[PATCH] Mail: added PROXY PROTOCOL support

Maxim Dounin mdounin at mdounin.ru
Mon Jan 18 16:01:28 UTC 2021 

Hello!

On Sat, Jan 16, 2021 at 07:38:49PM +0300, Murad Mamedov wrote:

> First of all, ignore patch in first mail, I don't use mercurial on
> daily basis, and my neomutt screwed the patch. Second mail in thread
> contains just patch and it seems to be correct.
> 
> I wanted to address few other things on the subject. I started my way
> from
> http://mailman.nginx.org/pipermail/nginx-devel/2016-November/009083.html,
> however decisions done there I found incorrect. Author tried to jump
> right into XCLIENT from PROXY PROTOCOL. In proposed implementation proxy
> protocol is handled in the begining of connections. Since XCLIENT gets
> its address from ngx_connection_s, it will get automatically downstream
> provided address of client.
> 
> In the same thread, there was questions on how to deal with
> "real_ip_header" and "set_real_ip_from". As I mentioned in the original
> description to the patch, one may need these in case of HTTP protocol,
> which is very flexible, with tons of applications behind that may demand
> presense of real ip address in different places/headers. For ancient mail
> protocols, it is not the case. They are very strict, very few
> applications that implement it, probably Postfix, Exim and Dovecot be
> the only practical implementations. And they do support proxy protocol
> out of the box. So I could not find real reason to apply "real_ip"
> thing. With proposed implementation, it just worked out of the box, with
> minimum configuration. The only thing which could be added if need is
> the overriding of "destination address" of proxy protocol (i.e. address
> which client reached). For now I didn't see where it could be useful in
> mentioned above mail applications. Client address, yes, we do pass,
> server address ¯\_(ツ)_/¯, who cares.

The main problem the "real_ip thing" is expected to address is 
that whithout set_real_ip_from restricted set of addresses to 
accept IP address from you are open to IP spoofing.

Most recent relevant discussion about "why one should never trust 
X-Forwarded-For addresses and what to do with the fact that many 
don't understand it" can be found in the thread here:

http://mailman.nginx.org/pipermail/nginx/2021-January/060319.html

Mail proxying is indeed much simplier than http, yet the question 
is still here: how to ensure that "listen ... proxy_protocol;" is 
only configured to accept client IP addresses from trusted 
sources.

Blindly assuming that anyone who used "listen ... proxy_protocol;" 
in the configuration took care and restricted access to the 
listening socket in question on the network level might not be a 
good idea.  Especially given it works differently in both http and 
stream modules.  Rather, I would like to see it equivalent to how 
it is implemented in the stream module with "set_real_ip_from" 
(http://nginx.org/en/docs/stream/ngx_stream_realip_module.html).

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx-devel mailing list