imap proxy to read email from mobile apps when zimbra is in private network


Post by mrhbhuiyan1 »

Hello Dear Administrator,

I have installed the open source version and already tested incoming/outgoing mail internally and externally. However, Zimbra is in a private network which is not accessible from outside my network. Therefore, I cannot access it from mobile Outlook.
To access mail from mobile Outlook, I have configured an IMAP proxy on a separate host and created a sub-domain which is open to the internet. However, I am still unable to connect to my Zimbra mail through mobile Outlook.
I have checked the logs on the Zimbra host as well as on the IMAP proxy host, but there is nothing in the logs; mobile Outlook only shows bad user/password.
Here is my imap proxy.conf
at /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


mail {
    # # See sample authentication script at:
    # # http://wiki.nginx.org/ImapAuthenticateW ... ePhpScript
    #
    # auth_http loge.ms.domain.com:143;
    auth_http localhost/auth.php; # authentication configure is on auth.php, which is on /var/www/html in imap proxy host
    server_name mail-proxy.domain.com; # imap proxy host server

    imap_capabilities "IMAP4rev1" "UIDPLUS";

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    starttls on;
    # enable STARTTLS for all mail ser

    ssl_session_timeout 10m;
    ssl_certificate /etc/ssl/certs/domain.com_chain.crt;
    ssl_certificate_key /etc/ssl/private/domain.com.key;

    server {
        listen 25;
        protocol smtp;
        proxy on;
        proxy_pass_error_message on;
    }

    server {
        listen 143;
        protocol imap;
        proxy on;
        proxy_pass_error_message on;
    }
}


auth.php configurations...

root@spica:/var/www/html# cat auth.php
<?php
/*
NGINX sends headers as
Auth-User: someuser
Auth-Pass: somepass
On my php app server these are seen as
HTTP_AUTH_USER and HTTP_AUTH_PASS
*/
if (!isset($_SERVER["HTTP_AUTH_USER"]) || !isset($_SERVER["HTTP_AUTH_PASS"])) {
    fail();
}

$username = $_SERVER["HTTP_AUTH_USER"];
$userpass = $_SERVER["HTTP_AUTH_PASS"];
$protocol = isset($_SERVER["HTTP_AUTH_PROTOCOL"]) ? $_SERVER["HTTP_AUTH_PROTOCOL"] : "";

// backend port per protocol; stays null for any other protocol
$backend_port = null;

if ($protocol == "imap") {
    $backend_port = 143;
}

if ($protocol == "smtp") {
    $backend_port = 25;
}

// reject protocols this script has no backend port for
if ($backend_port === null) {
    fail();
}

// NGINX likes ip address so if your
// application gives back hostname, convert it to ip address here
$backend_ip["mailhost01"] = "172.16.8.5"; // zimbra mail server ip
//$backend_ip["mailhost02"] = "";

// Authenticate the user or fail
if (!authuser($username, $userpass)) {
    fail();
    exit;
}

// Get the server for this user if we have reached so far
$userserver = getmailserver($username);

// Get the ip address of the server
// We are assuming that your backend returns hostname
// We try to get the ip else return what we got back
$server_ip = (isset($backend_ip[$userserver])) ? $backend_ip[$userserver] : $userserver;

// Pass!
pass($server_ip, $backend_port);

//END

function authuser($user, $pass) {
    // password characters encoded by nginx:
    // " " 0x20h (SPACE)
    // "%" 0x25h
    // see nginx source: src/core/ngx_string.c:ngx_escape_uri(...)
    $pass = str_replace('%20', ' ', $pass);
    $pass = str_replace('%25', '%', $pass);

    // put your logic here to authenticate the user against any backend
    // you want (database, ldap, etc)
    // for example, we will just return true (this accepts every login)
    return true;
}

function getmailserver($user) {
    // put the logic here to get the mailserver
    // backend for the user. You can get this from
    // some database or ldap etc
    // dummy logic: every user gets mailhost01
    return "mailhost01";
}

function fail() {
    header("Auth-Status: Invalid login or password");
    exit;
}

function pass($server, $port) {
    header("Auth-Status: OK");
    header("Auth-Server: $server");
    header("Auth-Port: $port");
    exit;
}

Has anyone done the same task that I have tried to do? Please guide me if you can.


Thanks in advance
Riad
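
The posted authuser() returns true for every request, so nginx would treat any password as accepted by the auth_http step. As an added example (not the poster's script and not the nginx sample it is based on), here is an auth.php that confirms the credentials with a real IMAP LOGIN against the Zimbra host before answering Auth-Status: OK. Assumptions: the backend also answers IMAPS on port 993 with a certificate this host trusts, and `BACKEND_NAME`, `reply()` and `check_login()` are hypothetical names.

```php
<?php
// Added example, not the poster's auth.php. Assumptions (constructed): the Zimbra
// host from the post also answers IMAPS on 993 and presents a certificate for
// BACKEND_NAME that this host trusts; reply() and check_login() are hypothetical names.
const BACKEND_IP    = '172.16.8.5';
const BACKEND_NAME  = 'zimbra.internal.example';   // placeholder certificate name
const BACKEND_PORTS = ['imap' => 143, 'smtp' => 25];

// Emit the Auth-* response headers nginx reads, then stop.
function reply(string $status, array $extra = []): void {
    header("Auth-Status: $status");
    foreach ($extra as $name => $value) {
        header("$name: $value");
    }
    exit;
}

// True only if the backend itself accepts the credentials (IMAP LOGIN over TLS).
function check_login(string $user, string $pass): bool {
    // CR/LF or other control bytes would let a client append its own IMAP commands.
    if ($user === '' || preg_match('/[\x00-\x1f\x7f]/', $user . $pass)) {
        return false;
    }
    $ctx  = stream_context_create(['ssl' => ['peer_name' => BACKEND_NAME]]);
    $sock = @stream_socket_client('ssl://' . BACKEND_IP . ':993', $errno, $errstr,
                                  5, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return false;                       // backend unreachable: fail closed
    }
    stream_set_timeout($sock, 5);
    $quote = fn(string $s): string => '"' . strtr($s, ['\\' => '\\\\', '"' => '\\"']) . '"';
    fgets($sock);                           // discard the server greeting
    fwrite($sock, 'a1 LOGIN ' . $quote($user) . ' ' . $quote($pass) . "\r\n");
    do {                                    // skip untagged "* ..." lines
        $line = fgets($sock);
    } while ($line !== false && strncmp($line, 'a1 ', 3) !== 0);
    fclose($sock);
    return $line !== false && strncasecmp($line, 'a1 OK', 5) === 0;
}

// nginx percent-escapes bytes such as space and "%" in these headers (the
// original script undoes %20 and %25 by hand); rawurldecode() reverses all of them.
$user = rawurldecode($_SERVER['HTTP_AUTH_USER'] ?? '');
$pass = rawurldecode($_SERVER['HTTP_AUTH_PASS'] ?? '');
$port = BACKEND_PORTS[$_SERVER['HTTP_AUTH_PROTOCOL'] ?? ''] ?? null;

if ($port === null || !check_login($user, $pass)) {
    reply('Invalid login or password', ['Auth-Wait' => 3]);
}
reply('OK', ['Auth-Server' => BACKEND_IP, 'Auth-Port' => $port]);
```

The Auth-Wait header tells nginx how many seconds to hold the client before it may retry, which slows password guessing through the proxy.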