Feature requests

Christian Rößner christian at roessner.email
Sat Oct 30 09:25:23 UTC 2021


Hello,

some preliminary information:

I started using Nginx as proxy for mail. Currently I have the following setup:

nginx.conf: mail { }
-----------------------------------------------------------------------------
server_name mail.roessner-net.de;
auth_http http://localhost.localdomain:8180/authmail;

proxy_pass_error_message on;

ssl_certificate /etc/ssl/letsencrypt/cert/star.roessner-net.de-fullchain.crt;
ssl_certificate_key /etc/ssl/letsencrypt/private/star.roessner-net.de.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

imap_capabilities "IMAP4rev1" "LITERAL+" "SASL-IR" "LOGIN-REFERRALS" "ID" "ENABLE" "IDLE" "NAMESPACE";
smtp_capabilities "SIZE 104857600" ENHANCEDSTATUSCODES 8BITMIME DSN SMTPUTF8 CHUNKING;

resolver 127.0.0.1;

server {
    listen 127.0.0.1:465 ssl;
    listen 192.168.0.2:465 ssl;
    listen 134.255.226.248:465 ssl;
    listen [::1]:465 ssl;
    listen [2a05:bec0:28:1:134:255:226:248]:465 ssl;
    protocol smtp;
    xclient on;
    smtp_auth login plain;
    error_log /var/log/nginx/smtp.log info;
    auth_http_header X-Auth-Port "465";
}

server {
    listen 127.0.0.1:587;
    listen 192.168.0.2:587;
    listen 134.255.226.248:587;
    listen [::1]:587;
    listen [2a05:bec0:28:1:134:255:226:248]:587;
    protocol smtp;
    xclient on;
    smtp_auth login plain;
    starttls on;
    error_log /var/log/nginx/smtp.log info;
    auth_http_header X-Auth-Port "587";
}

server {
    listen 127.0.0.1:143;
    listen 192.168.0.2:143;
    listen 134.255.226.248:143;
    listen [::1]:143;
    listen [2a05:bec0:28:1:134:255:226:248]:143;
    protocol imap;
    #proxy_protocol on;
    imap_auth login plain;
    starttls on;
    error_log /var/log/nginx/imap.log info;
    auth_http_header X-Auth-Port "143";
}

server {
    listen 127.0.0.1:993 ssl;
    listen 192.168.0.2:993 ssl;
    listen 134.255.226.248:993 ssl;
    listen [::1]:993 ssl;
    listen [2a05:bec0:28:1:134:255:226:248]:993 ssl;
    protocol imap;
    #proxy_protocol on;
    imap_auth login plain;
    error_log /var/log/nginx/imap.log info;
    auth_http_header X-Auth-Port "993";
}
-----------------------------------------------------------------------------

I started an open source proof of concept auth server project here:

https://gitlab.roessner-net.de/croessner/authserv

It uses the auth header to authenticate to an OpenLDAP server and replies with the required server and port information.

This works very nicely by using a stunnel.conf between Nginx and the main mail server backends:

-----------------------------------------------------------------------------
[imaps]
accept = 127.0.0.1:9931
client = yes
connect = mail.roessner-net.de:9932
cert = /etc/ssl/letsencrypt/cert/star.roessner-net.de-fullchain.crt
key = /etc/ssl/letsencrypt/private/star.roessner-net.de.key
CAfile = /etc/pki/tls/certs/ca-bundle.crt
verify = 2

[submission]
accept = 127.0.0.1:5871
client = yes
connect = 127.0.0.1:5872
cert = /etc/ssl/letsencrypt/cert/star.roessner-net.de-fullchain.crt
key = /etc/ssl/letsencrypt/private/star.roessner-net.de.key
CAfile = /etc/pki/tls/certs/ca-bundle.crt
verify = 2
-----------------------------------------------------------------------------

So the mechanism is: Clients connect to Nginx. That authenticates plain with the help of the authserv process. Retrieves information and connects plain again to stunnel which in turn connects TLS to the backends. (I know that I currently use all this on a single system, but I evaluate it for distributed systems in different firewall zones).


Now come my questions :-)

1. It would really be awesome if someone could implement auth_http in such a way that it also accepts https.

2. It would also be very nice if the server {} blocks could use a client SSL certificate to their backends. Why is this important? If I want to speak haproxy with Dovecot, the connection must be secured. Otherwise the Dovecot server does not accept the login process from Nginx. With the current implementation, it is not possible to keep the original source address and source port of the clients outside. For Postfix servers it works in plain, but it requires setting the SASL security options so that it accepts plain-text auth, even when using XCLIENT here.

Summary for the request:

1. Having SSL for auth_http, example: auth_http https://some.auth.serv:443/authmail
2. Have client SSL from server{} to the backend so that the HAProxy protocol works.

I know that there are not many people yet using Nginx as a proxy for mail, but I guess that might change if the missing security features existed. My part is to enhance the authserv project so people can use it if they want. It's really at the beginning.

Thanks a lot for reading and I thank you in advance.

Christian 
-- 
Rößner-Network-Solutions
Zertifizierter ITSiBe / CISO
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5 
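The auth_http exchange the post describes, as an added example that is not the authserv project's code: a minimal Python auth server that reads the Auth-* headers nginx sends together with the X-Auth-Port header set in the mail{} config above, checks the credentials against a constructed user store, and replies with Auth-Status/Auth-Server/Auth-Port (or Auth-Wait on failure). The backend addresses reuse the stunnel listeners from the post; the user store and the listen port 8180 mapping are assumptions.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed sample user store: user -> (salt, sha256(salt + password)). Not a real account.
def _hash(salt: bytes, pw: str) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()

USERS = {"alice@example.test": (b"s1", _hash(b"s1", "correct horse"))}

# (protocol, X-Auth-Port from the nginx server{} block) -> stunnel listener from the post.
BACKENDS = {
    ("imap", "143"): ("127.0.0.1", "9931"),
    ("imap", "993"): ("127.0.0.1", "9931"),
    ("smtp", "465"): ("127.0.0.1", "5871"),
    ("smtp", "587"): ("127.0.0.1", "5871"),
}

def authenticate(hdr: dict) -> dict:
    """nginx auth_http contract: map the Auth-* request headers (keys lowercased)
    to the response headers nginx expects. nginx URI-escapes user and password."""
    method = hdr.get("auth-method", "")
    proto = hdr.get("auth-protocol", "")
    user = unquote(hdr.get("auth-user", ""))
    pw = unquote(hdr.get("auth-pass", ""))
    port = hdr.get("x-auth-port", "")
    ok = False
    if method in ("plain", "login") and user in USERS:
        salt, digest = USERS[user]
        ok = hmac.compare_digest(_hash(salt, pw), digest)  # constant-time compare
    backend = BACKENDS.get((proto, port))
    if not ok or backend is None:
        # Reject and tell nginx to wait 3 s before reporting the error to the client.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    return {"Auth-Status": "OK", "Auth-Server": backend[0], "Auth-Port": backend[1]}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        resp = authenticate({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)  # nginx reads the verdict from Auth-Status, not the HTTP code
        for key, value in resp.items():
            self.send_header(key, value)
        self.end_headers()

if __name__ == "__main__":
    # Matches the auth_http URL in the post (assumed to be served on plain HTTP).
    HTTPServer(("127.0.0.1", 8180), AuthHandler).serve_forever()
```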


