Hi, my name is Ricardo,
I'm here to ask for help about an implementation of POP3/IMAP and SMTP proxy
functionality with nginx; I want to implement a "cluster" with those
functionalities.
Considerations
- All nodes/machines are virtualized (VMs).
- All nodes/machines are configured with 600 MB of RAM.
- All nodes/machines are based on the 64-bit CentOS 7 distro.
- Nginx version included in CentOS 7: nginx-1.6.2-4.el7.x86_64
Scenario
My scenario is as follows:
- 1 server as proxy with IMAP/POP/IMAPS/POP3S/SMTP and SMTPS enabled. This
  will be proxy-n1.ine.mx with IP address 192.168.122.170.
- 1 server as DNS with name master.ife.org.mx. This is the DNS server for
  the solution; the IP address for this host is 192.168.122.85.
- 1 server as LDAP with name ldap.ife.org.mx. This is the "directory
  server" for my users. The IP address assigned to this host is
  192.168.122.30.
- 2 mail servers with postfix configured. The name of the first node is
  correo-n1.ine.mx with IP address 192.168.122.98, and the name of the
  second node is correo-n2.ine.mx with IP address 192.168.122.78. Both of
  them run postfix 2.10 and dovecot 2.2.10 with SMTP/SMTPS, POP3/POP3S and
  IMAP/IMAPS enabled.
- 1 client with Windows 7 Starter with Outlook. The objective of this VM is
  to connect to the proxy solution and get normal functionality. (I would
  like to mention that this is the first phase/stage.)
Goal
- This first phase is to establish email flow functionality with an
  authentication mechanism, with one proxy server and one email server.
Done Activities
- The proxy nodes have been configured to support IMAP/POP/IMAPS/POP3S/SMTP
  and SMTPS. I paste the configuration for better understanding:
-------------------------------- /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log debug;
error_log /var/log/nginx/error.log notice;
error_log /var/log/nginx/error.log info;
error_log /var/log/nginx/error.log error;
pid /run/nginx.pid;

events {
    worker_connections 10240;
    debug_connection 192.168.122.0/24;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    proxy_buffering on;
    proxy_buffer_size 8k;
    proxy_buffers 2048 8k;
    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;
    #gzip on;
    index index.html index.htm;
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80 default_server;
        server_name localhost;
        root /usr/share/nginx/html;
        include /etc/nginx/default.d/*.conf;
        location / {
            index index.html index.htm index.php;
        }
        error_page 404 /404.html;
        location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }
    }
}
mail {
    server_name proxy-n1.ine.mx;
    # apache external backend
    auth_http 192.168.122.170:80/correo-proxy-auth/index.php;
    xclient on;
    proxy on;
    proxy_pass_error_message on;
    imap_auth plain login cram-md5;
    pop3_auth plain apop cram-md5;
    smtp_auth plain login cram-md5;
    # capability name is LITERAL+ (no space), as advertised by IMAP servers
    imap_capabilities "IMAP4" "IMAP4rev1" "UIDPLUS" "IDLE" "LITERAL+" "QUOTA";
    pop3_capabilities "LAST" "TOP" "USER" "PIPELINING" "UIDL";
    smtp_capabilities "PIPELINING" "SIZE 10240000" "VRFY" "ETRN"
                      "ENHANCEDSTATUSCODES" "8BITMIME" "DSN";
    ssl_session_cache shared:MAIL:10m;
    ssl_certificate /etc/nginx/ssl_keys/cert_primario.cer;
    ssl_certificate_key /etc/nginx/ssl_keys/www-key.pem;
    ssl_session_timeout 5m;
    # Note: SSLv2 and SSLv3 are deprecated, and this cipher list still admits
    # LOW and EXPORT grades; it is the old wiki example and should be tightened.
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    server {
        listen 143;
        protocol imap;
        starttls on;
        auth_http_header X-Auth-Port 143;
        auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
    }
    server {
        protocol pop3;
        listen 110;
        starttls on;
        pop3_auth plain;
        auth_http_header X-Auth-Port 110;
        auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
    }
    server {
        listen 993;
        ssl on;
        protocol imap;
        auth_http_header X-Auth-Port 993;
        auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
    }
    server {
        protocol pop3;
        listen 995;
        ssl on;
        pop3_auth plain;
        auth_http_header X-Auth-Port 995;
        auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
    }
    server {
        listen 25;
        protocol smtp;
        auth_http_header X-Auth-Port 25;
        auth_http_header User-Agent "Nginx SMTP/SMTPS proxy";
        timeout 12000;
    }
    server {
        listen 465;
        protocol smtp;
        auth_http_header X-Auth-Port 465;
        auth_http_header User-Agent "Nginx SMTP/SMTPS proxy";
        ssl on;
    }
    server {
        listen 587;
        protocol smtp;
        auth_http_header X-Auth-Port 587;
        auth_http_header User-Agent "Nginx SMTP/SMTPS proxy";
        starttls on;
    }
}
-------------------------------- end file /etc/nginx/nginx.conf
- Auth logic has been written: I wrote all the logic for the auth process,
  which is specified in the mail module of nginx:
  auth_http 192.168.122.170:80/correo-proxy-auth/index.php;
  /usr/share/nginx/html/correo-proxy-auth/index.php
  The content of the index.php script is as follows:
<?php
include './class/connect.php';
include './class/auth.php';
include './class/serverEmail.php';

$a = new Auth();
$e = new EmailConnect();

// based on the examples provided on the nginx wiki
// @_http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
$user     = $_SERVER["HTTP_AUTH_USER"];
$password = $_SERVER["HTTP_AUTH_PASS"];
$protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];      // This is the protocol being proxied
$auth     = $_SERVER['HTTP_AUTH_METHOD'];        // The authentication mechanism
// Need the salt to encrypt the cleartext password, used for some authentication
// mechanisms (nginx only sends Auth-Salt for apop/cram-md5, so guard the index)
$salt     = isset($_SERVER['HTTP_AUTH_SALT']) ? $_SERVER['HTTP_AUTH_SALT'] : null;
$attempt  = (int) $_SERVER['HTTP_AUTH_LOGIN_ATTEMPT']; // The number of attempts needs to be an integer
$ipclient = $_SERVER['HTTP_CLIENT_IP'];          // It's the IP number of the user's client.
$hostname = $_SERVER['HTTP_CLIENT_HOST'];        // It's the hostname of the user's client.
$maxattempts = 3;

#$user="ricardo.carrillo";
#$password="r3dh4t";
#$protocol="imap";
#$auth="plain";

if (isset($user) && isset($password)) {   // both headers must be present
    if (!$a->authUser($user, $password)) {
        // set message just in case the provided password or user are wrong.
        $a->setFail();
    } else {
        // set the server configuration and redirect to it.
        $getMailHost = $e->getMailHost($user);
        $getProtocol = $e->getProtocol($protocol);
        $getMailServ = $e->getMailServer($user);
        #print "$getMailHost $getProtocol $getMailServ $user $password";
        $e->setStatusPass($getMailServ, $getProtocol, $user, $password);
    }
} else {
    // set message just in case the password or login are missing.
    $a->setFail();
}
?>
-------------------------------- end file /usr/share/nginx/html/correo-proxy-auth/index.php
This script just returns the data to be passed to nginx as headers.
a) I get the mailhost from the LDAP user (mailhost: correo-n1.ine.mx)
   $getMailHost = $e->getMailHost($user);
b) I get the email protocol to be proxied.
   $getProtocol = $e->getProtocol($protocol);
c) I get the mail server assigned to my LDAP user (I get this from
   ldap.ife.org.mx)
   $getMailServ = $e->getMailServer($user);
   #print "$getMailHost $getProtocol $getMailServ $user $password";
d) I pass the data obtained above to generate the nginx headers
   $e->setStatusPass($getMailServ,$getProtocol,$user,$password);
- I have activated debugging mode in nginx but it does not work as
  expected, I could not
The problem
When I sign in from the Windows machine with Outlook to the proxy-n1.ine.mx
node, I always get a message in the logs as follows:
2015/03/11 10:59:21 [debug] 1983#0: *8 http fastcgi header: "Status: 500 Internal Server Error"
and I do not see any connections to my correo-n1.ine.mx, I just see
connections to the proxy-n1.ine.mx node.
I have searched on the web and not many solutions are provided, but the few
solutions found are related to the "auth process problem" and that's it.
Today I found that the "Status: 500 Internal Server Error" is generated for
the following causes:
1. Hard disk space is full
2. Nginx configuration file errors (tuning -open files, limits.conf etc.-,
   concurrency settings, etc. etc.)
3. Auth process (own auth module)
Other messages that I see in my logs are as follows:
a) Resource temporarily unavailable
2015/03/11 10:59:21 [debug] 1983#0: *8 recv() not ready (11: Resource temporarily unavailable)
2015/03/11 10:59:21 [debug] 1983#0: *8 recv() not ready (11: Resource temporarily unavailable)
2015/03/11 10:59:21 [debug] 1983#0: *8 recv() not ready (11: Resource temporarily unavailable)
2015/03/11 10:59:21 [debug] 1983#0: *8 recv() not ready (11: Resource temporarily unavailable)
I guess those debug messages refer to whether I have a load balancing
configuration or something like that.
b) auth http server <IP>:80 did not send server or port while in http auth state, client: , server: :25, login: ""
2015/03/11 09:38:49 [error] 3399#0: *30 auth http server 192.168.122.170:80 did not send server or port while in http auth state, client: 192.168.122.1, server: 0.0.0.0:25, login: "ricardo.carrillo"
2015/03/11 09:38:49 [error] 3399#0: *30 auth http server 192.168.122.170:80 did not send server or port while in http auth state, client: 192.168.122.1, server: 0.0.0.0:25, login: "ricardo.carrillo"
According to the "Mastering Nginx" book from Dimitri A., this error is
caused by "the authentication query is not successfully answered for any
reason" (page 62).
I quote a paragraph from the book:
"If the authentication query is not successfully answered for any reason,
the connection is terminated. NGINX doesn't know to which upstream the
client should be proxied, and thereby closes the connection with an Internal
server error with the protocol-specific response code."
But it does not offer any solution or clue to solve that.
For all the above, I ask for your help. I have already searched and spent a
lot of time trying to solve the problem, but I could not make my email
solution work.
Could you help me to solve this problem?
Regards,
Ricardo Carrillo.
P.D.: Sorry for the format, but the forum system does not support HTML or
any post formatting settings.
Posted at Nginx Forum:
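The following is an added example, not part of Ricardo's post or of his PHP classes: a minimal auth_http backend in Python that answers nginx's authentication query with the response headers the mail module reads, together with a check that mirrors the "did not send server or port while in http auth state" condition from the error log above. The user directory, the passwords, the attempt limit and the listen port 9000 are constructed for the example (the mailhost names and IPs are the ones given in the post, the limit of 3 is the script's $maxattempts). Auth-Server is returned as an IP address, which is what the nginx auth_http documentation shows; the protocol-to-port map sends the backend the plain-text port, since nginx speaks plain IMAP/POP3/SMTP to the upstream even when the client used TLS.

```python
"""Minimal nginx mail auth_http backend (added example, not the post's code).

nginx sends one GET per login with request headers such as Auth-User,
Auth-Pass, Auth-Protocol, Auth-Method, Auth-Login-Attempt and Client-IP, and
reads these response headers:
  Auth-Status: OK             -> proxy the connection; anything else is an error
  Auth-Server: <backend IP>   -> required together with Auth-Port when status is OK
  Auth-Port:   <backend port>
  Auth-Wait:   <seconds>      -> on failure, delay before the client may retry
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import hmac

MAX_ATTEMPTS = 3  # same limit as $maxattempts in the post's index.php

# Constructed sample directory standing in for the LDAP lookup (hypothetical
# passwords; the mailhost names and IPs are those described in the post).
USER_DIRECTORY = {
    "ricardo.carrillo": {"password": "example-password", "mailhost": "correo-n1.ine.mx"},
    "otro.usuario": {"password": "another-password", "mailhost": "correo-n2.ine.mx"},
}
MAILHOST_IPS = {
    "correo-n1.ine.mx": "192.168.122.98",
    "correo-n2.ine.mx": "192.168.122.78",
}
# Backend port per proxied protocol. nginx talks plain IMAP/POP3/SMTP to the
# backend even when the client connected with TLS, so these are the plain ports.
BACKEND_PORTS = {"imap": 143, "pop3": 110, "smtp": 25}


def authenticate(headers):
    """Build the auth_http response headers for one nginx authentication query.

    `headers` maps request header names (any case) to values. Returns a dict
    of response headers; on failure it carries a non-OK Auth-Status and Auth-Wait.
    """
    h = {k.lower(): v for k, v in headers.items()}
    user = h.get("auth-user", "")
    password = h.get("auth-pass", "")
    protocol = h.get("auth-protocol", "").lower()
    method = h.get("auth-method", "plain").lower()
    try:
        attempt = int(h.get("auth-login-attempt", "1"))
    except ValueError:
        attempt = 1

    def fail(reason):
        return {"Auth-Status": reason, "Auth-Wait": "3"}

    if attempt > MAX_ATTEMPTS:
        return fail("Too many login attempts")
    if method in ("apop", "cram-md5"):
        # These need the stored cleartext password and Auth-Salt; not handled here.
        return fail("Unsupported authentication method")
    if protocol not in BACKEND_PORTS:
        return fail("Unsupported protocol")
    entry = USER_DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return fail("Invalid login or password")
    return {
        "Auth-Status": "OK",
        "Auth-Server": MAILHOST_IPS[entry["mailhost"]],  # an IP address, not a hostname
        "Auth-Port": str(BACKEND_PORTS[protocol]),
    }


def nginx_accepts(response):
    """Mirror the check behind nginx's 'did not send server or port while in
    http auth state' error. Returns (proxied, reason)."""
    status = response.get("Auth-Status")
    if status is None:
        return (False, "no Auth-Status header")
    if status != "OK":
        return (False, status)
    if not response.get("Auth-Server") or not response.get("Auth-Port"):
        return (False, "did not send server or port")
    return (True, "OK")


class AuthHandler(BaseHTTPRequestHandler):
    """HTTP front for authenticate(); point auth_http at 127.0.0.1:9000/auth."""

    def do_GET(self):
        response = authenticate(dict(self.headers.items()))
        self.send_response(200)  # nginx reads only the Auth-* headers
        for name, value in response.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, fmt, *args):  # keep credentials out of stdout
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

To wire it in, the mail block would use `auth_http 127.0.0.1:9000/auth;` instead of the PHP script; nginx_accepts() is the self-check to run against whatever the backend returns before pointing nginx at it, since an OK status without both Auth-Server and Auth-Port is exactly the case that produces the error logged above.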