How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?

cyang at cyang at
Thu Jun 21 19:47:50 UTC 2018

I run Postfix 3.3.1 & Nginx 1.15.0

Both work great.

I'm beginning to experiment with putting Postfix (and eventually other) server behind Nginx (v 1.15.0) setup as a mail (SMTP) proxy.

Without the proxy, Postfix logs show an inbound connection to my real IP

	Jun 21 12:12:31 mailprox postfix/postscreen[55634]: CONNECT from []:43757 to []:25

The way nginx gets configured for smtp proxy, even if I'm *NOT* doing any auth is to direct the connection to a "fake" auth_http destination,

	mail {
	http {
		server {
		location ~ .php$ {
			add_header Auth-Server;
			add_header Auth-Port 33025;
			return 200;

Switching over, the proxy is set up to listen on the real IP


and passes to Postfix's postscreen which using the config above is listening on


What I see in the Postfix log is

	Jun 21 12:10:12 mailprox postfix/postscreen[55329]: CONNECT from []:31460 to []:33025
	Jun 21 12:10:12 mailprox postfix/postscreen[55329]: WHITELISTED []:31460

Mail does get delivered but postscreen is whitelisting the IP of the proxy,, and not using the real IP.

I need to somehow pass the Real-IP through to postscreen, and anything further downstream that'll need it.

For web server proxying I'd pass something like




to a downstream webserver listener.

What do I need for Postfix/Postscreen to correctly 'see' the Real IP?

A header added to the nginx config?  Some additional code in the auth_http? Something else?



More information about the nginx mailing list