Authorization identity for IMAP proxy

Sylvain Amrani sylvain.amrani at
Tue Dec 17 10:06:19 UTC 2019

Hi list,

IMAP servers (Dovecot, Cyrus...) rely on SASL authentication.

The SASL specs let the client request a different identity than the one
used for authentication.

RFC 3501 says: The authorization identity passed from the client to the
server during the authentication exchange is interpreted by the server as
the user name whose privileges the client is requesting.

Dovecot proxy and Cyrus frontends in murder architecture use this to
authenticate with an admin account and request a user identity. It's very
useful to authenticate via proxies without knowing the user's password.

Is there a way to let NGINX use different identification and authentication
ids to authenticate to the remote IMAP server? I can't figure out what to
put in the AUTH-* headers to do that.
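
The following is an added example, not part of the original post and not nginx configuration: it shows how the two identities travel in one SASL exchange and the check a backend has to make before honouring the requested identity. It assumes the SASL PLAIN mechanism (RFC 4616), which the post does not name; the account names, the password and the `proxy_admins` set are constructed for illustration.

```python
import base64

class SaslPlainError(ValueError):
    """The PLAIN response does not match RFC 4616."""

def encode_plain(authzid, authcid, password):
    # Client side: message = [authzid] NUL authcid NUL passwd, then base64.
    if any("\x00" in f for f in (authzid, authcid, password)):
        raise SaslPlainError("NUL is the field separator and cannot appear in a field")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(b64_response):
    # Server side: strict base64 and UTF-8, exactly three fields.
    try:
        fields = base64.b64decode(b64_response, validate=True).decode("utf-8").split("\x00")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise SaslPlainError("malformed PLAIN response") from exc
    # authcid and passwd must be non-empty; authzid may be empty.
    if len(fields) != 3 or not fields[1] or not fields[2]:
        raise SaslPlainError("expected authzid NUL authcid NUL passwd")
    return tuple(fields)

def granted_identity(authzid, authcid, proxy_admins):
    # Call only after authcid's password has been verified.
    # An empty authzid means "act as the identity I authenticated with".
    if authzid in ("", authcid):
        return authcid
    # Only explicitly listed proxy accounts may request another user's privileges.
    if authcid in proxy_admins:
        return authzid
    raise PermissionError(f"{authcid!r} may not act as {authzid!r}")

if __name__ == "__main__":
    ADMINS = {"proxyadmin"}  # constructed allow-list of proxy accounts
    resp = encode_plain("alice@example.org", "proxyadmin", "constructed-secret")
    authzid, authcid, _ = decode_plain(resp)
    print(resp)
    print(granted_identity(authzid, authcid, ADMINS))
```
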
