FAQ

Page Discussion Edit History

ImapAuthenticateWithApachePhpScript

[edit] Using a php script on apache server as the auth backend

Start with the configuration from NginxImapProxyExample. For detail information about different configuration parameters, see the NginxMailCoreModule page.


  1. Your Proxy server for pop/imap is running on 192.168.1.1
  2. You have 2 backend pop/imap servers: 192.168.1.22 and 192.168.1.33
  3. You have a webserver that you will use for the authentication and redirection logic 192.168.1.44.
  4. The authentication script is /mail/auth.php

nginx.conf

user  nobody;
worker_processes  1;
error_log  logs/error.log  info;
pid        logs/nginx.pid;
 
events {
  worker_connections  1024;
  multi_accept on;
}
 
mail {
  auth_http  192.168.1.44:80/mail/auth.php;
  pop3_capabilities  "TOP"  "USER";
  imap_capabilities  "IMAP4rev1"  "UIDPLUS";
 
  server {
    listen     110;
    protocol   pop3;
    proxy      on;
  }
 
  server {
    listen     143;
    protocol   imap;
    proxy      on;
  }
}

/mail/auth.php

<?php
/*
Nginx sends headers as
Auth-User: somuser
Auth-Pass: somepass
On my php app server these are seen as
HTTP_AUTH_USER and HTTP_AUTH_PASS
*/
if (!isset($_SERVER["HTTP_AUTH_USER"] ) || !isset($_SERVER["HTTP_AUTH_PASS"] )){
  fail();
}
$username=$_SERVER["HTTP_AUTH_USER"] ;
$userpass=$_SERVER["HTTP_AUTH_PASS"] ;
$protocol=$_SERVER["HTTP_AUTH_PROTOCOL"] ;
// default backend port
$backend_port=110;
if ($protocol=="imap") {
  $backend_port=143;
}
if ($protocol=="smtp") {
  $backend_port=25;
}
// nginx likes ip address so if your
// application gives back hostname, convert it to ip address here
$backend_ip["mailhost01"] ="192.168.1.22";
$backend_ip["mailhost02"] ="192.168.1.33";
// Authenticate the user or fail
if (!authuser($username,$userpass)){
  fail();
  exit;
}
// Get the server for this user if we have reached so far
$userserver=getmailserver($username);
// Get the ip address of the server
// We are assuming that you backend returns hostname
// We try to get the ip else return what we got back
$server_ip=(isset($backend_ip[$userserver]))?$backend_ip[$userserver] :$userserver;
// Pass!
pass($server_ip, $backend_port);
 
//END
 
 
function authuser($user,$pass){
  // put your logic here to authen the user to any backend
  // you want (datbase, ldap, etc)
  // for example, we will just return true;
  return true;
}
 
function getmailserver($user){
  // put the logic here to get the mailserver
  // backend for the user. You can get this from
  // some database or ldap etc
  // dummy logic, all users that start with a,c,f and g get mailhost01
  // the others get mailhost02
  if in_array(substr($user,0,1), array("a", "c", "f", "g")){
    return "mailhost01";
  } else {
    return "mailhost02";
  }
}
 
function fail(){
  header("Auth-Status: Invalid login or password");
  exit;
}
 
function pass($server,$port){
  header("Auth-Status: OK");
  header("Auth-Server: $server");
  header("Auth-Port: $port");
  exit;
}