smtps mail proxy

January 23, 2015 10:11AM
Hello,

I seek advice on configuring nginx as a mail proxy.

PREMISES

The existing system is based upon postfix and dovecot.
The system delivers "n" virtual domains, say, mx.example_1.org,
mx.example_2.org, ..., mx.example_n.org, all behind a single IP.

There is no "shared" (Subject Alternative Name) certificate, because adding
or releasing a domain would require a new shared certificate, revoking the
old one, and taxing the other domains for the novelty.---I refer to SAN certs
as "condocerts" (condominium certificates): feel free to use the term yourself.---
We are not a condo, and therefore, each domain carries its own set of TLS
certificates, managed autonomously.

Dovecot manages its side of things nicely, with
- per-domain "mail_location",
- per-domain password database,
- per-domain TLS certificates,
- SNI [http://wiki2.dovecot.org/SSL/SNIClientSupport].

Client authentication is entirely delegated to dovecot;
postfix uses SASL to dovecot's unix socket.

PROBLEM

Postfix does not support SNI.

OUR AIM

Our aim is to add SNI to port 465 (postfix) using nginx as transparent mail proxy.

The following is a mock-up configuration.

mail {

    proxy on;
    proxy_pass_error_message on;
    proxy_buffer 4k; # 4k|8k
    proxy_timeout 24h;
    xclient on; # http://www.postfix.org/XCLIENT_README.html

    ssl_dhparam /etc/vmail/dh2048;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # SNI supported
    ssl_ciphers DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:MAIL:10m;
    #ssl_session_timeout =

    #smtp_capabilities ...; # pass through wanted <-------
    #smtp_auth ...; # pass through wanted <-------

    server {
        listen 465;
        protocol smtp;
        ssl on;
        timeout 5s;
        server_name mx.example_1.org;
        #ssl_password_file /etc/vmail/example_1.org/passdb_keys; # to read .key certificates
        ssl_certificate /etc/vmail/example_1.org/ssl/mx.crt;
        ssl_certificate_key /etc/vmail/example_1.org/ssl/mx.key;
    }

    server {
        listen 465;
        protocol smtp;
        ssl on;
        timeout 5s;
        server_name mx.example_2.org;
        #ssl_password_file /etc/vmail/example_2.org/passdb_keys;
        ssl_certificate /etc/vmail/example_2.org/ssl/mx.crt;
        ssl_certificate_key /etc/vmail/example_2.org/ssl/mx.key;
    }

    # ...

    server {
        listen 465;
        protocol smtp;
        ssl on;
        timeout 5s;
        server_name mx.example_n.org;
        #ssl_password_file /etc/vmail/example_n.org/passdb_keys;
        ssl_certificate /etc/vmail/example_n.org/ssl/mx.crt;
        ssl_certificate_key /etc/vmail/example_n.org/ssl/mx.key;
    }

}


OPEN QUESTIONS

1. It is not clear how nginx would talk to postfix. One would expect the proxy to serve
on port, say, 4650, being the port exposed by the router, masking postfix on port 465,
but nginx does not seem to have a relevant configuration clause.

2. Nginx refuses to start up, demanding "auth_http". However, we do not need to move
authentication to nginx. What we need is a transparent proxy: nginx should listen to
dovecot's unix socket, just like postfix does.

Thank you for your advice, if any.
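Editor's note on the two open questions, with an added example that is not part of the original post and not code from the nginx or Postfix projects. The nginx mail proxy has no static "backend address" directive: after the TLS handshake and greeting it issues an HTTP request to the auth_http URL and takes the backend from the reply's Auth-Server and Auth-Port headers, which is why it refuses to start without auth_http even when `smtp_auth none` is set. The responder below answers that request for the pass-through case described above and refuses everything else. Assumed values: postfix accepting cleartext SMTP from nginx on 127.0.0.1:2525, the responder listening on 127.0.0.1:9000, and the nginx side configured as `auth_http 127.0.0.1:9000/auth;`.

```python
"""nginx auth_http responder for a pass-through SMTP proxy (added example).

nginx's mail proxy learns where the backend is from the HTTP reply to its
auth_http request: 'Auth-Status: OK' plus Auth-Server/Auth-Port. This
responder serves the 'smtp_auth none' case only and refuses anything else.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address

# Assumptions (not from the original post): where postfix accepts cleartext
# SMTP from nginx, and where this responder listens.
BACKEND_SERVER = "127.0.0.1"
BACKEND_PORT = 2525
LISTEN = ("127.0.0.1", 9000)   # nginx side: auth_http 127.0.0.1:9000/auth;


def auth_http_response(headers):
    """Translate the Auth-* request headers nginx sends into reply headers.

    Returns a list of (name, value) pairs. Any Auth-Status other than 'OK'
    makes nginx drop the session and show that text to the client, using
    Auth-Error-Code as the SMTP reply code.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    protocol = h.get("auth-protocol", "")
    method = h.get("auth-method", "")
    client_ip = h.get("client-ip", "")

    if protocol != "smtp":
        # This front-end proxies SMTP only; IMAP/POP3 stay on dovecot directly.
        return [("Auth-Status", "Protocol not proxied here"),
                ("Auth-Error-Code", "554 5.7.1")]
    if method != "none":
        # nginx is not the SASL endpoint in this design. An AUTH attempt at
        # the proxy is refused rather than waved through: a blind 'OK' here
        # would make nginx announce the login name to postfix via XCLIENT as
        # an already-authenticated user.
        return [("Auth-Status", "Authentication is not handled by the proxy"),
                ("Auth-Error-Code", "535 5.7.0"),
                ("Auth-Wait", "3")]
    if not client_ip:
        # nginx always sends Client-IP; without it the request is not nginx's.
        return [("Auth-Status", "Malformed request"),
                ("Auth-Error-Code", "554 5.7.1")]

    return [("Auth-Status", "OK"),
            ("Auth-Server", BACKEND_SERVER),
            ("Auth-Port", str(BACKEND_PORT))]


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # When smtp_auth is enabled the request carries Auth-User/Auth-Pass
        # in clear HTTP headers, so only loopback peers are answered.
        if not ip_address(self.client_address[0]).is_loopback:
            self.send_error(403)
            return
        self.send_response(200)
        for name, value in auth_http_response(dict(self.headers.items())):
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, fmt, *args):
        # Never log request headers: they can contain credentials.
        pass


def main():
    HTTPServer(LISTEN, AuthHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Run it beside nginx and point `auth_http` at it; nginx then opens the proxied connection to postfix itself, and with `xclient on` prefixes it with the client's address and HELO name so postfix logs and policy see the real client. The mock-up's per-domain `server` blocks are untouched by this: the responder only decides which backend a session goes to.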
Thread: smtps mail proxy
- smtps mail proxy -- 173279834462, January 23, 2015 10:11AM
- Re: smtps mail proxy -- Francis Daly, January 24, 2015 09:02AM