Trying to use SMTP proxy, but there might be limitations?
Francis Daly
francis at daoine.org
Mon Sep 21 11:51:17 UTC 2015
On Sun, Sep 20, 2015 at 05:25:26PM -0700, Michael Shadle wrote:
Hi there,
This is all untested by me.
> To use headers/metadata from the incoming mail message to determine if
> delivery should be allowed based on the recipients of the message.
I think that that is not available when using the nginx SMTP (reverse) proxy.
You get one MAIL FROM address, plus one RCPT TO address each time that
your auth_http url is called.
All you can use is the SMTP Envelope data.
> Example: development/test environments,
That should be fine - one nginx mail server{} for dev, one for test.
> only allow whitelisted recipients to get messages.
That should be fine - you get each RCPT TO in turn, and your code decides
what Auth-Status to return for each one.
> However, I can only test and prove the concept for a single "To:
> destination" - if there are multiple recipients on the To: line, CC:
> or Bcc:, nginx still only seems to see one of them. I don't think this
> is only allowed in SMTP pipelining (which last I checked isn't
> supported in nginx)
Can you set up a test to watch the SMTP traffic that happens?
To:, Cc:, Bcc: are all mail client things. Whatever is talking SMTP to
your nginx SMTP server should send one MAIL FROM, then multiple lines
of RCPT TO, getting a response for each line sent.
> I'm not sure there is a way to make it work. It might simply not be supported.
>
> Here's my config. It seems to pass things around properly and allow me
> to send "Auth-Status OK" or "Auth-Status Denied" and properly allow or
> deny the message. But it doesn't expand the recipient list.
For the SMTP server, there is no recipient list to expand.
(At least, in the context you refer to here.)
> I examined $_SERVER in PHP:
>
> [HTTP_AUTH_SMTP_FROM] => MAIL FROM:<from at address.com> SIZE=418
> [HTTP_AUTH_SMTP_TO] => RCPT TO:<destination at address.com> ORCPT=rfc822;destination at address.com
Do you want *that* address to be delivered to? If so, "Auth-Status: OK".
After you do that, you should get another request for the next address
(I think).
> I was looking around to see if the body of the message or headers came
> in via stdin, but I can't find much documentation about the SMTP
> proxy. Also, I'm not sure ultimately it would help me, as I would have
> to somehow "ignore" the recipients that aren't allowed (which could be
> any combination, maybe only one is okay, maybe all are okay, maybe 3
> out of 5 are okay, etc)
Send the Auth-Status that you want, for each RCPT TO address that you
are given.
See what breaks.
> I guess at this point my question is ... any ideas?
What do your logs or "tcpdump" output say happens?
What do you want to happen instead?
Good luck with it,
f
--
Francis Daly francis at daoine.org
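
An added example, not part of the original post: a Python sketch of the allowlist decision an auth_http handler could make from the single `Auth-SMTP-To` value carried by one request (the header the poster saw as `HTTP_AUTH_SMTP_TO`). The function names, allowlist entries, backend address and reject text are assumptions made for illustration.

```python
import re

# Assumed values for illustration: allowlist contents and backend address.
ALLOWED_RECIPIENTS = {"qa-inbox@example.test", "dev-team@example.test"}
BACKEND = ("127.0.0.1", "2525")

# Auth-SMTP-To carries the raw SMTP command, e.g.
# "RCPT TO:<user@host> ORCPT=rfc822;user@host"
_RCPT_RE = re.compile(r"^\s*RCPT\s+TO:\s*<([^<>\s]*)>", re.IGNORECASE)


def envelope_recipient(auth_smtp_to):
    """Return the lower-cased address from an Auth-SMTP-To value, or None."""
    m = _RCPT_RE.match(auth_smtp_to or "")
    if not m:
        return None
    addr = m.group(1)
    # Drop a source route ("@relay1,@relay2:user@host") if present.
    if addr.startswith("@") and ":" in addr:
        addr = addr.split(":", 1)[1]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None  # covers the null path "<>" and bare names
    # Lower-casing the whole address is a policy choice made for this example.
    return f"{local}@{domain}".lower()


def auth_response(request_headers):
    """Build the auth_http response headers for one request."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    rcpt = envelope_recipient(headers.get("auth-smtp-to"))
    if rcpt in ALLOWED_RECIPIENTS:
        return {"Auth-Status": "OK",
                "Auth-Server": BACKEND[0], "Auth-Port": BACKEND[1]}
    # Anything else, including a missing or malformed header, fails closed.
    return {"Auth-Status": "Recipient not allowed in this environment",
            "Auth-Error-Code": "550 5.7.1"}


# Constructed sample request headers (not captured traffic).
SAMPLE_OK = {"Auth-SMTP-From": "MAIL FROM:<app@example.test> SIZE=418",
             "Auth-SMTP-To": "RCPT TO:<QA-Inbox@Example.Test> "
                             "ORCPT=rfc822;qa-inbox@example.test"}
SAMPLE_DENY = {"Auth-SMTP-To": "RCPT TO:<customer@example.org>"}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DENY, {}):
        print(auth_response(sample))
```

The decision uses only envelope data, so addresses that appear only in the message's To:, Cc: or Bcc: headers never reach this check.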