SMTP AUTH with XCLIENT - impossible or just difficult?
mdounin at mdounin.ru
Fri Aug 6 05:56:38 MSD 2010
On Wed, Aug 04, 2010 at 08:02:29AM -0500, Karl Kraft wrote:
> I have been successful at using nginx as a front end to POP and
> IMAP servers to keep mailboxes spread across multiple machines.
> It also provided the added benefit of enabling SSL for privacy.
> I wrote a custom HTTP based authentication agent to direct to
> the proper mailbox, and everything seems to work great. Now I
> would like to do the same for SMTP connections, using nginx as
> both an SSL front end and director to my SMTP daemons.
> However, after implementing XCLIENT in the SMTP daemon, and
> adding a simple configuration to nginx, all is not well. After
> working my way through the mailing list and trying several
> configurations, I am left thinking that XCLIENT with
> authentication simply does not work. Has anyone ever managed to
> get this to work?
> SN: 220 explorer.karlkraft.com. - explorer.karlkraft.com
> (NFSmtp/2006q2.1) Authorized network 10.10.0.0/255.255.0.0
> NS: EHLO veyron.karlkraft.com
> SN: 250-/10.10.10.104
> SN: 250-EXPN
> SN: 250-NAME ADDR PROTO HELO
> SN: 250-SIZE
> SN: 250-AUTH CRAM-MD5 PLAIN
> SN: 250 HELP
Here the actual problem happens. nginx doesn't really understand
multiline SMTP replies, but usually handles them nicely once they
happen to be in a single TCP packet.
Most likely your TCP daemon sends the EHLO reply in multiple packets.
This isn't good from a performance point of view, but it should
be supported anyway. Try the attached patch.
> The only way I am able to get close to a working connection is
> with the following two conditions:
> Turn XCLIENT off - this of course makes it impossible for the
> back end server to know the authenticated username or source IP
> Client must send HELO instead of EHLO - controlling all the
> clients is out of the question.
While XCLIENT is mostly unrelated, it forces nginx to use ESMTP
with the backend, i.e. to use EHLO. In your case the EHLO reply is a
multiline one and is split across multiple packets. This in turn causes all
the troubles (and the same thing happens if the client itself uses
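
The framing problem discussed in this message, as an added example that is not part of the original post, the attached patch, or nginx's source: a reader that treats any buffer ending in CRLF as a finished reply stops too early when a multiline EHLO reply arrives in two packets, while one that follows the `250-` / `250 ` continuation rule waits for the final line. The names `smtp_reply`, `naive_done`, `smtp_reply_code` and `chunks_until_done` are hypothetical, and `naive_done` is a simplified stand-in for a single-packet assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct { char buf[1024]; size_t len; } smtp_reply;

/* Naive check (simplified stand-in): "done" as soon as the data ends in CRLF. */
static int naive_done(const smtp_reply *r) {
    return r->len >= 2 && memcmp(r->buf + r->len - 2, "\r\n", 2) == 0;
}

/* Multiline-aware check: "250-text" continues, "250 text" or bare "250" ends the
 * reply. Returns the code when complete, 0 if more data is needed, -1 if malformed. */
static int smtp_reply_code(const smtp_reply *r) {
    size_t start = 0;
    for (size_t i = 0; i + 1 < r->len; i++) {
        if (r->buf[i] != '\r' || r->buf[i + 1] != '\n') continue;
        const unsigned char *l = (const unsigned char *)r->buf + start;
        size_t n = i - start;
        if (n < 3 || !isdigit(l[0]) || !isdigit(l[1]) || !isdigit(l[2])) return -1;
        if (n == 3 || l[3] == ' ') return 100 * (l[0] - '0') + 10 * (l[1] - '0') + (l[2] - '0');
        if (l[3] != '-') return -1;
        start = i + 2; i++;  /* continuation line: resume scanning after its CRLF */
    }
    return 0;
}

/* Append chunks as successive recv() calls would; return how many were consumed
 * before the chosen check reported a complete reply (0 = never, -1 = error). */
int chunks_until_done(const char *const *chunks, size_t count, int naive) {
    smtp_reply r = { .len = 0 };
    for (size_t c = 0; c < count; c++) {
        size_t n = strlen(chunks[c]);
        if (n > sizeof(r.buf) - r.len) return -1;   /* reply too large for buffer */
        memcpy(r.buf + r.len, chunks[c], n);
        r.len += n;
        int st = naive ? naive_done(&r) : smtp_reply_code(&r);
        if (st != 0) return st < 0 ? -1 : (int)(c + 1);
    }
    return 0;
}

/* EHLO reply lines from the transcript above; the packet boundary is constructed. */
const char *const EHLO_SPLIT[] = {
    "250-/10.10.10.104\r\n250-EXPN\r\n250-NAME ADDR PROTO HELO\r\n",
    "250-SIZE\r\n250-AUTH CRAM-MD5 PLAIN\r\n250 HELP\r\n",
};

int main(void) {
    printf("naive=%d framed=%d\n", chunks_until_done(EHLO_SPLIT, 2, 1), chunks_until_done(EHLO_SPLIT, 2, 0));
    return 0;
}
```

With the naive check the proxy would act on a reply that is still missing its `AUTH` line; the framed check consumes both chunks before reporting code 250.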