Nginx as reverse proxy mail server host
Francis Daly
francis at daoine.org
Sat Jul 4 08:23:54 UTC 2020
On Fri, Jul 03, 2020 at 08:38:09AM -0400, siva.pannier wrote:
Hi there,
> My understanding from your suggestions is that you do not want me to make
> any corrections on the client code. I just need to make corrections on the
> Nginx configuration as per the blog link.
Not quite, no.
You need to know which of the smtp-involving-ssl protocols you want your
client to speak.
You need to know which of the smtp-involving-ssl protocols your upstream
server speaks.
Then you decide how (and whether) to configure nginx to translate between
the two.
From your report, your client already works with nginx using stream{}
and no ssl, because your client uses smtp+starttls and your upstream
server uses smtp+starttls.
So maybe there is nothing that you need to change.
> I am trying to understand that blog, going through again and again. So far I
> understand that it creates a SSL layer first through which it accepts the
> client request.
Maybe.
That document describes multiple possible ways of configuring things.
You will want to use exactly one way.
If you use the nginx mail{} with "ssl on", then what you suggest is
correct.
If you do not use "ssl on", then it is not correct.
> Client should point to my proxy host and one of the ports
> listed under "mail{... }". Proxy server identifies the upstream host based
> on the username that came from the client request. Then the call is routed to
> actual upstream host based on the port. Please correct me if I am wrong
> anywhere.
When nginx is configured to proxy a message to an upstream server,
it needs to know which upstream server to talk to.
If you use nginx stream{}, you configure the upstream using proxy_pass. If
you use nginx mail{}, as this document does, you configure the upstream
indirectly using auth_http. auth_http refers to a http url that is
expected to return an indication of which server:port the connection
should be proxied to. How it does that is up to you to write -- maybe
it differs per user and per port; maybe it always gives the same response.
> My questions are
> 1) Significance of this line "auth_http
> localhost:9000/cgi-bin/nginxauth.cgi;" is just to have my own authorization
> logic and return the valid upstream server host based on the username. Is it
> correct?
http://nginx.org/r/auth_http
> 2) I want to know what does this mean "smtp_auth login plain cram-md5;".
> Does the connection to actual upstream happen here?
http://nginx.org/r/smtp_auth
The connection to upstream cannot happen until after nginx knows which
upstream to connect to. And that comes from the auth_http response. The
auth_http request includes the details provided by the client in response
to the smtp_auth "challenge".
> Please help me on this and also share links supporting the above
> configuration.
There is a lot of information at http://nginx.org/en/docs/
The "ngx_mail_*" modules are grouped together.
For a lot of this, if the documentation is unclear, you may be better
off building a test system and seeing what happens when you try things.
If that results in the unclear documentation being made clear, that
is good.
Good luck with it,
f
--
Francis Daly francis at daoine.org
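
Added example, not part of the original message or of the blog it discusses: a minimal auth_http endpoint of the kind described above, which nginx mail{} queries with Auth-* request headers and which answers with Auth-Status plus the upstream Auth-Server and Auth-Port. The user table, addresses, passwords and MAX_ATTEMPTS are constructed; only the plain and login methods are handled, and credentials are assumed to need no decoding.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: user -> (password, upstream IP, upstream port).
# Auth-Server has to be an IP address; nginx does not resolve hostnames here.
USERS = {
    "alice@example.com": ("s3cret-alice", "192.0.2.10", 25),
    "bob@example.org": ("s3cret-bob", "192.0.2.20", 587),
}
MAX_ATTEMPTS = 3  # assumption: drop the connection after the third failure


def decide(headers):
    """Map nginx's Auth-* request headers to Auth-* response headers."""
    def get(name):
        return headers.get(name, "")

    if get("Auth-Protocol") != "smtp" or get("Auth-Method") not in ("plain", "login"):
        return {"Auth-Status": "Unsupported protocol or method"}
    password, server, port = USERS.get(get("Auth-User"), ("", "", 0))
    # Compare even for unknown users; an empty server keeps them rejected.
    same = hmac.compare_digest(get("Auth-Pass").encode(), password.encode())
    if same and server:
        return {"Auth-Status": "OK", "Auth-Server": server, "Auth-Port": str(port)}
    reply = {"Auth-Status": "Invalid login or password"}
    attempt = get("Auth-Login-Attempt")
    # Auth-Wait lets the client retry on the same connection; without it
    # nginx returns the error and closes. Malformed counters fail closed.
    if attempt.isdigit() and int(attempt) < MAX_ATTEMPTS:
        reply["Auth-Wait"] = "3"
    return reply


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The HTTP status is always 200; the verdict travels in the headers.
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only: this endpoint receives client passwords in cleartext.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```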