smtps mail proxy
nginx-forum at nginx.us
Fri Jan 23 15:11:50 UTC 2015
Hello,
I seek advice on configuring nginx as a mail proxy.
PREMISES
The existing system is based upon postfix and dovecot.
The system delivers "n" virtual domains, say, mx.example_1.org,
mx.example_2.org, ..., mx.example_n.org, all behind a single IP.
There is no "shared" (Subject Alternative Name) certificate, because adding
or releasing a domain would require a new shared certificate, revoking the
old one, and taxing the other domains for the novelty.---I refer to SAN
certs as "condocerts" (condominium certificates): feel free to use the term
yourself.---
We are not a condo, and therefore, each domain carries its own set of TLS
certificates, managed autonomously.
Dovecot manages its side of things nicely, with
- per-domain "mail_location",
- per-domain password database,
- per-domain TLS certificates,
- SNI [http://wiki2.dovecot.org/SSL/SNIClientSupport].
Client authentication is entirely delegated to dovecot;
postfix uses SASL to dovecot's unix socket.
PROBLEM
Postfix does not support SNI.
OUR AIM
Our aim is to add SNI to port 465 (postfix) using nginx as transparent mail proxy.
The following is a mock-up configuration.
mail {
    proxy on;
    proxy_pass_error_message on;
    proxy_buffer 4k; # 4k|8k
    proxy_timeout 24h;
    xclient on; # http://www.postfix.org/XCLIENT_README.html
    ssl_dhparam /etc/vmail/dh2048;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # SNI supported
    ssl_ciphers DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:MAIL:10m;
    #ssl_session_timeout =
    #smtp_capabilities ...; # pass through wanted <-------
    #smtp_auth ...; # pass through wanted <-------
    server {
        listen 465;
        protocol smtp;
        ssl on;
        timeout 5s;
        server_name mx.example_1.org;
        #ssl_password_file /etc/vmail/example_1.org/passdb_keys; # to read .key certificates
        ssl_certificate /etc/vmail/example_1.org/ssl/mx.crt;
        ssl_certificate_key /etc/vmail/example_1.org/ssl/mx.key;
    }
    server {
        listen 465;
        protocol smtp;
        ssl on;
        timeout 5s;
        server_name mx.example_2.org;
        #ssl_password_file /etc/vmail/example_2.org/passdb_keys;
        ssl_certificate /etc/vmail/example_2.org/ssl/mx.crt;
        ssl_certificate_key /etc/vmail/example_2.org/ssl/mx.key;
    }
    # ...
    server {
        listen 465;
        protocol smtp;
        ssl on;
        timeout 5s;
        server_name mx.example_n.org;
        #ssl_password_file /etc/vmail/example_n.org/passdb_keys;
        ssl_certificate /etc/vmail/example_n.org/ssl/mx.crt;
        ssl_certificate_key /etc/vmail/example_n.org/ssl/mx.key;
    }
}
OPEN QUESTIONS
1. It is not clear how nginx would talk to postfix. One would expect the
proxy to serve on port, say, 4650, being the port exposed by the router,
masking postfix on port 465, but nginx does not seem to have a relevant
configuration clause.
2. Nginx refuses to start up, demanding "auth_http". However, we do not need
to move authentication to nginx. What we need is a transparent proxy: nginx
should listen to dovecot's unix socket, just like postfix does.
Thank you for your advice, if any.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256248,256248#msg-256248
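The auth_http responder that the nginx mail proxy consults on every connection, as an added example that is not part of the original post: nginx sends the Auth-* headers shown below and proxies the session to whatever Auth-Server/Auth-Port the responder returns, so this is where the backend address and the per-domain credential check live. Assumptions: a constructed per-domain password table, users of the form local@domain, and a placeholder postfix address of 127.0.0.1:10465.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer


def _pbkdf2(password: str, salt: str) -> str:
    """PBKDF2-HMAC-SHA256 hex digest; stands in for a real password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


# Constructed per-domain password database (assumption: one table per virtual
# domain, mirroring the per-domain passdb the post describes).
PASSDB = {
    "example_1.org": {"alice": ("salt1", _pbkdf2("correct horse", "salt1"))},
    "example_2.org": {"bob": ("salt2", _pbkdf2("battery staple", "salt2"))},
}
# Assumed (placeholder) address of the real postfix instance behind the proxy.
BACKEND_HOST, BACKEND_PORT = "127.0.0.1", "10465"
# Failure reply: generic message, 3 s client delay, SMTP 535 auth-failed code.
FAIL = {"Auth-Status": "Invalid login or password", "Auth-Wait": "3",
        "Auth-Error-Code": "535 5.7.8"}


def handle_auth(hdr: dict) -> dict:
    """Map the request headers nginx sends (Auth-Method, Auth-User, Auth-Pass,
    Auth-Protocol, ...) to the response headers nginx expects back."""
    if hdr.get("Auth-Protocol") != "smtp" or hdr.get("Auth-Method") not in ("plain", "login"):
        return FAIL  # no unauthenticated relaying through the submission proxy
    local, _, domain = hdr.get("Auth-User", "").partition("@")
    entry = PASSDB.get(domain, {}).get(local)
    if entry is None:
        _pbkdf2(hdr.get("Auth-Pass", ""), "dummy")  # equalise timing for unknown users
        return FAIL
    salt, expected = entry
    if not hmac.compare_digest(_pbkdf2(hdr.get("Auth-Pass", ""), salt), expected):
        return FAIL
    return {"Auth-Status": "OK", "Auth-Server": BACKEND_HOST, "Auth-Port": BACKEND_PORT}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        resp = handle_auth(dict(self.headers.items()))  # header names as nginx sends them
        self.send_response(200)
        for name, value in resp.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep Auth-User/Auth-Pass out of stderr


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Point `auth_http 127.0.0.1:9000/auth;` inside the mail block at this responder; nginx then never needs to speak to dovecot's socket itself.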