Nginx mail proxy times out using IMAPs

[kwisatz]

Good day,

I'm trying to get nginx's imap proxy module to work with zimbra 5.0.18.

Connecting to a zimbra server without SSL works fine but trying to connect to a server running on port 993 returns the following error in the nginx error log:

Quote:

2010/05/10 12:17:25 [info] 20760#0: *16 upstream timed out (110: Connection timed out) while connecting to upstream, client: 212.186.14.47, server: 0.0.0.0:993, login: "d****.*****@student.uibk.ac.at", upstream: 138.232.1.235:993

I'm at a complete loss on what to do. I've found this post imap deadlock bug in 0.7.65 and patched the suggested line of code, even upgraded nginx to 0.8.36 but to no avail.

The zimbra log isn't very revealing either:

Quote:

2010-05-10 10:35:41,994 INFO [ImapSSLServer-163260] [] imap -
[138.232.1.168] connected
2010-05-10 10:36:41,994 INFO [ImapSSLServer-163260] [] ProtocolHandler
- Exception occurred while handling connection
2010-05-10 10:36:41,994 INFO [ImapSSLServer-163260] [] ProtocolHandler
- Handler exiting normally

Any clues on how to further debug this situation would be much appreciated!

[uxbod]

Welcome to the forums

Are you using the proxy that comes with Zimbra or have you just installed NGINX and attempting to get it to work ?

[kwisatz]

Quote:

Originally Posted by uxbod

Are you using the proxy that comes with Zimbra or have you just installed NGINX and attempting to get it to work ?

This is a separate installation of nginx on a remote server.
We would like to use it for a couple of other uses than the version coming with zimbra does.

[veronica]

You cannot use separate install of nginx as there are lot of config lookups done while processing user request. The nginx has to be part of zimbra setup.

[kwisatz]

Quote:

Originally Posted by veronica

You cannot use separate install of nginx as there are lot of config lookups done while processing user request. The nginx has to be part of zimbra setup.

So you cannot simply forward IMAPs requests, is that correct? I'm not doing any funky stuff, just forwarding the original IMAPs requests (from a thunderbird MUA) to various servers depending on the host part of users' mailing addresses.

Just plain standard IMAP and SSL.

[Klug]

Forward IMAP is possible with "standard" ngnix.

If you want it to forward in a "smart" way (depending on user's email address or anything else), you need to code it and put your code into your ngnix.

[kwisatz]

Quote:

Originally Posted by Klug

Forward IMAP is possible with "standard" ngnix.

Ok, good to know!

Quote:

Originally Posted by Klug

If you want it to forward in a "smart" way (depending on user's email address or anything else), you need to code it and put your code into your ngnix.

Yes, that is exactly what I did, using a php script to resolve the appropriate host to be queried.
Similar to this script: NginxImapAuthenticateWithApachePhpScript, but with a few little tweaks.
That part works flawlessly, it's just the SSL connection that doesn't work (i.e. times out)

[Klug]

As I asked on the french forum:
. are you able to connect to the IMAPS daemon on ZCS from the NGNIX server, using CLI ?
. are you using a selfsigned certificate on ZCS ?

Edit - Seen the answer on the french forum : no issue with CLI openssl connect and not self-signed cert on ZCS.

I suppose the issue is not SSL in NGNIX either (it works with https but not imaps) ?

[kwisatz]

Quote:

Originally Posted by Klug

I suppose the issue is not SSL in NGNIX either (it works with https but not imaps) ?

I haven't tried setting up any http(s) service on the nginx host, other than the one on localhost executing the php script that decides what server to forward to.

But connecting to the nginx machine, using imaps and port 993 works flawlessly if I direct nginx to forward that request to a mailserver that uses plain authentication, i.e. port 143 and no SSL whatsoever.

I do really believe that the issue lies at the SSL handshake done between the reverse-proxy and the zimbra server. However, if I were more proficient with tcpdump and maybe other tools, I had better luck debugging this situation.

[Klug]

Was ngnix compiled with ssl support?

That's why I was thinking of trying it against something else than imaps (such as https).