DNSBL with mail proxy

Pat Suwalski pat at suwalski.net
Thu Mar 31 05:23:24 UTC 2016


I started using nginx as a proxy for incoming mail, for DDoS protection 
and hiding of origin.

I have it set up as follows:

mail {
         server_name foo.bar.com;
         auth_http localhost:8080/auth-smtppass.php;

         server {
                 listen 25;
                 protocol smtp;
                 proxy on;
                 timeout 5s;
                 xclient off;
                 smtp_auth none;

And then I have a location handler that tells it where to actually go:

         location ~ .php$ {
                 add_header Auth-Server;
                 add_header Auth-Port 25;
                 return 200;

This works great, except that the real mail server ( in 
this example) doesn't see where the mail is actually coming from, and 
therefore loses its ability to apply the DNSBL.

One obvious way to use the DNSBL would be to have an actual auth script 
that does the DNSBL checking. However, it's really nice to have it all 
handled without calling out to php or perl.

I could also have a local postfix that does nothing but DNSBL and relay 
to the real server, but that seems like just another layer of complication.

Anyone have any creative ideas on how this could be implemented right in 
nginx? Maybe someone's written an auth script that does DNSBL?


More information about the nginx mailing list