>> nginx: [warn] 1024 worker_connections exceed open file resource limit: 256
> 
> This indicate that you have very low open file resource limit set.  
> Easiest way to fix this is to use worker_limit_nofile nginx 
> configuration directive, see here:
> 
> http://nginx.org/r/worker_limit_nofile
> 
> Of course tuning your OS and/or using ulimit will do the trick as 
> well.  Using worker_connections set to something like 128 will 
> help as well, but it's just to low for any real work and may be 
> only used for testing.
> 
>> After pointing my mail client to localhost, I was finally able 
>> to see nginx hit my mock for an authentication request so there 
>> is definitely some progress! Unfortunately, the proxying is 
>> still not working. More precisely:
>> 
>> nginx hits my authenticate mock server with:
>> Host: localhost
>> Auth-User: <my user name>
>> Auth-Pass: <my password>
>> Auth-Protocol: pop3
>> Auth-Login-Attempt: 1
>> Client-IP: 192.168.1.104
>> - If my mock responds with
>> < HTTP/1.1 200 OK
>> < Content-Type: text/html
>> < Auth-Status: Invalid login or password
>> < Auth-Wait: 3
>> < Content-Length: 0
>> Then my mail client tells me that I have the incorrect username or password, as expected.
>> 
>> - However, if my mock responds with:
>> < Auth-Status: OK
>> < Auth-Server: <my mail server>
>> < Auth-Port: 110
>> The the mail client responds with an internal server error.
>> I added the Auth-Pass (which should not be needed anyway) in the 
>> response and that didn't help.
> 
> Do you return response without http response line, i.e. 
> "HTTP/1.1 200 OK"?
> 
> What's exactly in the Auth-Server header returned?  Note that this 
> must be an IP address, not a hostname.
> 
>> Since I didn't see any error in the error.log from nginx I used 
>> wireshark to monitor traffic. I filtered on tcp.port eq 110 and 
>> compared side by side the traffic coming from an account using a 
>> direct connection to my mail server, and an account going 
>> through the nginx proxy. In the second case (through proxy), I 
>> do not see any traffic going out to my mail server, suggesting 
>> it does not get the info it was expecting from my authentication 
>> service.
>> 
>> - Can you think of something I am missing?
>> - How do I even go about debugging what's happening here apart 
>> from what I am already doing (using wireshark)?
> 
> Appropriate errors should be logged by nginx into error log.  I 
> would suggests there should be something like
> 
> 2012/10/25 02:29:10 [error] 64793#0: *1 auth http server 127.0.0.1:8081 sent invalid server address:"foobar" while in http auth state ...
> 
> this time.  It's strange you don't see anything.
> 
> Detailed debug information may be obtained using debug log, see 
> http://nginx.org/en/docs/debugging_log.html.
> 
> [...]
> 
>>  mail {      
>>  # I assume server_name comes from Auth-Server so I tried commenting out. Same behavior.
>>    server_name       <my mail server>; 
> 
> Just a side note: server_name is needed mostly to present 
> something to a client when it connects, see here:
> 
> http://nginx.org/en/docs/mail/ngx_mail_core_module.html#server_name
> 
> It can't be from Auth-Server as it's only available later, after 
> auth http service request.  It should be safe to omit it though, 
> machine hostname will be used by default.
> 
> [...]
> 
> -- 
> Maxim Dounin
> http://nginx.com/support.html
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx



More information about the nginx mailing list