Need help hacking nginx to work with cyrus too

[Juzzy]

We're trying to migrate from cyrus to zimbra, and I'm trying to hack up the nginx lookup to return cyrus info if it's in the cyru and not in zimbra, but zimbra if its in zimbra or in both, I made the following php script up on a web page then I modified:

conf/nginx/includes/nginx.conf.web: zmroutehandlers domain.com:180/auth.php;
conf/nginx/includes/nginx.conf.mail: auth_http domain.com:180/auth.php;

and removed the other entries (and with some voodoo made it stick after restarts)

Now the zimbra part works flawless, good and bad logins return the correct responses, but the problem is with the cyrus portion:

I've enabled plaintext and tls support in cyrus, switched starttls from 'only' to 'on' inside nginx's conf/nginx/includes/nginx.conf.mail.imap

but when I try plaintext or tls logins, I get the following error in cyrus:
cyrus/imapd[13404]: badlogin: proxy.domain.com[192.168.1.102] PLAIN [SASL(-16): encryption needed to use mechanism: security flags do not match required]

So my 2 big questions, is there a better way to do this?
and any ideas on how to manipulate the outbound requests of nginx for plain and/or tls requests for cyrus?

PHP Code:

<?php

if (!isset($_SERVER["HTTP_AUTH_USER"]) || !isset($_SERVER["HTTP_AUTH_PASS"])){
        fail();
}

$cyrus = '192.168.0.2';
$zimbraldap = '172.21.0.24';
$zimbraauth = 'zmailbox01.domain.com';

$username=$_SERVER["HTTP_AUTH_USER"];
$userpass=$_SERVER["HTTP_AUTH_PASS"];
$protocol=$_SERVER["HTTP_AUTH_PROTOCOL"];


$port=110;
if ($protocol=="imap") {
        $port=143;
}
if ($protocol=="smtp") {
        $port=25;
}

$ldapconfig['host'] = $cyrus;
$ldapconfig['port'] = NULL;
$ldapconfig['basedn'] = 'dc=domain,dc=com';

//passthrough to zimbra first
$auth ='';
//print_r($_SERVER);
 foreach ($_SERVER as $k=>$v) {
        if (stristr($k,'_AUTH_')) {
                $keys = explode("_",$k);
                if(isset($keys[3])) 
                        $auth .= "Auth-$keys[2]-$keys[3]: $v\r\n";
                else
                        $auth .= "Auth-$keys[2]: $v\r\n";
        }
}

$fd = fsockopen($zimbraauth, 7072, $errno, $errstr, 30);
$data .="GET /service/extension/nginx-lookup HTTP/1.0\r\n";
$data .="Host: $zimbraauth\r\n";
$data .= "$auth\r\n";

fwrite($fd,$data);
while (!feof($fd))
        $response .= fgets($fd, 1024);

if (strstr($response,"Auth-Status: OK")) { // it's in zimbra
        header("Auth-Status: OK");
        $res = explode("\r\n",$response);
        foreach ($res as $line) {
                list($name,$value) = explode(": ",$line);
                if (strstr($name,"Auth"))
                        header("$name: $value");
        }
        die();
} else if (ldap_authenticate($username,$userpass,$ldapconfig)) { // its in cyrus
        header("Auth-Status: OK");
        header("Auth-Server: $cyrus");
        header("Auth-Port: $port");
        die();
} else { //bad login
        fail();
}


function ldap_authenticate($user,$pass,$ldapconfig) {
    if ($user != "" && $pass != "") {
        $ds=ldap_connect($ldapconfig['host'],$ldapconfig['port']);
        $r = ldap_search( $ds, $ldapconfig['basedn'], 'uid=' . $user);
        if ($r) {
            $result = ldap_get_entries( $ds, $r);
            if ($result[0]) {
                if (@ldap_bind( $ds, $result[0]['dn'], $pass) ) {
                        return true;
                }
            }
        }
    }
    return NULL;
}


function fail(){
        header("Auth-Status: Invalid login or password");
        die();
}

Thanks,
Steve

[Juzzy]

Just as a side note, the purpose of this:
We have about 600 accounts to move to zimbra, and about 133 are there now.

If this will work, we can point the mail.domain.com (where the old imap is) to the proxy and then move people at will and not have to resetup and import their outlook files, just install the zimbra outlook plugin at our leisure.

[Rich Graves]

Yes, Cyrus requires a security layer for SASL PLAIN auth as another user even if "plaintext" is allowed for end users. This has never bothered the primary maintainers because they want people using kerberos or cram-md5 anyway.

Ther have long existed patches for Cyrus to change this behavior for connections on localhost. One popular source is Simon Mutter's RPMs. Shouldn't be difficult to alter the patces to allow insecure PLAIN from an arbitrary IP address.

If you don't want to fool around with recompiling a lame-duck server, another option is to adding another proxy layer to the mix -- perdition or stunnel should allow translation from imap to imaps. I currently have a convoluted chain of 3 different proxies (because each of nginx, perdition, and stunnel had different issues with different clients and servers) accepting pop/tls, pop3s, imap/tls, and imaps connections to a legacy server name, opening the ssl envelope, and re-encrypting to zimbra. It's ugly but gets the job done even when user documentation & support fail to get clients fixed.

Or, rethink your plan and do all users on a flag day. If you throw enough hardware at imapsync (yes, I mean imapsync, NOT cyrus or zimbra) and take advantage of incremental updates, you can do a lot of users in a hurry. I did 2000 users with over 400gb mail in 30 hours.