> On 21 Oct 2022, at 19:42, Brendan Braybrook <bren...@tucows.com> wrote:
>
> On 2022-10-21 04:29, spi wrote:
>>> On 21.10.22 at 13:14, Amol Kulkarni wrote:
>>> Nginx has a mail proxy for pop, imap, smtp.
>>> Can it be used instead of director?
>> Nginx can authenticate imap/smtp (and probably pop3) users. If you do that, you
>> can define a backend server the session is routed to. Currently I use that
>> approach to authenticate users by client certificates and route them to the
>> appropriate backend (well, I only have one ;-).
>
> we've recently switched to director, but we used to use nginx for this as
> well (we started using nginx before director existed). if you load balance
> the nginx proxies themselves, you can easily handle hundreds of thousands of
> concurrent imap connections with them.
>
> in debian/ubuntu, i don't think the nginx packages include the mail proxy
> bits. iirc, we had to compile nginx ourselves with the mail proxy bits
> included.
>
> the nginx config is pretty simple, you have to pre-specify the capabilities
> for each protocol and set up some sort of way for nginx to auth and get which
> backend node to send to as spi notes (in this example, it's an http call):
>
> mail {
>     auth_http localhost:8080/cgi-bin/auth;
>     proxy_pass_error_message on;
>
>     pop3_capabilities "TOP" "UIDL" "RESP-CODES" "PIPELINING" "AUTH-RESP-CODE"
>                       "USER" "SASL PLAIN" "SASL PLAIN LOGIN";
>     server {
>         listen 110;
>         protocol pop3;
>         proxy on;
>     }
>
>     imap_capabilities "IMAP4rev1" "LITERAL+" "SASL-IR" "LOGIN-REFERRALS" "IDLE";
>     server {
>         listen 143;
>         protocol imap;
>         proxy on;
>     }
> }
>
> localhost:8080/cgi-bin/auth then just auths the user/pass that nginx gets
> from the incoming request and returns success and the next hop for nginx to
> proxy to.
>
> the only real difficulty is that you then need to write your own state system
> into your cgi auth script to ensure that users get sent to the same backend
> imap server if they already have an existing connection and have some way to
> safely fail over to other backend imap servers should one go down. (it's nice
> to have director handle this state stuff for you)

Although Director does not do health checks and down servers automatically. I was working on an open source program for that (as an alternative to Dovemon), but that plan is canceled with this announcement :)
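
Added example, not part of the original thread and not anyone's production script: a sketch of the logic an `auth_http` endpoint needs, using the request and response headers of nginx's mail auth protocol (`Auth-User`, `Auth-Pass`, `Auth-Protocol` in; `Auth-Status`, `Auth-Server`, `Auth-Port`, `Auth-Wait` out). The backend IPs, the user table, the in-memory `ASSIGNED` map and the function names are assumptions made for illustration; a real deployment would keep the assignment state in shared storage and update `BACKENDS` from a health checker.

```python
import hashlib
import hmac
from urllib.parse import unquote

# Constructed sample data: backend IPs (nginx needs an IP in Auth-Server) and one user.
BACKENDS = {"10.0.0.11": True, "10.0.0.12": True}   # ip -> currently healthy?
PORTS = {"imap": "143", "pop3": "110"}
SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", SALT, 100_000)}
ASSIGNED = {}  # user -> backend ip: the "state system" the thread mentions


def check_password(user, password):
    """Constant-time comparison against the stored PBKDF2 hash."""
    stored = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    # Hash and compare even for unknown users so timing does not reveal valid names.
    return hmac.compare_digest(candidate, stored or b"\0" * 32) and stored is not None


def pick_backend(user):
    """Reuse the user's backend while it is healthy, otherwise fail over."""
    current = ASSIGNED.get(user)
    if current and BACKENDS.get(current):
        return current
    healthy = sorted(ip for ip, up in BACKENDS.items() if up)
    if not healthy:
        return None
    # Deterministic spread of users across the healthy backends.
    digest = hashlib.sha256(user.encode()).digest()
    ASSIGNED[user] = healthy[int.from_bytes(digest[:4], "big") % len(healthy)]
    return ASSIGNED[user]


def auth_response(headers):
    """Map nginx's auth_http request headers to the response headers it expects."""
    user = unquote(headers.get("Auth-User", ""))      # nginx percent-encodes some characters
    password = unquote(headers.get("Auth-Pass", ""))
    port = PORTS.get(headers.get("Auth-Protocol", ""))
    if port is None or not check_password(user, password):
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    backend = pick_backend(user)
    if backend is None:
        return {"Auth-Status": "Temporary server problem, try again later", "Auth-Wait": "3"}
    return {"Auth-Status": "OK", "Auth-Server": backend, "Auth-Port": port}
```

The endpoint sees cleartext passwords, so it should listen only on loopback or a protected network, as the `localhost:8080` in the quoted config does.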