Thread: Need help hacking nginx to work with cyrus too

  1. #1
    Juzzy, Starter Member (joined Sep 2008)

    Need help hacking nginx to work with cyrus too

    We're trying to migrate from cyrus to zimbra, and I'm trying to hack up the nginx lookup to return cyrus info if it's in cyrus and not in zimbra, but zimbra if it's in zimbra or in both. I made the following php script up on a web page, then I modified:

    conf/nginx/includes/nginx.conf.web: zmroutehandlers domain.com:180/auth.php;
    conf/nginx/includes/nginx.conf.mail: auth_http domain.com:180/auth.php;

    and removed the other entries (and with some voodoo made it stick after restarts)

    Now the zimbra part works flawlessly: good and bad logins return the correct responses, but the problem is with the cyrus portion:

    I've enabled plaintext and tls support in cyrus and switched starttls from 'only' to 'on' inside nginx's conf/nginx/includes/nginx.conf.mail.imap,

    but when I try plaintext or tls logins, I get the following error in cyrus:
    cyrus/imapd[13404]: badlogin: proxy.domain.com[192.168.1.102] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]

    So my two big questions: is there a better way to do this?
    And any ideas on how to manipulate the outbound requests of nginx for plain and/or tls requests for cyrus?

    PHP Code:
    <?php

    // Reject the request right away if nginx did not send the credentials to check.
    if (!isset($_SERVER["HTTP_AUTH_USER"]) || !isset($_SERVER["HTTP_AUTH_PASS"])) {
        fail();
    }

    $cyrus      = '192.168.0.2';            // legacy cyrus host (also the LDAP server queried below)
    $zimbraldap = '172.21.0.24';            // not used yet
    $zimbraauth = 'zmailbox01.domain.com';  // zimbra mailbox server running the nginx-lookup extension

    $username = $_SERVER["HTTP_AUTH_USER"];
    $userpass = $_SERVER["HTTP_AUTH_PASS"];
    $protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];

    // Backend port to hand nginx in the cyrus case, chosen by protocol.
    $port = 110;
    if ($protocol == "imap") {
        $port = 143;
    }
    if ($protocol == "smtp") {
        $port = 25;
    }

    $ldapconfig['host']   = $cyrus;
    $ldapconfig['port']   = 389;
    $ldapconfig['basedn'] = 'dc=domain,dc=com';

    //passthrough to zimbra first: replay every Auth-* header nginx sent us
    //to zimbra's own nginx-lookup handler
    $auth = '';
    //print_r($_SERVER);

    foreach ($_SERVER as $k => $v) {
        if (stristr($k, '_AUTH_')) {
            // HTTP_AUTH_USER -> Auth-USER, HTTP_AUTH_LOGIN_ATTEMPT -> Auth-LOGIN-ATTEMPT
            $keys = explode("_", $k);
            if (isset($keys[3]))
                $auth .= "Auth-$keys[2]-$keys[3]: $v\r\n";
            else
                $auth .= "Auth-$keys[2]: $v\r\n";
        }
    }

    $response = '';
    $fd = fsockopen($zimbraauth, 7072, $errno, $errstr, 30);
    if ($fd) {
        $data  = "GET /service/extension/nginx-lookup HTTP/1.0\r\n";
        $data .= "Host: $zimbraauth\r\n";
        $data .= "$auth\r\n";

        fwrite($fd, $data);
        while (!feof($fd))
            $response .= fgets($fd, 1024);
        fclose($fd);
    }

    if (strstr($response, "Auth-Status: OK")) { // it's in zimbra
        header("Auth-Status: OK");
        // relay zimbra's Auth-* answer (server, port, user) back to nginx
        $res = explode("\r\n", $response);
        foreach ($res as $line) {
            $parts = explode(": ", $line, 2);
            if (count($parts) == 2 && strstr($parts[0], "Auth"))
                header("$parts[0]: $parts[1]");
        }
        die();
    } else if (ldap_authenticate($username, $userpass, $ldapconfig)) { // it's in cyrus
        header("Auth-Status: OK");
        header("Auth-Server: $cyrus");
        header("Auth-Port: $port");
        die();
    } else {
        //bad login
        fail();
    }

    function ldap_authenticate($user, $pass, $ldapconfig) {
        if ($user != "" && $pass != "") {
            $ds = ldap_connect($ldapconfig['host'], $ldapconfig['port']);
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            // escape the user-supplied value so it cannot alter the search filter (ldap_escape needs PHP >= 5.6)
            $filter = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER);
            $r = ldap_search($ds, $ldapconfig['basedn'], $filter);
            if ($r) {
                $result = ldap_get_entries($ds, $r);
                if ($result['count'] > 0) {
                    // $pass is non-empty (checked above), so this cannot turn into an anonymous bind
                    if (@ldap_bind($ds, $result[0]['dn'], $pass)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    function fail() {
        header("Auth-Status: Invalid login or password");
        die();
    }
    Thanks,
    Steve

  2. #2
    Juzzy, Starter Member (joined Sep 2008)

    Purpose

    Just as a side note, the purpose of this:
    We have about 600 accounts to move to zimbra, and about 133 are there now.

    If this will work, we can point mail.domain.com (where the old imap is) to the proxy and then move people at will, and not have to re-set up and import their outlook files; just install the zimbra outlook plugin at our leisure.

  3. #3
    Rich Graves, Outstanding Member (joined Jan 2007, Minnesota)

    Yes, Cyrus requires a security layer for SASL PLAIN auth as another user even if "plaintext" is allowed for end users. This has never bothered the primary maintainers because they want people using kerberos or cram-md5 anyway.

    There have long existed patches for Cyrus to change this behavior for connections on localhost. One popular source is Simon Matter's RPMs. It shouldn't be difficult to alter the patches to allow insecure PLAIN from an arbitrary IP address.

    If you don't want to fool around with recompiling a lame-duck server, another option is to add another proxy layer to the mix -- perdition or stunnel should allow translation from imap to imaps. I currently have a convoluted chain of 3 different proxies (because each of nginx, perdition, and stunnel had different issues with different clients and servers) accepting pop/tls, pop3s, imap/tls, and imaps connections to a legacy server name, opening the ssl envelope, and re-encrypting to zimbra. It's ugly but gets the job done even when user documentation & support fail to get clients fixed.

    Or, rethink your plan and do all users on a flag day. If you throw enough hardware at imapsync (yes, I mean imapsync, NOT cyrus or zimbra) and take advantage of incremental updates, you can do a lot of users in a hurry. I did 2000 users with over 400 GB of mail in 30 hours.
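One way to build the imap-to-imaps translation layer described above, as an added example that is not from the thread: stunnel in client mode on the nginx proxy host accepts the plaintext backend connection from nginx and re-encrypts it to Cyrus, so Cyrus sees a TLS session and its "encryption needed to use mechanism" check for PLAIN is satisfied without patching imapd. The local ports 1143/1995 and the CA file path are assumptions; 192.168.0.2 is the cyrus address from the first post and 993/995 are the standard imaps/pop3s ports.

```ini
; stunnel.conf on the nginx proxy host (added example, not from the thread)
; Each section is a plaintext listener that nginx is pointed at, with a TLS
; connection out to cyrus. Comments must sit on their own lines in stunnel.conf.

[cyrus-imap]
client = yes
; assumed local port; the lookup script returns this as Auth-Port for imap
accept = 127.0.0.1:1143
; cyrus host from the thread, standard imaps port
connect = 192.168.0.2:993
; verify the cyrus server certificate against an assumed CA bundle path,
; otherwise the hop to cyrus is encrypted but not authenticated
verify = 2
CAfile = /etc/stunnel/cyrus-ca.pem

[cyrus-pop3]
client = yes
; assumed local port; returned as Auth-Port for pop3
accept = 127.0.0.1:1995
connect = 192.168.0.2:995
verify = 2
CAfile = /etc/stunnel/cyrus-ca.pem
```

With this in place the lookup script's cyrus branch answers Auth-Server: 127.0.0.1 and Auth-Port: 1143 (or 1995 for pop3) instead of the cyrus address and plaintext port, so nginx's backend connection lands on stunnel rather than on cyrus directly.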
