Eric Radman : a Journal

Using Nginx to Provide SSL Access for POP3

Nginx includes a very nice set of proxy modules for the common mail protocols, which provide a means of putting an SSL tunnel in front of simple mail daemons that speak only clear text, such as solid-pop3d. These modules are not compiled into the Nginx base install, but they are enabled if you install Nginx from ports. The following addition to nginx.conf enables the POP3S-to-POP3 proxy:

mail {
    server_name             vm.eradman.com;
    auth_http               localhost:9000;

    proxy                   on;
    ssl_protocols           TLSv1 SSLv3;
    ssl_certificate         /etc/mail/certs/vm.eradman.com.crt;
    ssl_certificate_key     /etc/mail/certs/vm.eradman.com.key;

    pop3_auth               plain apop cram-md5;

    server {
        protocol    pop3;
        listen      995;
        ssl         on;
        pop3_auth   plain;
    }
}

While debugging, the following line may also provide useful information:

error_log /var/log/nginx-error.log info;

The only manual assembly required is to establish a service for auth_http to use. Nginx issues an HTTP GET to this service to request the parameters for the backend connection. Unfortunately Nginx doesn't have CGI support, so I resorted to writing a short script to be launched by inetd:

#!/bin/sh
# mailauth - Nginx mail director for inetd
#
# Nginx sends an HTTP GET whose headers describe the login attempt; inetd
# hands that request to us on stdin, and our stdout goes back to Nginx.

server=127.0.0.1
port=

# Read request headers until the blank line that ends them, picking the
# backend port from the Auth-Protocol header.
while read -r header
do
    line="$(printf '%s' "$header" | tr -d '\r')"
    case $line in
        "Auth-Protocol: pop3") port=110;;
        "Auth-Protocol: imap") port=143;;
        "Auth-Protocol: smtp") port=25;;
        "") break;;
    esac
done

# Reply with CRLF line endings. printf is used rather than the ksh print
# builtin so the script also runs under other /bin/sh implementations.
printf 'HTTP/1.1 200 OK\r\n'
printf 'Content-type: text/plain\r\n'
printf 'Auth-Status: OK\r\n'
printf 'Auth-Server: %s\r\n' "$server"
printf 'Auth-Port: %s\r\n' "$port"
printf '\r\n'
echo OK

This shell script returns 127.0.0.1 as the authentication server and a port number appropriate for each local service. Run it from inetd by making the following config changes:

# /etc/services
mailauth        9000/tcp                # nginx mail proxy
# /etc/inetd.conf
pop3            stream  tcp     nowait  root    /usr/sbin/popa3d        popa3d
mailauth        stream  tcp     nowait  root    /var/www/cgi-bin/mailauth mailauth
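As an added example (not part of the original post), here is a Python version of the same auth_http responder that goes a little further than the shell script: it parses the headers Nginx sends, answers with an error status for protocols it has no backend for, and uses Auth-Wait to slow down repeated login attempts. The header names are those of Nginx's ngx_mail_auth_http_module; the sample request, the user name, the URI and the attempt limit are constructed for the example.

```python
# Added example: an auth_http responder in Python (not the page's script).
# Header names follow nginx's ngx_mail_auth_http_module; sample values are constructed.

BACKEND_SERVER = "127.0.0.1"
BACKEND_PORTS = {"pop3": 110, "imap": 143, "smtp": 25}   # local clear-text daemons
MAX_ATTEMPTS = 3   # assumed policy: after this many tries, make the client wait


def parse_request(raw: bytes) -> dict:
    """Map lowercased header names to values from the raw HTTP request nginx sends."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the request line (GET /auth HTTP/1.0)
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def build_response(headers: dict) -> bytes:
    """Tell nginx where to connect, or return an error message for the client."""
    proto = headers.get("auth-protocol", "")
    attempt = int(headers.get("auth-login-attempt", "1"))
    out = ["HTTP/1.1 200 OK", "Content-Type: text/plain"]
    if proto not in BACKEND_PORTS:
        out.append("Auth-Status: Unsupported protocol")    # any text but OK is an error
    elif attempt > MAX_ATTEMPTS:
        out += ["Auth-Status: Too many login attempts", "Auth-Wait: 5"]  # nginx delays the reply
    else:
        out += ["Auth-Status: OK", f"Auth-Server: {BACKEND_SERVER}",
                f"Auth-Port: {BACKEND_PORTS[proto]}"]
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")


def handle(raw: bytes) -> bytes:
    return build_response(parse_request(raw))


# Constructed sample of the GET nginx issues for a POP3 login. Note that
# Auth-Pass carries the password in clear: keep this service on loopback.
SAMPLE_REQUEST = (
    b"GET /auth HTTP/1.0\r\nHost: localhost\r\n"
    b"Auth-Method: plain\r\nAuth-User: someuser\r\nAuth-Pass: hunter2\r\n"
    b"Auth-Protocol: pop3\r\nAuth-Login-Attempt: 1\r\nClient-IP: 192.0.2.10\r\n\r\n"
)

if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST).decode())
```

The same program can be run from inetd exactly like the shell script, since it only reads stdin and writes stdout.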

Last updated on November 26, 2016