I have shown in the last article Kolab/Roundcube with Squirrelmail’s IMAPProxy on CentOS6 how to easily configure an IMAPProxy for Roundcube, and explained the reasons for an IMAP Proxy as well.

Because I did investigate the Nginx IMAP Proxy as well, and got it to work after some workarounds, I want to share it here as well.

stunnel
With Nginx I had this problem: I was not able to connect to the Cyrus IMAP if /etc/imapd.conf had the line allowplaintext: no. The error you get in /var/log/nginx/error.log is: Login only available under a layer
I did not want to change it to allowplaintext: yes

See also this discussion on ServerFault: Can nginx be an mail proxy for a backend server that does not accept cleartext logins?

The solution is to use stunnel.

On CentOS6, you can run yum install stunnel. Unfortunately, there seems to be no init script installed, so that you can run it as a service.

I have taken the script from the source tar.gz file from stunnel, and saved it as /etc/init.d/stunnel:

#!/bin/sh
# stunnel SysV startup file
# Copyright by Michal Trojnara 2002,2007,2008
 
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/bin/stunnel
PIDFILE=/var/run/stunnel/stunnel.pid
 
# Source function library.
. /etc/rc.d/init.d/functions
 
test -f $DAEMON || exit 0
 
case "$1" in
    start)
        echo -n "Starting universal SSL tunnel: stunnel"
        daemon $DAEMON || echo -n " failed"
        echo "."
        ;;
    stop)
        echo -n "Stopping universal SSL tunnel: stunnel"
        if test -r $PIDFILE; then
            kill `cat $PIDFILE` 2> /dev/null || echo -n " failed"
        else
            echo -n " no PID file"
        fi
        echo "."
        ;;
     restart|force-reload)
        echo "Restarting universal SSL tunnel"
        $0 stop
        sleep 1
        $0 start
        echo "done."
        ;;
    *)
        N=${0##*/}
        N=${N#[SK]??}
        echo "Usage: $N {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac
 
exit 0

I have created this configuration file /etc/stunnel/stunnel.conf:

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1
 
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
 
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
 
; Use it for client mode
client = yes
; foreground = yes
 
; Service-level configuration
 
[imaps]
accept  = 8993
connect = 993

Some commands you need to run for configuring stunnel:

chmod a+x /etc/init.d/stunnel
service start stunnel
chkconfig stunnel on

Nginx IMAP Proxy
Install with yum install nginx.

You have to provide a service for authentication. In my case, I let Cyrus to decide if the password is correct. So I just return the IP and port of the Cyrus server. I point to port 8993 which is the stunnel to port 993 of Cyrus.

This is my file /etc/nginx/nginx.conf

worker_processes  1;
 
events {
  worker_connections  1024;
}
 
error_log  /var/log/nginx/error.log info;
 
mail {
  auth_http  localhost:81/auth;
 
  proxy on;
  imap_capabilities  "IMAP4rev1"  "UIDPLUS"; ## default
  server {
    listen     8143;
    protocol   imap;
  }
}
 
http {
  server {
    listen localhost:81;
    location = /auth {
      add_header Auth-Status OK;
      add_header Auth-Server 127.0.0.1;  # backend ip
      add_header Auth-Port   8993;       # backend port
      return 200;
    }
  }
}

And the usual:

service nginx start
chkconfig nginx on

Roundcube configuration
You need to change the port that Roundcube connects to, instead of port 143 now use 8143 where your Nginx IMAP Proxy is running.

In file /etc/roundcubemail/config.inc.php:

$config['default_port'] = 8143;

I have added the initIMAPProxy.sh script to my TBits scripts: initIMAPProxy.sh
Just change the line at the top with up-imapproxy to nginx.

Kolab/Roundcube with Nginx IMAP Proxy on CentOS6
Tagged on: