Hello!
On Tue, Sep 19, 2023 at 12:28:49PM +0200, Arnout Engelen wrote:
> # HG changeset patch
> # User Arnout Engelen <arnout@bzzt.net>
> # Date 1695027670 -7200
> # Mon Sep 18 11:01:10 2023 +0200
> # Node ID 9606e589b9537495c0457383048ac6888be0e7b4
> # Parent daf8f5ba23d8e9955b22782d945f9c065f4b6baa
> Mail: allow auth to the proxy without auth to the backend
>
> Currently, when the client authenticates itself to the nginx
> mail proxy, the mail proxy also authenticates itself to the
> backend.
>
> I encountered a situation where I wanted the proxy to require
> authentication, and forward the mail to a (local/firewalled)
> mailserver that does not have authentication configured. I
> created the patch below to support that.
>
> I'm providing this patch primarily for feedback at this point:
> while it does work for my scenario and pass the nginx-tests,
> it likely needs additional cleanup and testing. I'd like your
> thoughts on whether this change makes sense in the first place,
> and whether this is generally a reasonable approach - if so I'll
> clean up the patch further.
>
> My approach is to allow the authentication server to return a
> 'Auth-Method: none' header, in which case the proxy will not
> attempt to authenticate to the backend but instead wait for
> the 'MAIL FROM' from the client.
>
> You'll notice I've added a 'proxy_auth_method'. The reason I didn't
> overwrite 'auth_method' is that 'auth_method' is also used to determine
> whether to confirm the authentication to the client. Is that acceptable
> from a binary compatibility perspective?
>
> Looking forward to hearing your thoughts!

From the description it is not clear why "proxy_smtp_auth off;"
(which is the default and implies that nginx won't try to
authenticate against SMTP backends) does not work for you. Could
you please elaborate?
[...]
--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
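
For the setup discussed above, where clients must authenticate to the proxy while "proxy_smtp_auth" stays off, this added example (not code from the thread or from nginx) shows the decision logic of an auth_http endpoint that verifies the client and returns only the backend address. The user table, backend address and function names are assumptions made for illustration.

```python
# Added example: decision logic for an nginx mail auth_http endpoint.
# Assumed nginx side: "smtp_auth login plain;", "proxy_smtp_auth off;" and
# "auth_http" pointing at the service that calls auth_response().
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash so that no plaintext password is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data: user -> (salt, PBKDF2-SHA256 hash).
USERS = {"alice": (b"constructed-salt", _hash("correct horse", b"constructed-salt"))}

# Assumed backend: a local, firewalled SMTP server without AUTH configured.
# nginx expects an IP address, not a hostname, in Auth-Server.
BACKEND = ("127.0.0.1", "2525")


def auth_response(request_headers: dict) -> dict:
    """Map the auth_http request headers sent by nginx to response headers.

    Assumes the header values have already been unescaped by the caller.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    deny = {
        "Auth-Status": "Invalid login or password",
        "Auth-Error-Code": "535 5.7.8",  # SMTP reply nginx relays to the client
        "Auth-Wait": "3",                # seconds before the client may retry
    }
    # Only credentialed SMTP logins are accepted.
    if h.get("auth-protocol") != "smtp" or h.get("auth-method") not in ("plain", "login"):
        return deny
    # Unknown users still cost one hash, so response time does not reveal
    # which accounts exist; the empty expected value can never match.
    salt, expected = USERS.get(h.get("auth-user", ""), (b"no-such-user", b""))
    candidate = _hash(h.get("auth-pass", ""), salt)
    if not hmac.compare_digest(candidate, expected):
        return deny
    # Success: return only the backend address. No Auth-User/Auth-Pass is
    # returned, because with proxy_smtp_auth off nginx sends no AUTH upstream.
    return {"Auth-Status": "OK", "Auth-Server": BACKEND[0], "Auth-Port": BACKEND[1]}
```
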