<html>Hello<br /><br />I am trying to use nginx as a reverse mail proxy for multiple mail servers.<br />Whenever a client connects to the nginx mail proxy via STARTTLS or SSL, nginx passes a malformed LOGIN packet to the backend mail server, for example:<br />(nginx = nginx, mails = backend mail server; in the first case MailEnable, in the second case Dovecot)<br /><br />nginx>5 LOGIN {18}<br />mails>+ go ahead<br />nginx>user@domain.tld {8}<br />mails>+ go ahead<br />nginx>PASSWORD<br />mails>BAD UNKNOWN Command<br /><br />nginx>3 LOGIN {17}<br />mails> + OK<br />nginx> user@domain.tld {8}<br />mails> + OK<br />nginx>PASSWORD<br />mails>3 NO [AUTHENTICATIONFAILED] Authentication failed.<br /><br /><br />As you can see, nginx adds a suffix to the username, which makes the backend server fail. Wireshark displays this additional data as {number}; I can also provide the hex variant of the packets.<br />nginx also adds this suffix if the username is passed via the NGX auth header.<br />I've tested this with the nginx-full binary from the Ubuntu repositories, as well as with a self-compiled binary.<br /><br />Used configuration:<br /><br /><br /> server_name server.domain.tld;<br /> auth_http url;<br /> proxy on;<br /> proxy_pass_error_message on;<br /> imap_capabilities "IMAP4rev1" "UIDPLUS" "IDLE" "LITERAL +" "QUOTA" "SASL-IR" "ID" "ENABLE";<br /> pop3_auth plain apop;<br /> pop3_capabilities "LAST" "TOP" "USER" "PIPELINING" "UIDL";<br /> smtp_capabilities "SIZE 31457280" ENHANCEDSTATUSCODES 8BITMIME DSN;<br /> ssl_certificate /path/to/cert.crt;<br /> ssl_certificate_key /path/to/privkey.key;<br /> ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE<br /> ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;<br /> ssl_prefer_server_ciphers on;<br /> error_log /var/log/nginx/mailerror.log info;<br /> xclient
on;<br /><br /># POP3 #<br /> server {<br /> listen 143;<br /> protocol imap;<br /> starttls on;<br /> imap_auth plain login;<br /> auth_http_header X-Auth-Port 143;<br /> auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";<br /> }<br /> server {<br /> protocol pop3;<br /> listen 110;<br /> starttls on;<br /> pop3_auth plain;<br /> proxy on;<br /> auth_http_header X-Auth-Port 110;<br /> auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";<br /> }<br /><br /># IMAP #<br /><br /> server {<br /> listen 993;<br /> ssl on;<br /> protocol imap;<br /> imap_auth plain login;<br /> auth_http_header X-Auth-Port 993;<br /> auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";<br /> }<br /> server {<br /> protocol pop3;<br /> listen 995;<br /> ssl on;<br /> pop3_auth plain;<br /> auth_http_header X-Auth-Port 995;<br /> auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";<br /> }<br /><br /># SMTP #<br /><br />server {<br /> listen 25;<br /> xclient off;<br /> protocol smtp;<br /> starttls on;<br /> smtp_auth login plain cram-md5;<br /> auth_http_header X-Auth-Port 25;<br /> auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";<br /> auth_http_header X-Real-IP $remote_addr;<br />}<br />server {<br /> listen 587;<br /> xclient off;<br /> protocol smtp;<br /> starttls on;<br /> smtp_auth login plain cram-md5;<br /> auth_http_header X-Auth-Port 587;<br /> auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";<br /><br />}<br />server {<br /> listen 465;<br /> xclient off;<br /> protocol smtp;<br /> ssl on;<br /> smtp_auth login plain cram-md5;<br /> auth_http_header X-Auth-Port 465;<br /> auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";<br /><br /><br />}<br />Is this a configuration-related issue? 
How can I fix this?<br />Thank you very much!<br /><br />Fabian</html>
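The `{n}` form in the capture above is IMAP literal syntax (RFC 3501, section 4.3): `{18}` announces that the next 18 octets are the username and the server's `+` continuation tells the sender to transmit them. The following is an added example, not code from the post or from nginx, that replays the proxy-side lines of such a capture through a small literal-aware backend emulator and reports any literal whose announced length does not match the bytes sent. `emulate_backend`, `proxy_login_lines` and the sample lines are constructed here, and the username in the post is assumed to be a placeholder, so its 18-octet announcement is not expected to match the 15-character placeholder.

```python
import re

# A trailing " {n}" announces that the next line carries an n-octet literal (RFC 3501 s4.3).
LINE_RE = re.compile(r"^(.*?)(?: \{(\d+)\})?$")

def proxy_login_lines(tag, user, password):
    """Build a LOGIN in the literal form seen in the capture (CRLF stripped, one wire line per item)."""
    return [f"{tag} LOGIN {{{len(user.encode())}}}",
            f"{user} {{{len(password.encode())}}}",
            password]

def emulate_backend(proxy_lines):
    """Replay the proxy->backend lines of an IMAP LOGIN through a literal-aware backend.

    Returns (replies, args, problems): the backend's answer to each line ("+ go ahead"
    while a literal is outstanding, then the tagged completion), the LOGIN arguments
    as assembled from literals and plain words, and (announced, actual) octet counts
    for every literal whose announced length does not match the bytes actually sent.
    """
    replies, args, problems = [], [], []
    expected = None  # octet count announced by the previous line, if any
    for line in proxy_lines:
        body, announced = LINE_RE.match(line).groups()
        if expected is None:
            words = body.split(" ")  # "<tag> LOGIN [user [password]]"
            tag = words[0]
            if len(words) < 2 or words[1].upper() != "LOGIN":
                replies.append(f"{tag} BAD Unknown command")
                break
            args.extend(words[2:])
        else:
            actual = len(body.encode())  # the whole body is the announced literal
            if actual != expected:
                problems.append((expected, actual))
            args.append(body)
        expected = int(announced) if announced else None
        if expected is not None:
            replies.append("+ go ahead")
        elif len(args) == 2:
            replies.append(f"{tag} OK LOGIN completed")
        else:
            replies.append(f"{tag} BAD LOGIN expects user and password")
    return replies, args, problems

if __name__ == "__main__":
    # Constructed replay of the first capture in the post (username placeholder as shown there).
    print(emulate_backend(["5 LOGIN {18}", "user@domain.tld {8}", "PASSWORD"]))
    print(emulate_backend(proxy_login_lines("a1", "user@domain.tld", "PASSWORD")))
    print(emulate_backend(["a2 LOGIN user@domain.tld PASSWORD"]))
```

The second and third replays show the literal form and the plain `LOGIN user password` form arriving as the same two arguments; only the placeholder username in the first replay trips the length check.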