[PATCH] Add proxy_protocol option to mail listener

Maxim Dounin mdounin at mdounin.ru
Tue Jul 11 15:12:03 UTC 2017


Hello!

On Fri, Jul 07, 2017 at 03:38:02PM +0200, Kees Bos wrote:

> # HG changeset patch
> # User Kees Bos <cornelis.bos at gmail.com>
> # Date 1499422505 0
> #      Fri Jul 07 10:15:05 2017 +0000
> # Node ID bc79b2baf494aabb889de1e5dbe3184ff0cb9bfa
> # Parent  70e65bf8dfd7a8d39aae8ac3a209d426e6947735
> Add proxy_protocol option to mail listener
> 
> Add support for the mail handlers. This enables the use of an upstream
> loadbalancer/proxy (like haproxy) that connects with the proxy protocol.
> 
> The original ip (as exposed with the proxy protocol) will be used as
> parameter for the 'Client-IP' in the authentication call.
> 
> Example config:
> mail {
>     server_name mail.example.com;
>     auth_http   localhost:9000/;
> 
>     server {
>         listen 143 proxy_protocol;
>         protocol imap;
>     }
> }

I see at least the following problems in this patch:

1. The implementation is not complete compared to other modules 
(http, stream): it only tries to change the address passed as 
Client-IP in auth_http, but not the address used for logging 
and/or for XCLIENT.

2. It unconditionally trusts all clients who can connect to the 
port in question.  This doesn't look wise.

Just for the reference, here is a review of an earlier attempt to 
introduce proxy_protocol support in the mail proxy:

http://mailman.nginx.org/pipermail/nginx-devel/2016-November/009084.html

[...]

> @@ -55,6 +56,7 @@
>      ngx_mail_conf_ctx_t    *ctx;
>      ngx_str_t               addr_text;
>      ngx_uint_t              ssl;    /* unsigned   ssl:1; */
> +    unsigned                proxy_protocol:1;

Note that "/* unsigned   ssl:1; */" comment here means that if we 
are going to add other bitfield options, the ssl field should be 
changed to appthis should be changed to appropriate bitfield.

[...]

-- 
Maxim Dounin
http://nginx.org/


More information about the nginx-devel mailing list