On 21 Oct 2022 at 19:42, Brendan Braybrook <brendan@tucows.com> wrote:
On 2022-10-21 04:29, spi wrote:
On 21.10.22 at 13:14, Amol Kulkarni wrote: Nginx has a mail proxy for pop, imap, smtp. Can it be used instead of director?
Nginx can authenticate imap/smtp (and probably pop3) users. If you do that, you can define a backend server the session is routed to. Currently I use that approach to authenticate users by client certificates and route them to the appropriate backend (well, I only have one ;-).
we've recently switched to director, but we used to use nginx for this as well (we started using nginx before director existed). if you load balance the nginx proxies themselves, you can easily handle hundreds of thousands of concurrent imap connections with them.
in debian/ubuntu, i don't think the nginx packages include the mail proxy bits. iirc, we had to compile nginx ourselves with the mail proxy bits included.
the nginx config is pretty simple, you have to pre-specify the capabilities for each protocol and set up some sort of way for nginx to auth and get which backend node to send to as spi notes (in this example, it's an http call):

    mail {
        auth_http localhost:8080/cgi-bin/auth;
        proxy_pass_error_message on;

        pop3_capabilities "TOP" "UIDL" "RESP-CODES" "PIPELINING" "AUTH-RESP-CODE" "USER" "SASL PLAIN" "SASL PLAIN LOGIN";
        server {
            listen 110;
            protocol pop3;
            proxy on;
        }

        imap_capabilities "IMAP4rev1" "LITERAL+" "SASL-IR" "LOGIN-REFERRALS" "IDLE";
        server {
            listen 143;
            protocol imap;
            proxy on;
        }
    }
localhost:8080/cgi-bin/auth then just auths the user/pass that nginx gets from the incoming request and returns success and the next hop for nginx to proxy to.
the only real difficulty is that you then need to write your own state system into your cgi auth script to ensure that users get sent to the same backend imap server if they already have an existing connection and have some way to safely fail over to other backend imap servers should one go down. (it's nice to have director handle this state stuff for you)
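A worked auth_http backend for a configuration like the one above, written here as an added example; it is not Brendan's CGI script and not part of the original thread. It assumes a hypothetical backend pool (10.0.0.11-13:143) and a constructed user table, and implements the header exchange nginx's mail auth protocol uses: Auth-Method, Auth-User, Auth-Pass and Auth-Login-Attempt in; Auth-Status, Auth-Server, Auth-Port and Auth-Wait out. In place of the per-user state table Brendan mentions it uses rendezvous hashing over the backend list, so every proxy computes the same preferred backend for a user without shared state, and a backend marked down only moves that backend's users. The `DOWN` set is a stand-in for whatever health checker would feed it.

```python
"""Minimal nginx auth_http backend: checks IMAP/POP3 logins and picks a sticky backend.
Added example; the addresses and users below are constructed, not real."""
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Hypothetical backend pool and the subset currently considered down.
BACKENDS = [("10.0.0.11", 143), ("10.0.0.12", 143), ("10.0.0.13", 143)]
DOWN = set()


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password):
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


# Constructed user table: user -> (salt, pbkdf2 digest). Plaintexts only exist here.
USERS = {"alice@example.com": _make_user("s3cret"), "bob@example.com": _make_user("hunter2")}


def check_password(user, password):
    rec = USERS.get(user)
    # Hash even for unknown users so timing does not reveal whether the account exists.
    salt, digest = rec if rec else (b"\0" * 16, b"\0" * 32)
    return hmac.compare_digest(_pbkdf2(password, salt), digest) and rec is not None


def pick_backend(user, backends=BACKENDS, down=DOWN):
    """Rendezvous (highest-random-weight) hashing: rank backends by H(user, backend).
    The same user always gets the same order on every proxy, so sessions stay sticky
    without shared state; if the top choice is down, fall through to the next one."""
    ranked = sorted(
        backends,
        key=lambda b: hashlib.sha256(f"{user}\0{b[0]}:{b[1]}".encode()).digest(),
        reverse=True,
    )
    for backend in ranked:
        if backend not in down:
            return backend
    return None  # whole pool down: caller reports a temporary failure


def auth_response(headers):
    """Map the request headers nginx sends to the response headers it expects."""
    method = headers.get("Auth-Method", "")
    # nginx percent-escapes these values before putting them in headers.
    user = unquote(headers.get("Auth-User", ""))
    password = unquote(headers.get("Auth-Pass", ""))
    attempt = int(headers.get("Auth-Login-Attempt") or 1)
    if method != "plain":  # LOGIN and PLAIN both arrive as "plain"; no apop/cram-md5 here
        return {"Auth-Status": "Unsupported auth method", "Auth-Wait": "3"}
    if not check_password(user, password):
        # Auth-Wait makes nginx delay before the client may retry; grow it per attempt.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": str(min(3 * attempt, 30))}
    backend = pick_backend(user)
    if backend is None:
        return {"Auth-Status": "Temporary server problem, try again later", "Auth-Wait": "3"}
    return {"Auth-Status": "OK", "Auth-Server": backend[0], "Auth-Port": str(backend[1])}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)  # nginx reads the verdict from Auth-Status, not the HTTP code
        for name, value in auth_response(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *args):  # never log lines that could contain Auth-Pass
        pass


if __name__ == "__main__":
    # Loopback only: credentials travel in plaintext headers on this hop.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Point `auth_http 127.0.0.1:8080/;` at it and keep it bound to loopback, since the password is in a cleartext header on that hop. One caveat the thread's "state system" remark is really about: with pure hashing, a backend that comes back up immediately reclaims its users, so a user who re-logged in elsewhere while it was down can end up with sessions on two backends; a production version persists the user-to-backend mapping (which is what director does) or keeps the recovered node marked down until its former users have drained.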
Although Director does not do health checks or take servers down automatically. I was working on an open source program for that (as an alternative to Dovemon), but that plan is canceled with this announcement :)