In the last article, Kolab/Roundcube with Squirrelmail's IMAPProxy on CentOS6, I showed how to easily configure an IMAPProxy for Roundcube and explained the reasons for using an IMAP proxy.
Because I also investigated the Nginx IMAP proxy, and got it to work after some workarounds, I want to share that setup here as well.
stunnel
With Nginx I had this problem: I was not able to connect to Cyrus IMAP if /etc/imapd.conf had the line allowplaintext: no. The error you get in /var/log/nginx/error.log is: Login only available under a layer
I did not want to change it to allowplaintext: yes.
See also this discussion on ServerFault: Can nginx be an mail proxy for a backend server that does not accept cleartext logins?
The solution is to use stunnel.
On CentOS6, you can run yum install stunnel. Unfortunately, there seems to be no init script installed that would let you run it as a service.
I have taken the init script from the stunnel source tar.gz file and saved it as /etc/init.d/stunnel:
#!/bin/sh
# stunnel SysV startup file
# Copyright by Michal Trojnara 2002,2007,2008
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/bin/stunnel
PIDFILE=/var/run/stunnel/stunnel.pid

# Source function library.
. /etc/rc.d/init.d/functions

test -f $DAEMON || exit 0

case "$1" in
    start)
        echo -n "Starting universal SSL tunnel: stunnel"
        daemon $DAEMON || echo -n " failed"
        echo "."
        ;;
    stop)
        echo -n "Stopping universal SSL tunnel: stunnel"
        if test -r $PIDFILE; then
            kill `cat $PIDFILE` 2> /dev/null || echo -n " failed"
        else
            echo -n " no PID file"
        fi
        echo "."
        ;;
    restart|force-reload)
        echo "Restarting universal SSL tunnel"
        $0 stop
        sleep 1
        $0 start
        echo "done."
        ;;
    *)
        N=${0##*/}
        N=${N#[SK]??}
        echo "Usage: $N {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
I have created this configuration file /etc/stunnel/stunnel.conf:
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; pid path is relative to the chroot, i.e. /var/run/stunnel/stunnel.pid
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Use it for client mode
client = yes
; foreground = yes

; Service-level configuration
[imaps]
; plaintext side, used by Nginx; a bare port number listens on all interfaces
accept = 8993
; TLS side: Cyrus IMAPS on this host
connect = 993
Some commands you need to run for configuring stunnel:
chmod a+x /etc/init.d/stunnel
service stunnel start
chkconfig stunnel on
Nginx IMAP Proxy
Install with yum install nginx.
You have to provide a service for authentication. In my case, I let Cyrus decide whether the password is correct, so I just return the IP and port of the Cyrus server. I point to port 8993, which is the stunnel to port 993 of Cyrus.
This is my file /etc/nginx/nginx.conf:
worker_processes 1;

events {
    worker_connections 1024;
}

error_log /var/log/nginx/error.log info;

mail {
    auth_http localhost:81/auth;
    proxy on;
    imap_capabilities "IMAP4rev1" "UIDPLUS"; ## default

    server {
        listen 8143;
        protocol imap;
    }
}

http {
    server {
        listen localhost:81;

        location = /auth {
            add_header Auth-Status OK;
            add_header Auth-Server 127.0.0.1; # backend ip
            add_header Auth-Port 8993; # backend port
            return 200;
        }
    }
}
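The /auth location above answers OK to every request. As an added example (not code from the original article), the same endpoint can be written as a small Python service that still leaves the password check to Cyrus but refuses non-IMAP requests and caps login attempts per connection, using the request headers nginx sends to auth_http. The names auth_response and MAX_ATTEMPTS and the limit of 3 are assumptions made for illustration.

```python
"""auth_http backend for the nginx mail proxy (added example, not the article's code)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKEND = ("127.0.0.1", 8993)  # the stunnel listener configured in this article
MAX_ATTEMPTS = 3               # assumption: illustrative per-connection cap


def auth_response(request_headers):
    """Map the Auth-* headers nginx sends to the headers it expects back."""
    h = {k.lower(): v for k, v in request_headers.items()}
    if h.get("auth-protocol") != "imap":
        return {"Auth-Status": "Protocol not allowed"}
    if not h.get("auth-user") or not h.get("auth-pass"):
        return {"Auth-Status": "Missing credentials"}
    try:
        attempt = int(h.get("auth-login-attempt", "1"))
    except ValueError:
        attempt = MAX_ATTEMPTS + 1  # treat a malformed counter as over the cap
    if attempt > MAX_ATTEMPTS:
        # Without an Auth-Wait header nginx returns the error and closes
        # the connection instead of allowing another try.
        return {"Auth-Status": "Too many login attempts"}
    # The password itself is still checked by Cyrus behind stunnel.
    return {
        "Auth-Status": "OK",
        "Auth-Server": BACKEND[0],      # must be an IP address, not a hostname
        "Auth-Port": str(BACKEND[1]),
    }


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The verdict travels in Auth-Status; the HTTP status stays 200,
        # as in the article's nginx location.
        self.send_response(200)
        for name, value in auth_response(dict(self.headers.items())).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Same address the article's auth_http directive points at (port 81 needs root).
    HTTPServer(("127.0.0.1", 81), AuthHandler).serve_forever()
```

If this service replaces the http block, keep it bound to the loopback address, since nginx passes the user's password to it in the Auth-Pass header.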
And the usual:
service nginx start
chkconfig nginx on
Roundcube configuration
You need to change the port that Roundcube connects to: instead of port 143, now use 8143, where your Nginx IMAP Proxy is running.
In file /etc/roundcubemail/config.inc.php:
$config['default_port'] = 8143;
I have added the initIMAPProxy.sh script to my TBits scripts: initIMAPProxy.sh
Just change the line at the top with up-imapproxy to nginx.