IMAP Proxy with TLS Upstream Configuration
I believe I have properly configured nginx v1.24.0 (open source) for IMAP proxy on FreeBSD 14.0. I am, however, unable to establish a TLS connection to the upstream server.

I have confirmed that I can connect to the proxy with TLS and that the auth server is called. The auth server returns the expected Auth-Server and Auth-Port. The upstream server is on a remote host with Dovecot running TLS on the standard port of 993. I can see the TCP handshake between the proxy and Dovecot on both machines, but nginx does not proceed.

It eventually returns "* BAD internal server error" with the error log indicating a timeout

2024/01/06 10:54:33 [debug] 6217#100294: *1 mail auth http process status line
2024/01/06 10:54:33 [debug] 6217#100294: *1 mail auth http process headers
2024/01/06 10:54:33 [debug] 6217#100294: *1 mail auth http header: "Server: nginx/1.24.0"
2024/01/06 10:54:33 [debug] 6217#100294: *1 mail auth http header: "Date: Sat, 06 Jan 2024 18:54:33 GMT"
2024/01/06 10:54:33 [debug] 6217#100294: *1 mail auth http header: "Connection: close"
2024/01/06 10:54:33 [debug] 6217#100294: *1 mail auth http header: "Auth-Status: OK"
2024/01/06 10:54:33 [debug] 6217#100294: *1 mail auth http header: "Auth-Server: 2601:::::1234"
2024/01/06 10:54:33 [debug] 6217#100294: *1 mail auth http header: "Auth-Port: 993"
2024/01/06 10:54:33 [debug] 6217#100294: *1 mail auth http header done
2024/01/06 10:54:33 [debug] 6217#100294: *1 event timer del: 11: 43974303
2024/01/06 10:54:33 [debug] 6217#100294: *1 reusable connection: 0
2024/01/06 10:54:33 [debug] 6217#100294: *1 free: 167258040800, unused: 64
2024/01/06 10:54:33 [debug] 6217#100294: *1 posix_memalign: 167258041100:256 @16
2024/01/06 10:54:33 [debug] 6217#100294: *1 stream socket 11
2024/01/06 10:54:33 [debug] 6217#100294: *1 connect to 2601:::::1234:993, fd:11 #4
2024/01/06 10:54:33 [debug] 6217#100294: *1 kevent set event: 11: ft:-1 fl:0025
2024/01/06 10:54:33 [debug] 6217#100294: *1 kevent set event: 11: ft:-2 fl:0025
2024/01/06 10:54:33 [debug] 6217#100294: *1 event timer add: 11: 60000:43974303
2024/01/06 10:54:33 [debug] 6217#100294: *1 posix_memalign: 167258041200:256 @16
2024/01/06 10:54:33 [debug] 6217#100294: *1 malloc: 167258049000:4096
2024/01/06 10:54:33 [debug] 6217#100294: *1 mail proxy write handler
2024/01/06 10:55:33 [debug] 6217#100294: *1 event timer del: 11: 43974303
2024/01/06 10:55:33 [debug] 6217#100294: *1 mail proxy imap auth handler
2024/01/06 10:55:33 [info] 6217#100294: *1 upstream timed out (60: Operation timed out) while connecting to upstream

I have confirmed using openssl s_client that the connection can be made from the host running nginx to the host at the expected IP address and port.

Looking at the source, I did not see an option in the auth-header parsing related to using TLS upstream.

Is there a way to use TLS for the IMAP upstream natively (without needing to configure a port with STARTTLS)?

TIA,

Jeff

mail {
    error_log /var/log/nginx/error.log debug;

    ssl_certificate path/to/fullchain.pem;
    ssl_certificate_key path/to/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:1m;  # about 4000 sessions
    ssl_session_tickets off;

    # modern configuration
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate path/to/fullchain.pem;

    # replace with the IP address of your resolver
    resolver [::1] 127.0.0.1;

    proxy_pass_error_message on;

    server {
        server_name proxy-name.allycomm.com;
        listen 993 ssl;
        listen [::]:993 ssl;
        protocol imap;
        auth_http [::1]:/;
        # From Dovecot (2024-01-04)
        imap_capabilities IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN;
    }
}

_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
Re: IMAP Proxy with TLS Upstream Configuration
Hello!

On Sat, Jan 06, 2024 at 11:03:47AM -0800, Jeff Kletsky wrote:

> I believe I have properly configured nginx v1.24.0 (open source) for
> IMAP proxy on FreeBSD 14.0. I am, however, unable to establish a TLS
> connection to the upstream server.
>
> I have confirmed that I can connect to the proxy with TLS and that the
> auth server is called. The auth server returns the expected Auth-Server
> and Auth-Port. The upstream server is on a remote host with Dovecot
> running TLS on the standard port of 993. I can see the TCP handshake
> between the proxy and Dovecot on both machines, but nginx does not proceed.
>
> It eventually returns "* BAD internal server error" with the error log
> indicating a timeout

[...]

> I have confirmed using openssl s_client that the connection can be made
> from the host running nginx to the host at the expected IP address and port.
>
> Looking at the source, I did not see an option in the auth-header
> parsing related to using TLS upstream.
>
> Is there a way to use TLS for the IMAP upstream natively (without
> needing to configure a port with STARTTLS)?

Backend IMAP servers are expected to be plain text, not SSL/TLS. Neither IMAPS nor IMAP with STARTTLS is supported for upstream connections.

If you want to use SSL/TLS connections between nginx and backend servers, consider configuring stream{} proxying on the same nginx instance with "proxy_ssl on;" to handle SSL/TLS with the backend servers for you, see http://nginx.org/r/proxy_ssl for details.

-- 
Maxim Dounin
http://mdounin.ru/
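The arrangement Maxim describes, written out as an added example configuration (it is not from the thread and not nginx's or Dovecot's own documentation): the mail{} proxy hands each authenticated session to a plain-text listener on loopback, and a stream{} server on that listener wraps the connection in TLS before forwarding it to the Dovecot IMAPS port. The backend name dovecot.example.net, the loopback port 1993, the auth_http address 127.0.0.1:9000/auth and the CA bundle path /etc/ssl/cert.pem are assumptions chosen for the example; the certificate paths and capabilities line are the ones from Jeff's post.

```nginx
# Added example, not part of the thread. Assumed values are marked below.

mail {
    server_name proxy-name.allycomm.com;
    auth_http   127.0.0.1:9000/auth;      # assumed: where the auth script listens

    ssl_certificate     path/to/fullchain.pem;
    ssl_certificate_key path/to/privkey.pem;
    ssl_protocols       TLSv1.3;

    server {
        listen 993 ssl;
        listen [::]:993 ssl;
        protocol imap;
        imap_capabilities IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN;
        # The auth script must now point at the local stream hop rather than at
        # Dovecot itself, i.e. answer with:
        #   Auth-Status: OK
        #   Auth-Server: 127.0.0.1
        #   Auth-Port: 1993
    }
}

stream {
    # Plain-text IMAP listener used only by the mail proxy above. It is bound
    # to loopback so the unencrypted hop never leaves the host.
    server {
        listen 127.0.0.1:1993;
        proxy_pass dovecot.example.net:993;   # assumed backend name

        # Encrypt the backend leg (this is what the mail module cannot do).
        proxy_ssl           on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify the backend's certificate; without this the hop is encrypted
        # but the peer is not authenticated.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/cert.pem;   # assumed CA bundle path
        proxy_ssl_name                dovecot.example.net; # name checked against the cert
        proxy_ssl_server_name         on;                  # send SNI to the backend
    }
}
```

With this split, "nginx -t" still validates both blocks together, and the mail proxy's debug log should show "connect to 127.0.0.1:1993" instead of the remote address. One consequence worth planning for: Dovecot now sees every session arriving from the proxy host's own address rather than from the original client, because the stream hop is a second TCP connection.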