IMAP servers (dovecot, cyrus...) rely on SASL authentication.
The SASL specs let the client requests a different identity than the one used for authentication.
3501 says : The authorization identity passed from the client to the
server during the authentication exchange is interpreted by the server
as the user name whose privileges the client is requesting.
proxy and Cyrus frontends in murder architecture use this to
authenticate with an admin account and request a user identity. It's
very useful to authenticate via proxies without to know the user's
Is there a way to let NGINX use
different identification and authentication ids to authenticate to the
remote imap server ? I can't figure out what to put in the AUTH-*
headers to do that.