[PATCH] Mail: allow auth to the proxy without auth to the backend

Maxim Dounin mdounin at mdounin.ru
Tue Sep 19 16:34:45 UTC 2023


Hello!

On Tue, Sep 19, 2023 at 12:28:49PM +0200, Arnout Engelen wrote:

> # HG changeset patch
> # User Arnout Engelen <arnout at bzzt.net>
> # Date 1695027670 -7200
> #      Mon Sep 18 11:01:10 2023 +0200
> # Node ID 9606e589b9537495c0457383048ac6888be0e7b4
> # Parent  daf8f5ba23d8e9955b22782d945f9c065f4b6baa
> Mail: allow auth to the proxy without auth to the backend
> 
> Currently, when the client authenticates itself to the nginx
> mail proxy, the mail proxy also authenticates itself to the
> backend.
> 
> I encountered a situation where I wanted the proxy to require
> authentication, and forward the mail to a (local/firewalled)
> mailserver that does not have authentication configured. I
> created the patch below to support that.
> 
> I'm providing this patch primarily for feedback at this point:
> while it does work for my scenario and pass the nginx-tests,
> it likely needs additional cleanup and testing. I'd like your
> thoughts on whether this change makes sense in the first place,
> and whether this is generally a reasonable approach - if so I'll
> clean up the patch further.
> 
> My approach is to allow the authentication server to return a
> 'Auth-Method: none' header, in which case the proxy will not
> attempt to authenticate to the backend but instead wait for
> the 'MAIL FROM' from the client.
> 
> You'll notice I've added a 'proxy_auth_method'. The reason I didn't
> overwrite 'auth_method' is that 'auth_method' is also used to determine
> whether to confirm the authentication to the client. Is that acceptable
> from a binary compatibility perspective?
> 
> Looking forward to hearing your thoughts!

From the description it is not clear why "proxy_smtp_auth off;" 
(which is the default and implies that nginx won't try to 
authenticate against SMTP backends) does not work for you.  Could 
you please elaborate?

[...]

-- 
Maxim Dounin
http://mdounin.ru/

