Simple SMTP proxy without an auth (pass AUTH command to backend)

Francis Daly francis at daoine.org
Tue Sep 29 22:32:31 UTC 2020


On Tue, Sep 29, 2020 at 11:24:14AM -0400, kay wrote:

Hi there,

> I'd like to use nginx to serve TLS and/or StartTLS connections only, the
> rest must be "proxy passed" without a modification to the backend.

"TLS-only" might work if you use "stream" rather than "mail", so that
nginx is the TLS-termination of an otherwise-opaque stream of traffic.

The rest of what you describe does not appear to match the nginx "smtp
proxy" model (which is, briefly, a tcp connection is authenticated and
then blindly forwarded to a back-end ip:port).

> Unfortunately I noticed
> https://www.ruby-forum.com/t/nginx-does-not-pass-smtp-auth-command-to-server/184290
> topic, where Maxim Dounin mentioned that it is impossible. That was 10 years
> ago, probably now the situation is changed? Is there an option, which I can
> use to pass the AUTH command?

I don't think so, no.

Probably no-one cared enough about this feature to design and implement
something in nginx; instead they either changed their own design to fit
the nginx model, or they used something other than nginx.

> P.S. Side question, I'd like to use a hostname in Auth-Server header:
> 
> location = /mail/auth {
>     add_header Auth-Status OK;
>     add_header Auth-Server hostname;
>     add_header Auth-Port   8025;
>     return 204;
> }
> 
> but nginx doesn't allow to do this. Is there an option or a workaround for
> this?

Option - no, not today.

Workaround - in that location{}, do something dynamic to learn the IP
address that you want this smtp connection to be passed to, and send
that IP address in the header.

*Someone* has to turn the hostname into an IP address. The nginx mail
proxy protocol is that "the server" does that, not "the client".

Possibly a patch to change that would be accepted, if it is shown to be
reliable and an improvement on what is there now.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
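
The workaround described above, as an added example that is not part of the original message or of nginx: a small auth_http endpoint that resolves the backend hostname itself and returns the IP address in Auth-Server, failing closed when resolution fails. The hostname `smtp-backend.example.internal`, the listen address 127.0.0.1:9000 and the `auth_headers` helper are assumptions made for illustration; the port 8025 is taken from the quoted config.

```python
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKEND_HOST = "smtp-backend.example.internal"  # assumed placeholder hostname
BACKEND_PORT = 8025                             # Auth-Port from the quoted config
FAIL = [("Auth-Status", "Temporary server problem, try again later"),
        ("Auth-Error-Code", "451 4.3.0")]       # SMTP reply code used on error

def auth_headers(host, port, resolve=socket.getaddrinfo):
    """Return auth_http response headers with the hostname resolved to an IP."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except OSError:                             # socket.gaierror is an OSError
        return list(FAIL)                       # fail closed: no Auth-Server sent
    if not infos:
        return list(FAIL)
    # Prefer an IPv4 result so the choice is stable; otherwise take the first.
    infos = sorted(infos, key=lambda info: info[0] != socket.AF_INET)
    ip = infos[0][4][0]                         # sockaddr tuple starts with the IP
    return [("Auth-Status", "OK"), ("Auth-Server", ip), ("Auth-Port", str(port))]

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Like the quoted location{}, this checks no credentials; it only routes.
        self.send_response(200)
        for name, value in auth_headers(BACKEND_HOST, BACKEND_PORT):
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

if __name__ == "__main__":
    # nginx would point auth_http at this address (port 9000 is an assumption).
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```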

