Internal Server Error messages nginx proxy POP/IMAP/SMTP

Hi, my name is Ricardo,

I’m here to ask for help about an implementation of pop3/imap and smtp
proxy functionality with nginx, I want to implement a “cluster” with
those functionalities.

Consideration

  • All nodes/machines are virtualized (VM).
  • All nodes/machines are configured with 600MB of RAM memory.
  • All nodes/machines are based on 64 bits CentOS 7 distro.
  • Nginx version included into CentOS 7, nginx-1.6.2-4.el7.x86_64

Scenario

My scenario is as follows:

  • 1 Server as proxy with IMAP/POP/IMAPS/POP3S/SMTP and SMTPS enabled.
    This will be proxy-n1.ine.mx with IP address 192.168.122.170.
  • 1 Server as DNS with name master.ife.org.mx. This is the dns server
    for the solution, the IP address for this host is 192.168.122.85
  • 1 Server as LDAP with name ldap.ife.org.mx. This is the “directory
    server” for my users. The IP address assigned to this host is
    192.168.122.30
  • 2 Mail servers with postfix configured. The name for the first node
    is correo-n1.ine.mx with IP address 192.168.122.98 and the name for
    the second node is correo-n2.ine.mx with IP address 192.168.122.78.
    Both of them with postfix 2.10 and dovecot 2.2.10 with SMTP/SMTPS
    POP3/POP3S and IMAP/IMAPS enabled.
  • 1 client with Windows 7 Starter with Outlook. The objective of this
    VM is to connect to the proxy solution and function and to get
    normal functionality. (I would like to mention that this is the
    first phase/stage)

Goal

  • This first phase is to establish email flow functionality with an
    authenticated mechanism with one proxy server and one email server.

Done Activities

  • The proxy nodes have been configured to support
    IMAP/POP/IMAPS/POP3S/SMTP and SMTPS, I paste the configuration for
    better understanding:

-------------------------------- /etc/nginx/nginx.conf

user nginx;
worker_processes 1;
worker_rlimit_nofile 65535;

error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log debug;
error_log /var/log/nginx/error.log notice;
error_log /var/log/nginx/error.log info;
error_log /var/log/nginx/error.log error;

pid /run/nginx.pid;

events {
worker_connections 10240;
debug_connection 192.168.122.0/24;
multi_accept on;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 2048 8k;
access_log  /var/log/nginx/access.log  main;
sendfile        on;
keepalive_timeout  65;
#gzip  on;
index   index.html index.htm;
include /etc/nginx/conf.d/*.conf;
server {
    listen       80 default_server;
    server_name  localhost;
    root         /usr/share/nginx/html;
    include /etc/nginx/default.d/*.conf;
    location / {
            index index.html index.htm index.php;
    }
    error_page  404              /404.html;
    location = /40x.html {
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index  index.php;
        include        fastcgi_params;
    }
}

}
mail {
server_name proxy-n1.ine.mx;
# apache external backend
auth_http 192.168.122.170:80/correo-proxy-auth/index.php;
xclient on;
proxy on;
proxy_pass_error_message on;
imap_auth plain login cram-md5;
pop3_auth plain apop cram-md5;
smtp_auth plain login cram-md5;
imap_capabilities "IMAP4" "IMAP4rev1" "UIDPLUS" "IDLE" "LITERAL +" "QUOTA";
pop3_capabilities "LAST" "TOP" "USER" "PIPELINING" "UIDL";
smtp_capabilities "PIPELINING" "SIZE 10240000" "VRFY" "ETRN" "ENHANCEDSTATUSCODES" "8BITMIME" "DSN";
ssl_session_cache shared:MAIL:10m;
ssl_certificate /etc/nginx/ssl_keys/cert_primario.cer;
ssl_certificate_key /etc/nginx/ssl_keys/www-key.pem;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

server {
  listen      143;
  protocol    imap;
  starttls    on;
  auth_http_header X-Auth-Port 143;
  auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}

server {
  protocol    pop3;
  listen      110;
  starttls    on;
  pop3_auth   plain;
  auth_http_header X-Auth-Port 110;
  auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}

server {
  listen      993;
  ssl         on;
  protocol    imap;
  auth_http_header X-Auth-Port 993;
  auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}

server {
  protocol    pop3;
  listen      995;
  ssl         on;
  pop3_auth   plain;
  auth_http_header X-Auth-Port 995;
  auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}

server {
listen 25;
protocol smtp;
auth_http_header X-Auth-Port 25;
auth_http_header User-Agent "Nginx SMTP/SMTPS proxy";
timeout 12000;
}

server {
  listen 465;
  protocol smtp;
  auth_http_header X-Auth-Port 465;
  auth_http_header User-Agent "Nginx SMTP/SMTPS proxy";
  ssl on;
}

server {
  listen 587;
  protocol smtp;
  auth_http_header X-Auth-Port 587;
  auth_http_header User-Agent "Nginx SMTP/SMTPS proxy";
  starttls on;
}

}
-------------------------------- end file /etc/nginx/nginx.conf

  • Auth logic has been written: I wrote all the logic for the auth
    process, this is specified in the mail module from nginx:

auth_http 192.168.122.170:80/correo-proxy-auth/index.php;


/usr/share/nginx/html/correo-proxy-auth/index.php

The content of index.php script is as follows:

<?php
include './class/connect.php';
include './class/auth.php';
include './class/serverEmail.php';

$a = new Auth();
$e = new EmailConnect();

// based on the examples provided on nginx wiki
// http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
$user     = $_SERVER["HTTP_AUTH_USER"];
$password = $_SERVER["HTTP_AUTH_PASS"];
$protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];      // This is the protocol being proxied
$auth     = $_SERVER['HTTP_AUTH_METHOD'];        // The authentication mechanism
$salt     = $_SERVER['HTTP_AUTH_SALT'];          // Need the salt to encrypt the cleartext password, used for some authentication mechanisms
$attempt  = $_SERVER['HTTP_AUTH_LOGIN_ATTEMPT']; // The number of attempts needs to be an integer
$ipclient = $_SERVER['HTTP_CLIENT_IP'];          // It's the IP number from users client.
$hostname = $_SERVER['HTTP_CLIENT_HOST'];        // It's the hostname from users client.
$maxattempts = 3;

#$user="ricardo.carrillo";
#$password="r3dh4t";
#$protocol="imap";
#$auth="plain";

// both the user and the password must be present before trying to authenticate
if (isset($user) && isset($password)) {
    if (!$a->authUser($user, $password)) {
        // set message just in case if the provided password or user are wrong.
        $a->setFail();
    } else {
        // set the server configuration and redirecting to it.
        $getMailHost = $e->getMailHost($user);
        $getProtocol = $e->getProtocol($protocol);
        $getMailServ = $e->getMailServer($user);
        #print "$getMailHost $getProtocol $getMailServ $user $password\
        $e->setStatusPass($getMailServ, $getProtocol, $user, $password);
    }
} else {
    // set message just in case if the provided password or login are wrong.
    $a->setFail();
}
?>

-------------------------------- end file
/usr/share/nginx/html/correo-proxy-auth/index.php

This script just returns the data to be passed to nginx headers.

a) I get the mailhost from the ldap user (mailhost: correo-n1.ine.mx)

        $getMailHost = $e->getMailHost($user);

b) I get the email protocol to be proxied.

        $getProtocol = $e->getProtocol($protocol);

c) I get the mail server assigned to my ldap user (I get this from the
ldap.ife.org.mx)

        $getMailServ = $e->getMailServer($user);
        #print "$getMailHost $getProtocol $getMailServ $user $password

d) I pass the data obtained above to generate nginx headers

        $e->setStatusPass($getMailServ,$getProtocol,$user,$password);

  • I have activated debugging mode in nginx but it does not work as
    expected, I could not

The problem

At the moment of signing in with the Windows machine with Outlook to the
proxy-n1.ine.mx node, I always get a message in the logs as follows:

2015/03/11 10:59:21 [debug] 1983#0: *8 http fastcgi header: "Status: 500 Internal Server Error"

and I do not see any connections to my correo-n1.ine.mx, just see
connections to the proxy-n1.ine.mx node.

I have searched on the web and not many solutions are provided, but the
few solutions found are related to the “auth process problem” and that’s
it. Today I found that the “Status: 500 Internal Server error” is
generated by the following causes:

1. Hard disk space is full
2. Nginx configuration file errors (tuning -open files, limits.conf
   etc.-, concurrency settings, etc. etc.)
3. Auth process (own auth module)

Other messages that I see in my logs are as follows:

a) Resource temporarily unavailable

        2015/03/11 10:59:21 [debug] 1983#0: *8 recv() not ready (11: Resource temporarily unavailable)
        2015/03/11 10:59:21 [debug] 1983#0: *8 recv() not ready (11: Resource temporarily unavailable)
        2015/03/11 10:59:21 [debug] 1983#0: *8 recv() not ready (11: Resource temporarily unavailable)
        2015/03/11 10:59:21 [debug] 1983#0: *8 recv() not ready (11: Resource temporarily unavailable)

I guess those debug messages refer to whether I have a load balancing
configuration or something like that.

b) auth http server <IP>:80 did not send server or port while in http
auth state, client: , server: :25, login: ""

        2015/03/11 09:38:49 [error] 3399#0: *30 auth http server 192.168.122.170:80 did not send server or port while in http auth state, client: 192.168.122.1, server: 0.0.0.0:25, login: "ricardo.carrillo"
        2015/03/11 09:38:49 [error] 3399#0: *30 auth http server 192.168.122.170:80 did not send server or port while in http auth state, client: 192.168.122.1, server: 0.0.0.0:25, login: "ricardo.carrillo"

According to the “Mastering Nginx” book from Dimitri A., this error is
caused by “the authentication query is not successfully answered for any
reason” (page 62)

I quote a paragraph from the book:

“If the authentication query is not successfully answered for any
reason, the connection is terminated. NGINX doesn’t know to which
upstream the client should be proxied, and thereby closes the connection
with an Internal server error with the protocol-specific response code.”

But it does not offer any solution or clue to solve that.

For all the above, I ask for your help. I have already searched and
spent a lot of time trying to solve the problem, but I could not make my
email solution work.

Could you help me to solve this problem?

Regards
Ricardo Carrillo.

P.S.: Sorry for the format, but the forum system does not support html
or any post formatted setting.

Posted at Nginx Forum:

On Wed, Mar 11, 2015 at 03:16:51PM -0400, dominus.ceo wrote:

Hi there,

It sounds like one problem you have is the auth_http request not getting
the expected response.

See the example at Module ngx_mail_auth_http_module, and try making the
request manually and seeing what exact response comes back.

auth_http  192.168.122.170:80/correo-proxy-auth/index.php;

What response do you get from this: ?

curl -H "Auth-Method: plain" \
     -H "Auth-User: ricardo.carrillo" \
     -H "Auth-Pass: r3dh4t" \
     -H "Auth-Protocol: imap" \
     -H "Auth-Login-Attempt: 1" \
     -i http://192.168.122.170:80/correo-proxy-auth/index.php

Add whatever other header name/value pairs you need for one successful
login.

Until that replies with the expected response, none of your mail side of
things will work.

f

Francis D.

Actually I already did that, and I got the next answer:

[root@proxy-n1 ~]# curl -H "Auth-Method: plain" \
    -H "Auth-User: ricardo.carrillo" \
    -H "Auth-Pass: r3dh4t" \
    -H "Auth-Protocol: imap" \
    -H "Auth-Login-Attempt: 1" \
    -i http://192.168.122.170:80/correo-proxy-auth/index.php
HTTP/1.1 500 Internal Server Error
Server: nginx/1.6.2
Date: Wed, 11 Mar 2015 23:18:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16

but the error logs are not very descriptive.

Posted at Nginx Forum:

On Wed, Mar 11, 2015 at 07:24:17PM -0400, dominus.ceo wrote:

Hi there,

Date: Wed, 11 Mar 2015 23:18:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.16

but the error logs are not very descriptive.

That says that nginx is sending the request to php, which is a good
start.

Temporarily replace the index.php file with one which just does

print_r($_SERVER)

and see what it shows when you make the same manual request. Your
objective is to see that the nginx/php integration is working.

If that request does give a sensible response, then you will want to
look more closely at your original index.php. If it does not give a
sensible response, then look more closely at what nginx sends to the php
(fastcgi) server.

f

Francis D.

Thanks in advance.

The php nginx integration already worked fine, but your idea is good to
know what else is obtained with the manual request. I put the result of
the execution:

168.122.170:80/correo-proxy-auth/auth.php

* About to connect() to 192.168.122.170 port 80 (#0)
* Trying 192.168.122.170...
* Connected to 192.168.122.170 (192.168.122.170) port 80 (#0)

< HTTP/1.1 200 OK
< Server: nginx/1.6.2
< Date: Thu, 12 Mar 2015 15:46:11 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.4.16
<
Array
(
[USER] => apache
[HOME] => /usr/share/httpd
[FCGI_ROLE] => RESPONDER
[PATH_TRANSLATED] =>
/usr/share/nginx/html/correo-proxy-auth/auth.php
[QUERY_STRING] =>
[REQUEST_METHOD] => GET
[CONTENT_TYPE] =>
[CONTENT_LENGTH] =>
[SCRIPT_NAME] => /correo-proxy-auth/auth.php
[REQUEST_URI] => /correo-proxy-auth/auth.php
[DOCUMENT_URI] => /correo-proxy-auth/auth.php
[DOCUMENT_ROOT] => /usr/share/nginx/html
[SERVER_PROTOCOL] => HTTP/1.1
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_SOFTWARE] => nginx/1.6.2
[REMOTE_ADDR] => 192.168.122.170
[REMOTE_PORT] => 39783
[SERVER_ADDR] => 192.168.122.170
[SERVER_PORT] => 80
[SERVER_NAME] => localhost
[REDIRECT_STATUS] => 200
[HTTP_USER_AGENT] => curl/7.29.0
[HTTP_ACCEPT] => */*
[HTTP_HOST] => 192.168.122.170
[HTTP_AUTH_METHOD] => plain
[HTTP_AUTH_USER] => ricardo.carrillo
[HTTP_AUTH_PASS] => r3dh4t
[HTTP_AUTH_PROTOCOL] => imap
[HTTP_AUTH_LOGIN_ATTEMPT] => 1
[HTTP_CLIENT_IP] => 192.168.122.1
[PHP_SELF] => /correo-proxy-auth/auth.php
[REQUEST_TIME_FLOAT] => 1426175171.8848
[REQUEST_TIME] => 1426175171
)

* Connection #0 to host 192.168.122.170 left intact

The response is OK, so the problem certainly is in the auth logic
(index.php script).

Posted at Nginx Forum:

On Thu, Mar 12, 2015 at 07:25:09PM -0400, dominus.ceo wrote:

upstream timed out (110: Connection timed out) while connecting to
upstream, client: 192.168.122.1, server: 0.0.0.0:143, login:
"ricardo.carrillo", upstream: 192.168.192.78:143

Your client connected to nginx port 143 (for imap). nginx tried to
connect to 192.168.192.78 port 143. nginx got no response.

Your original mail suggested that there was an imap server on
192.168.122.78, not 192.168.192.78.

client was rejected: "MAIL FROM: [email protected]__" while in auth
state, client: 192.168.122.1, server: 0.0.0.0:25

I do not know about this part.

The code seems to suggest that that means that one part of the system
expects authentication but another part does not.

What is the response to the manual auth_http request in this case?

f

Francis D.

Hi there,
I have decided to delete all the authentication part from the email
process auth, and first make the simplest configuration, so I have
configured nginx based on the examples provided in the nginx wiki page
and just modified it to get an IP address and hostname to redirect my
users to my backend mail servers. Unfortunately I got another 2 error
messages:

upstream timed out (110: Connection timed out) while connecting to
upstream, client: 192.168.122.1, server: 0.0.0.0:143, login:
"ricardo.carrillo", upstream: 192.168.192.78:143

and

client was rejected: "MAIL FROM: [email protected]__" while in auth
state, client: 192.168.122.1, server: 0.0.0.0:25

Does anybody know what those errors mean?

Posted at Nginx Forum:

Sorry, my mistake, all the IPs are related to the
192.168.122.0/255.255.255.0 network.

Posted at Nginx Forum:

Thanks for the tips and the corrections, after a long night I have
finished the proxy configuration with ldap auth php authentication.

Does anybody know if it is possible to share configurations on the nginx
page?

Posted at Nginx Forum:

I changed the IP address in my php script and I think we are moving on,
now I’m seeing the next error in my logs:

*6 upstream sent invalid response: "550 5.7.0 Error: insufficient authorization" while reading response from upstream, client: 192.168.122.1 using starttls, server: 0.0.0.0:587, login: "ricardo.carrillo", upstream: 192.168.122.78:25
2015/03/12 21:02:18 [info] 2375#0: *6 upstream sent invalid response: "550 5.7.0 Error: insufficient authorization" while reading response from upstream, client: 192.168.122.1 using starttls, server: 0.0.0.0:587, login: "ricardo.carrillo", upstream: 192.168.122.78:25

The response for the manual auth_http request is:

[root@proxy-n1 ~]# curl -v -H "Host:192.168.122.170" \
    -H "Auth-Method:plain" \
    -H "Auth-User:ricardo.carrillo" \
    -H "Auth-pass:r3dh4t" \
    -H "Auth-Protocol:imap" \
    -H "Auth-Login-Attempt:1" \
    -H "Client-IP: 192.168.122.1" \
    http://192.168.122.170:80/correo-proxy-auth/auth2.php

* About to connect() to 192.168.122.170 port 80 (#0)
* Trying 192.168.122.170...
* Connected to 192.168.122.170 (192.168.122.170) port 80 (#0)

< HTTP/1.1 200 OK
< Server: nginx/1.6.2
< Date: Fri, 13 Mar 2015 02:06:37 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/5.4.16
< Auth-Status: OK
< Auth-Server: 192.168.122.78
< Auth-Port: 143
<

* Connection #0 to host 192.168.122.170 left intact

Posted at Nginx Forum:
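
An added example, not part of the thread or of nginx: the manual auth_http check discussed above can be scripted so that each captured reply is classified before the mail side is tested. The sample responses are constructed from the curl output quoted in the thread, the verdict strings are this example's own, and the rule that Auth-Server must be an IP address literal (not a hostname such as the LDAP mailhost value) is an assumption about nginx's mail module that the page itself does not state.

```python
import ipaddress

# Constructed sample replies, modelled on the curl output quoted in the thread.
OK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.6.2\r\n"
    "Auth-Status: OK\r\n"
    "Auth-Server: 192.168.122.78\r\n"
    "Auth-Port: 143\r\n\r\n"
)
ERROR_500 = "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
HOSTNAME_SERVER = (
    "HTTP/1.1 200 OK\r\nAuth-Status: OK\r\n"
    "Auth-Server: correo-n1.ine.mx\r\nAuth-Port: 143\r\n\r\n"
)
BAD_LOGIN = (
    "HTTP/1.1 200 OK\r\nAuth-Status: Invalid login or password\r\n"
    "Auth-Wait: 3\r\n\r\n"
)


def parse_headers(raw):
    """Return (http_status_code, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    code = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, headers


def check_auth_response(raw):
    """Classify an auth_http reply; the verdict strings are this example's own."""
    code, h = parse_headers(raw)
    status = h.get("auth-status")
    if status is not None and status != "OK":
        # Any Auth-Status other than OK is treated as an error message.
        return "rejected: " + status
    server, port = h.get("auth-server"), h.get("auth-port")
    if not server or not port:
        # Corresponds to the thread's log line "did not send server or port".
        return "missing Auth-Server/Auth-Port (HTTP %d)" % code
    try:
        ipaddress.ip_address(server)  # assumption: hostnames are not accepted
    except ValueError:
        return "Auth-Server is not an IP address: " + server
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return "invalid Auth-Port: " + port
    return "proxy to %s:%s" % (server, port)
```

Feeding it the header block saved from `curl -i` gives a single verdict per reply, which makes a 500 from the PHP script and a reply that merely lacks the backend address show up as the same failure class nginx logs.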