Welcome! Log In Create A New Profile

Advanced

SMTP proxy and authentication on backend

Fabio Grasso
May 04, 2020 05:30AM
Hello there,
I'm new to this mailing list, so hi everybody ;-)

I'm implementing a mail proxy based on nginx. I wrote an
authentication backend in LUA and it works fine.

With IMAP I've no problem, everything works fine.

With SMTP I'm facing the well noted "limitation" about the
authentication on the backend. I know that nginx doesn't pass username
and password when proxying SMTP connection (unlike what happens with
POP3 / IMAP) and this is creating problems for me.
My SMTP server is based on HCL Domino, I can configure it for accept
connections from nginx without relay check but this still creates a
security problem for me: I cannot prevent someone from sending e-mails
by declaring a sender other than the one they logged in with
(spoofing).

From what I understand the only thing that supports nginx is XCLIENT,
which however is not supported by HCL Domino (from what I found it
seems that it is supported only by postfix and derivatives).

I'm a bit surprised that nginx doesn't support autentication on SMTP
backend (at least with an option for enable or disable it), since this
limitation was reported 10 years ago (i.e. I've found this message:
http://mailman.nginx.org/pipermail/nginx/2010-February/019029.html)

I'm looking for solution and so I'm asking you if you have any suggestions.

I was thinking about two main option:

1) insert a postfix between my reverse proxy and my mail server. But
this will add some complexity and another (useless) hop.
Moreover I need to manage somehow sorting mail on postfix by domain
(the one that sends my authentication server in the Auth-Server /
Auth-Port header). Is there any way to pass this information to
postfix, for example by including it in XCLIENT?
I see that XCLIENT also supports DESTADDR and DESTPORT as attributes,
but it doesn't seem to me that there is any way to set nginx to use
them

2) I found some "patches" for nginx that add this functionality, for example:

https://github.com/guyguy333/nginx/commit/09ac17efa8cc28bf758d03ddafbccea663fa4779
https://github.com/Zauberzeilen/nginx-with-backend-smtp-auth


Are there experiences on this? Can they be considered stable?

It is not a problem to compile nginx with these changes, what worries
me however is that any changes in the source in the future may not
work with this patch and in fact risk of limiting myself the
possibility of keeping the version of nginx updated (with all the
consequences in case of major security patches)

Files touched are not so frequently changed on official nginx code:
src/mail/ngx_mail.h and src/mail/ngx_mail_proxy_module.c have the
last commit 5 years ago, but obviously I have no guarantee that they
will not be changed in the future...

2bis) this is a curiosity: why were these patches never included in
the nginx code?
I see that the I'm not the only one facing this limitation, there are
a lot of reference, like these:
http://mailman.nginx.org/pipermail/nginx/2008-April/004234.html
https://www.ruby-forum.com/topic/1045106
http://mailman.nginx.org/pipermail/nginx/2010-February/019028.html
http://mailman.nginx.org/pipermail/nginx/2010-April/020027.html
http://mailman.nginx.org/pipermail/nginx/2010-November/023555.html
http://mailman.nginx.org/pipermail/nginx-devel/2012-April/002074.html


Anyone has expierience with this? How have you solved?

Thanks,
Fabio
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

SMTP proxy and authentication on backend

Fabio Grasso May 04, 2020 05:30AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 74
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready