[PATCH] Mail: allow auth to the proxy without auth to the backend

Maxim Dounin mdounin at mdounin.ru
Tue Sep 19 16:34:45 UTC 2023


On Tue, Sep 19, 2023 at 12:28:49PM +0200, Arnout Engelen wrote:

> # HG changeset patch
> # User Arnout Engelen <arnout at bzzt.net>
> # Date 1695027670 -7200
> #      Mon Sep 18 11:01:10 2023 +0200
> # Node ID 9606e589b9537495c0457383048ac6888be0e7b4
> # Parent  daf8f5ba23d8e9955b22782d945f9c065f4b6baa
> Mail: allow auth to the proxy without auth to the backend
> Currently, when the client authenticates itself to the nginx
> mail proxy, the mail proxy also authenticates itself to the
> backend.
> I encountered a situation where I wanted the proxy to require
> authentication, and forward the mail to a (local/firewalled)
> mailserver that does not have authentication configured. I
> created the patch below to support that.
> I'm providing this patch primarily for feedback at this point:
> while it does work for my scenario and pass the nginx-tests,
> it likely needs additional cleanup and testing. I'd like your
> thoughs on whether this change makes sense in the first place,
> and whether this is generally a reasonable approach - if so I'll
> clean up the patch further.
> My approach is to allow the authentication server to return a
> 'Auth-Method: none' header, in which case the proxy will not
> attempt to authenticate to the backend but instead wait for
> the 'MAIL FROM' from the client.
> You'll notice I've added a 'proxy_auth_method'. The reason I didn't
> overwrite 'auth_method' is that 'auth_method' is also used to determine
> whether to confirm the authentication to the client. Is that acceptable
> from a binary compatibility perspective?
> Looking forward to hearing your thoughts!

>From the description it is not clear why "proxy_smtp_auth off;" 
(which is the default and implies that nginx won't try to 
authenticate against SMTP backends) does not work for you.  Could 
you please elaborate?


Maxim Dounin

More information about the nginx-devel mailing list