Welcome! Log In Create A New Profile


Anonymous auth to authenticated SMTP

Posted by dmcken 
Anonymous auth to authenticated SMTP
May 04, 2010 10:11PM
I should probably start by stating what I am trying to achieve.

[*] We have network equipment that can send unauthenticated e-mails (e.g. APC UPS, network power units and other embedded equipment). Most can't specify the port number so any solution that required a separate instance per account requires setting up ip aliases which will only add to management headaches.
[*] Our mail server requires authentication and we are not in a position to turn it off for certain ip ranges (google apps mail).
[*] Multiple accounts are used (upses use ups@domain.com, PDUs use pdu@domain.com, etc), i.e. various ips are mapped to different accounts. For the most part this mapping is arbitrary and does not follow a pre-defined pattern, the mapping is however stored in a database locally (one of the primary reasons most other solutions have been discarded).

In a nutshell I have a set of equipment that will connect to a proxy and need to be sent upstream authenticated appropriately depending on what information was given to the proxy by the auth server.

I am (hopefully) one step away from completing this setup. My config is as follows:

-- start nginx.conf --
user nginx nginx;
worker_processes 1;

error_log /var/log/nginx/error_log info;

events {
worker_connections 32;
use epoll;

mail {
auth_http <auth url>;

server {
listen x.x.x.x:25;
server_name server.name.com
protocol smtp;
smtp_auth none;
proxy on;
xclient on;
-- end nginx.conf --

-- start auth server success response --
HTTP/1.0 200 OK
Auth-Status: OK
Auth-Server: <non ssl-proxy>
Auth-Port: 25
Auth-User: newname
Auth-Pass: password
-- end auth server success response --

The above does not take the SSL that google also requires into account as right now I'm still trying to get authentication working, I'm using stunnel to deal with the SSL temporarily.

The config above doesn't work fully because gmail doesn't understand the xclient command. Some digging around lead me to the fact that gmail will accept XOAUTH or regular LOGIN. I've already found the appropriate sections in the ngx_mail_proxy_smtp_handler (ngx_mail_proxy_module.c) function, before I start:

[*] Has anyone else ever considered / done this (and hopefully saved me the trouble, I'm lazy).
[*] Should I modify the existing "xclient" flag or create a new one e.g. "smtp_auth_upstream".
[*] I have a (somewhat) working knowledge of SMTP LOGIN authentication but no knowledge about XOAUTH. Right now I'm leaning towards using simple LOGIN but I am not sure if there is some blatantly obvious problem I will be creating by doing so.

Thanks in Advance for any help provided.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 77
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready