ImapAuthenticateWithEmbeddedPerlScript
[edit] Using nginx-embedded-perl module on the same server as the imap/pop proxy as the auth backend
Note: this solution will block entire nginx worker when reading user information from DB and therefore not recommended for real use.
- Note2: This solution is being used at at ISP with 35000+ mailboxes for almost 2 years now fine. If you want shameful plug, the ISP is Worldsoft ([1] )
Start with the configuration from [NginxImapProxyExample] . For detail information about different configuration parameters, see the [NginxMailCoreModule] page.
Configure nginx with embedded perl and mail
./configure --with-http_perl_module --with-mail
nginx/conf/nginx.conf
user nobody; worker_processes 1; error_log logs/error.log info; pid logs/nginx.pid; events { worker_connections 1024; multi_accept on; } http { perl_modules perl/lib; perl_require mailauth.pm; server { location /auth { perl mailauth::handler; } } } mail { auth_http 127.0.0.1:80/auth; pop3_capabilities "TOP" "USER"; imap_capabilities "IMAP4rev1" "UIDPLUS"; server { listen 110; protocol pop3; proxy on; } server { listen 143; protocol imap; proxy on; } }
The ultrafast nginx based authentifier. nginx/perl/lib/mailauth.pm
package mailauth; use nginx; use DBI; my $dsn="DBI:mysql:database=DBNAME;host=HOSTNAME"; our $dbh=DBI->connect_cached($dsn, 'dbusername', 'dbpass', {AutoCommit => 1}); our $sth=$dbh->prepare("select password,mail_server from mailaccounts where username=? limit 1"); our $auth_ok; our $mail_server_ip={}; our $protocol_ports={}; $mail_server_ip->{'mailhost01'}="192.168.1.22"; $mail_server_ip->{'mailhost02'}="192.168.1.33"; $protocol_ports->{'pop3'}=110; $protocol_ports->{'imap'}=143; sub handler { my $r = shift; $auth_ok=0; $sth->execute($r->header_in("Auth-User")); my $hash=$sth->fetchrow_hashref(); # assuming that the query results password and mail_server # assuming that the password is in crypt format if (crypt($r->header_in("Auth-Pass"), $hash->{'password'}) eq $r->header_in("Auth-Pass")){ $auth_ok=1; } if ($auth_ok==1){ $r->header_out("Auth-Status", "OK") ; $r->header_out("Auth-Server", $mail_server_ip->{$hash->{'mail_server'}}); $r->header_out("Auth-Port", $protocol_ports->{$r->header_in("Auth-Protocol")}); } else { $r->header_out("Auth-Status", "Invalid login or password") ; } $r->send_http_header("text/html"); return OK; } 1; __END__