How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?
cyang at 123mail.org
cyang at 123mail.org
Thu Jun 21 19:47:50 UTC 2018
I run Postfix 3.3.1 & Nginx 1.15.0
Both work great.
I'm beginning to experiment with putting Postfix (and eventually other) server behind Nginx (v 1.15.0) setup as a mail (SMTP) proxy.
Without the proxy, Postfix logs show an inbound connection to my real IP
Jun 21 12:12:31 mailprox postfix/postscreen[55634]: CONNECT from [74.125.142.27]:43757 to [192.0.2.1]:25
The way nginx gets configured for smtp proxy, even if I'm *NOT* doing any auth is to direct the connection to a "fake" auth_http destination,
mail {
...
auth_http 127.0.0.1:33001/dummy.php;
...
}
http {
...
server {
listen 127.0.0.1:33001;
...
location ~ .php$ {
add_header Auth-Server 127.0.0.1;
add_header Auth-Port 33025;
return 200;
}
...
}
Switching over, the proxy is set up to listen on the real IP
[192.0.2.1]:25
and passes to Postfix's postscreen which using the config above is listening on
[127.0.0.1]:33025
What I see in the Postfix log is
Jun 21 12:10:12 mailprox postfix/postscreen[55329]: CONNECT from [127.0.0.1]:31460 to [127.0.0.1]:33025
Jun 21 12:10:12 mailprox postfix/postscreen[55329]: WHITELISTED [127.0.0.1]:31460
Mail does get delivered but postscreen is whitelisting the IP of the proxy, 127.0.0.1, and not using the real IP.
I need to somehow pass the Real-IP through to postscreen, and anything further downstream that'll need it.
For web server proxying I'd pass something like
X-Forwarded-For
or
X-Real-IP
to a downstream webserver listener.
What do I need for Postfix/Postscreen to correctly 'see' the Real IP?
A header added to the nginx config? Some additional code in the auth_http? Something else?
Cheers!
Cy
More information about the nginx
mailing list