mail-proxy, ssl and line termination

Igor Grabin dem0n at ntn.tv
Thu Oct 25 07:07:38 UTC 2012


Good morning,

Maybe I'm posting this to the wrong place; nginx-devel@ rejected
this.

any pointers appreciated :-)

the setup...
 1 nginx frontend, pop3 / pop3s / imap / imaps
 2 backends, dovecot + ms-exchange.

the problem:
 pop3s / imaps connections being forwarded to exchange (in other
words, decapsulated from ssl) stall after login.
 otherwise, all types of connections work fine, i.e.
 nginx:pop3s -> dovecot:pop3, nginx:pop3 -> exchange:pop3

tested on 1.2.4 as bundled with ubuntu 10.10, and 1.3.7, compiled by
hand.

I did a bit of tracing and have an assumption: nginx doesn't put the
'\r' in the first statement of an ssl-decapsulated session.
Here's a sample (captured between nginx and a backend). This may
upset redmond-based products ;-).

$ hexdump -c inflow.imap.good ( nginx:imap -> exchange:imap)
0000000   1       L   O   G   I   N       {   9   }  \r  \n   c   a c
0000010   o   d   e   m   o   n       {   7   }  \r  \n   X   X   X X
0000020   X   X   X  \r  \n   2       s   e   l   e   c   t       i n
0000030   b   o   x  \r  \n   3       l   o   g   o   u   t  \r  \n

$ hexdump -c inflow.imap.bad (nginx:imaps -> exchange:imap)
0000000   1       L   O   G   I   N       {   9   }  \r  \n   c   a c
0000010   o   d   e   m   o   n       {   7   }  \r  \n   X   X   X X
0000020   X   X   X  \r  \n   2       s   e   l   e   c   t       i n
0000030   b   o   x  \n

same goes for pop3 in the same direction - missing '\r' after 'list'
command.

unfortunately, my C skills suck, so I'm unable to propose a patch.

full config-file below
===
user  nginx;
worker_processes  1;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;
}
mail {
    auth_http  127.0.0.1:80/mailauth.pl;
    auth_http_header X-NGX-Auth-Key "censored :-)";
    proxy on;
    ssl_certificate_key     /etc/nginx/ssl/cert.pem;
    ssl_certificate         /etc/nginx/ssl/cert.pem;
    ssl_session_timeout     5m;

    server {
        protocol pop3;
        ssl on;
        listen 1.2.3.4:995;
        listen 192.168.1.1:995;
    }

    server {
        listen 1.2.3.4:993;
        listen 192.168.1.1:993;
        protocol imap;
        ssl on;
    }

    imap_auth plain login;
    pop3_auth plain;
}

tia for any pointers,
-- 
Igor "CacoDem0n" Grabin, http://violent.death.kiev.ua/
