smtps mail proxy
nginx-forum at nginx.us
Fri Jan 23 15:11:50 UTC 2015
I seek advice on configuring nginx as a mail proxy.
The existing system is based upon postfix and dovecot.
The system delivers "n" virtual domains, say, mx.example_1.org,
mx.example_2.org, ..., mx.example_n.org, all behind a single IP.
There is no "shared" (Subject Alternative Name) certificate, because adding
or releasing a domain would require a new shared certificate, revoking the
old one, and taxing the other domains for the novelty. (I refer to SAN
certificates as "condocerts", condominium certificates: feel free to use the term.)
We are not a condo, and therefore each domain carries its own set of TLS
certificates, managed autonomously.
Dovecot manages its side of things nicely, with
- per-domain "mail_location",
- per-domain password database,
- per-domain TLS certificates,
- SNI [http://wiki2.dovecot.org/SSL/SNIClientSupport].
Client authentication is entirely delegated to dovecot;
postfix uses SASL to dovecot's unix socket.
Postfix does not support SNI.
Our aim is to add SNI to port 465 (postfix) using nginx as transparent mail
The following is a mock-up configuration.
mail {
    server {
        # enclosing mail/server block and the listen/protocol/ssl lines were
        # missing from the mock-up; directive bodies are as originally posted
        listen 465;
        protocol smtp;
        ssl on;                                  # implicit TLS on 465 (newer nginx: listen 465 ssl;)
        proxy_buffer 4k;                         # 4k|8k
        xclient on;                              # http://www.postfix.org/XCLIENT_README.html
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;     # SNI supported
        #smtp_capabilities ...;                  # pass through wanted <-------
        #smtp_auth ...;                          # pass through wanted
        #ssl_password_file /etc/vmail/example_1.org/passdb_keys;  # to read
    }
}
1. It is not clear how nginx would talk to postfix. One would expect the
proxy to serve
on port, say, 4650, being the port exposed by the router, masking postfix on
but nginx does not seem to have a relevant configuration clause.
2. Nginx refuses to start-up, demanding "auth_http". However, we do not need
authentication to nginx. What we need is a transparent proxy: nginx should
dovecot's unix socket, just like postfix does.
Thank you for your advice, if any.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,256248,256248#msg-256248
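Both open points above come down to the same mechanism: nginx's mail proxy never connects to postfix on its own; for every session it queries the auth_http backend and proxies to whatever Auth-Server/Auth-Port that backend returns, which is why it refuses to start without one. The following is an added example (not from the post and not nginx or postfix code) of a minimal auth_http backend for the SMTP side; the postfix address and the in-memory credential table are constructed stand-ins (a real deployment would check against dovecot instead).

```python
"""Minimal auth_http backend for nginx's mail proxy (added example).
nginx sends one GET per session with Auth-* request headers and reads
Auth-Status / Auth-Server / Auth-Port from the reply.  FAKE_PASSDB is a
constructed stand-in for dovecot's password database; POSTFIX_ADDR is
an assumed listener where postfix accepts the proxied session."""
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

POSTFIX_ADDR = ("127.0.0.1", 10465)                   # assumed postfix listener
FAKE_PASSDB = {"alice@example_1.org": "correct horse"}  # constructed sample
REJECT = {"Auth-Status": "Invalid login or password",  # generic: no user enumeration
          "Auth-Error-Code": "535 5.7.8"}              # SMTP reply code nginx relays

def auth_decision(request_headers):
    """Map nginx's Auth-* request headers to the Auth-* response headers."""
    h = {k.lower(): v for k, v in request_headers.items()}
    attempt = int(h.get("auth-login-attempt", "1") or 1)
    # Back off on repeated failures: nginx delays its reply by Auth-Wait seconds.
    failure = dict(REJECT, **{"Auth-Wait": str(min(3 * attempt, 30))})
    if h.get("auth-protocol") != "smtp":
        return failure                    # this backend only fronts port 465
    if h.get("auth-method") != "plain":
        return failure                    # PLAIN and LOGIN both arrive as "plain";
                                          # "none" (unauthenticated relay) is refused
    # nginx URL-escapes the credentials before placing them in the headers.
    user = unquote(h.get("auth-user", ""))
    pw = unquote(h.get("auth-pass", ""))
    expected = FAKE_PASSDB.get(user, "")
    if not expected or not hmac.compare_digest(expected.encode(), pw.encode()):
        return failure
    host, port = POSTFIX_ADDR
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)           # nginx acts on the Auth-* headers, not the status
        for k, v in auth_decision(self.headers).items():
            self.send_header(k, v)
        self.end_headers()

    def log_message(self, fmt, *args):    # default access log would expose Auth-Pass
        pass

if __name__ == "__main__":
    # Reference it from the mail block with:  auth_http 127.0.0.1:9000/auth;
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```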