Welcome! Log In Create A New Profile

Advanced

NGINX Mailproxy

February 17, 2020 05:42AM
Hello

I am trying to use nginx as reverse-mailproxy for multiple mailservers.Whenever I have a client which connects to the nginx-mailproxy via STARTLS or SSL, the NGINX passes a malformed LOGIN packets to the backend mailserver, per example:
(nginx = nginx, mails = backend mailserver, in the first case MailEnable, in the second case Dovecot)

nginx>5 LOGIN {18}
mails>+ go ahead
nginx>user@domain.tld {8}
mails>+ go ahead
nginx>PASSWORD
mails>BAD UNKNOWN Command

nginx>3 LOGIN {17}
mails> + OK
nginx> user@domain.tld {8}
mails> + OK
nginx>PASSWORD
mails>3 NO [AUTHENTICATIONFAILED] Authentication failed.


As you can see, nginx adds a suffix to the username, which lets the backendserver fail. Wireshark displays this additional data as {number}, I can also provide the hex variant of the packets.
NGINX also adds this suffix, if the username is passed via NGX auth header.
I've tested this with the nginx-full binary from the ubuntu repositories, as well as a self-compiled binary.

Used configuration:


  server_name server.domain.tld;
  auth_http url;
  proxy on;
  proxy_pass_error_message on;
  imap_capabilities "IMAP4rev1" "UIDPLUS" "IDLE" "LITERAL +" "QUOTA" "SASL-IR" "ID" "ENABLE";
  pop3_auth plain apop;
  pop3_capabilities "LAST" "TOP" "USER" "PIPELINING" "UIDL";
  smtp_capabilities "SIZE 31457280" ENHANCEDSTATUSCODES 8BITMIME DSN;
  ssl_certificate /path/to/cert.crt;
  ssl_certificate_key /path/to/privkey.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  ssl_prefer_server_ciphers on;
  error_log /var/log/nginx/mailerror.log info;
  xclient on;

#                       POP3                            #
  server {
    listen 143;
    protocol imap;
    starttls on;
    imap_auth plain login;
    auth_http_header X-Auth-Port 143;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
  }
  server {
    protocol pop3;
    listen 110;
    starttls on;
    pop3_auth plain;
    proxy on;
    auth_http_header X-Auth-Port 110;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
  }

#                       IMAP                            #

  server {
    listen 993;
    ssl on;
    protocol imap;
    imap_auth plain login;
    auth_http_header X-Auth-Port 993;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
  }
  server {
    protocol pop3;
    listen 995;
    ssl on;
    pop3_auth plain;
    auth_http_header X-Auth-Port 995;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
  }

#                       SMTP                            #

server {
    listen    25;
    xclient off;
    protocol  smtp;
    starttls on;
    smtp_auth login plain cram-md5;
    auth_http_header X-Auth-Port 25;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
    auth_http_header X-Real-IP $remote_addr;
}
server {
    listen    587;
    xclient off;
    protocol  smtp;
    starttls on;
    smtp_auth login plain cram-md5;
    auth_http_header X-Auth-Port 587;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";

}
server {
    listen    465;
    xclient off;
    protocol  smtp;
    ssl on;
    smtp_auth login plain cram-md5;
    auth_http_header X-Auth-Port 465;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";


}
Is this a configuration-related issue? How can I fix this?
Thank you very much!

Fabian
Hello

I am trying to use nginx as reverse-mailproxy for multiple mailservers.
Whenever I have a client which connects to the nginx-mailproxy via STARTLS or SSL, the NGINX passes a malformed LOGIN packets to the backend mailserver, per example:
(nginx = nginx, mails = backend mailserver, in the first case MailEnable, in the second case Dovecot)

nginx>5 LOGIN {18}
mails>+ go ahead
nginx>user@domain.tld {8}
mails>+ go ahead
nginx>PASSWORD
mails>BAD UNKNOWN Command

nginx>3 LOGIN {17}
mails> + OK
nginx> user@domain.tld {8}
mails> + OK
nginx>PASSWORD
mails>3 NO [AUTHENTICATIONFAILED] Authentication failed.


As you can see, nginx adds a suffix to the username, which lets the backendserver fail. Wireshark displays this additional data as {number}, I can also provide the hex variant of the packets.
NGINX also adds this suffix, if the username is passed via NGX auth header.
I've tested this with the nginx-full binary from the ubuntu repositories, as well as a self-compiled binary.

Used configuration:


  server_name server.domain.tld;
  auth_http url;
  proxy on;
  proxy_pass_error_message on;
  imap_capabilities "IMAP4rev1" "UIDPLUS" "IDLE" "LITERAL +" "QUOTA" "SASL-IR" "ID" "ENABLE";
  pop3_auth plain apop;
  pop3_capabilities "LAST" "TOP" "USER" "PIPELINING" "UIDL";
  smtp_capabilities "SIZE 31457280" ENHANCEDSTATUSCODES 8BITMIME DSN;
  ssl_certificate /path/to/cert.crt;
  ssl_certificate_key /path/to/privkey.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  ssl_prefer_server_ciphers on;
  error_log /var/log/nginx/mailerror.log info;
  xclient on;

#                       POP3                            #
  server {
    listen 143;
    protocol imap;
    starttls on;
    imap_auth plain login;
    auth_http_header X-Auth-Port 143;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
  }
  server {
    protocol pop3;
    listen 110;
    starttls on;
    pop3_auth plain;
    proxy on;
    auth_http_header X-Auth-Port 110;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
  }

#                       IMAP                            #

  server {
    listen 993;
    ssl on;
    protocol imap;
    imap_auth plain login;
    auth_http_header X-Auth-Port 993;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
  }
  server {
    protocol pop3;
    listen 995;
    ssl on;
    pop3_auth plain;
    auth_http_header X-Auth-Port 995;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
  }

#                       SMTP                            #

server {
    listen    25;
    xclient off;
    protocol  smtp;
    starttls on;
    smtp_auth login plain cram-md5;
    auth_http_header X-Auth-Port 25;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
    auth_http_header X-Real-IP $remote_addr;
}
server {
    listen    587;
    xclient off;
    protocol  smtp;
    starttls on;
    smtp_auth login plain cram-md5;
    auth_http_header X-Auth-Port 587;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";

}
server {
    listen    465;
    xclient off;
    protocol  smtp;
    ssl on;
    smtp_auth login plain cram-md5;
    auth_http_header X-Auth-Port 465;
    auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";


}
Is this a configuration-related issue? How can I fix this?
Thank you very much!

Fabian
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

NGINX Mailproxy

fabianflu February 17, 2020 05:42AM

Re: NGINX Mailproxy

Maxim Dounin February 17, 2020 09:58AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 104
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready