Re: Nginx as reverse proxy mail server host

Francis Daly
July 04, 2020 04:26AM
On Fri, Jul 03, 2020 at 08:38:09AM -0400, siva.pannier wrote:

Hi there,

> My understanding from your suggestions is that you do not want me to make
> any corrections on the client code. I just need to make corrections on the
> Nginx configuration as per the blog link.

Not quite, no.

You need to know which of the smtp-involving-ssl protocols you want your
client to speak.

You need to know which of the smtp-involving-ssl protocols your upstream
server speaks.

Then you decide how (and whether) to configure nginx to translate between
the two.

From your report, your client already works with nginx using stream{}
and no ssl, because your client uses smtp+starttls and your upstream
server uses smtp+starttls.

So maybe there is nothing that you need to change.

> I am trying to understand that blog, going through again and again. So far I
> understand that it creates an SSL layer first through which it accepts the
> client request.

Maybe.

That document describes multiple possible ways of configuring things.

You will want to use exactly one way.

If you use the nginx mail{} with "ssl on", then what you suggest is
correct.

If you do not use "ssl on", then it is not correct.

> Client should point to my proxy host and one of the ports
> listed under "mail{... }". Proxy server identifies the upstream host based
> on the username came from the client request. Then the call is routed to
> actual upstream host based on the port. Please correct me if I am wrong
> anywhere.

When nginx is configured to proxy a message to an upstream server,
it needs to know which upstream server to talk to.

If you use nginx stream{}, you configure the upstream using proxy_pass. If
you use nginx mail{}, as this document does, you configure the upstream
indirectly using auth_http. auth_http refers to a http url that is
expected to return an indication of which server:port the connection
should be proxied to. How it does that is up to you to write -- maybe
it differs per user and per port; maybe it always gives the same response.

> My questions are
> 1) Significance of this line "auth_http
> localhost:9000/cgi-bin/nginxauth.cgi;" is just to have my own authorization
> logic and return the valid upstream server host based on the username. Is it
> correct?

http://nginx.org/r/auth_http

> 2) I want to know what does this mean "smtp_auth login plain cram-md5;".
> Does the connection to actual upstream happen here?

http://nginx.org/r/smtp_auth

The connection to upstream cannot happen until after nginx knows which
upstream to connect to. And that comes from the auth_http response. The
auth_http request includes the details provided by the client in response
to the smtp_auth "challenge".

> Please help me on this and also share links supporting the above
> configuration.

There is a lot of information at http://nginx.org/en/docs/

The "ngx_mail_*" modules are grouped together.

For a lot of this, if the documentation is unclear, you may be better
off building a test system and seeing what happens when you try things.

If that results in the unclear documentation being made clear, that
is good.

Good luck with it,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
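
The auth_http step described in the reply above can be sketched as a small HTTP service. This is an added example, not part of the original post or of nginx itself: the header names follow nginx's documented auth_http protocol, while the users, passwords, upstream addresses and the `decide` helper are constructed for illustration, and only the plain/login methods are handled (cram-md5 sends a digest rather than the password).

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: user -> (password, upstream IP, upstream port).
# Auth-Server must be an IP address; nginx does not resolve names from it.
# A real service would check a hashed credential store instead.
USERS = {
    "alice@example.test": ("correct-horse", "192.0.2.10", 25),
    "bob@example.test": ("battery-staple", "192.0.2.20", 25),
}
ALLOWED_PROTOCOLS = {"smtp"}
# Fixed failure reply: nothing supplied by the client is echoed back.
DENY = {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}


def decide(headers):
    """Map nginx's Auth-* request headers to Auth-* response headers."""
    if headers.get("Auth-Protocol", "").lower() not in ALLOWED_PROTOCOLS:
        return dict(DENY)
    record = USERS.get(headers.get("Auth-User", ""))
    if record is None:
        return dict(DENY)
    password, server, port = record
    supplied = headers.get("Auth-Pass", "")
    # Constant-time comparison so timing does not leak how much matched.
    if not hmac.compare_digest(supplied.encode(), password.encode()):
        return dict(DENY)
    return {"Auth-Status": "OK", "Auth-Server": server, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Success and failure are both reported through response headers.
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only: this endpoint decides where mail connections are routed.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

With this running, `auth_http localhost:9000/;` in the mail{} block would send each client's credentials here, and nginx would open the upstream connection only after an `Auth-Status: OK` reply.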