Trying to use SMTP proxy, but there might be limitations?

Francis Daly francis at daoine.org
Mon Sep 21 11:51:17 UTC 2015


On Sun, Sep 20, 2015 at 05:25:26PM -0700, Michael Shadle wrote:

Hi there,

This is all untested by me.

> To use headers/metadata from the incoming mail message to determine if
> delivery should be allowed based on the recipients of the message.

I think that that is not available when using the nginx SMTP (reverse) proxy.

You get one MAIL FROM address, plus one RCPT TO address each time that
your auth_http url is called.

All you can use is the SMTP Envelope data.

> Example: development/test environments,

That should be fine - one nginx mail server{} for dev, one for test.

> only allow whitelisted recipients to get messages.

That should be fine - you get each RCPT TO in turn, and your code decides
what Auth-Status to return for each one.

> However, I can only test and prove the concept for a single "To:
> destination" - if there are multiple recipients on the To: line, CC:
> or Bcc:, nginx still only seems to see one of them. I don't think this
> is only allowed in SMTP pipelining (which last I checked isn't
> supported in nginx)

Can you set up a test to watch the SMTP traffic that happens?

To:, Cc:, Bcc: are all mail client things. Whatever is talking SMTP to
your nginx SMTP server should send one MAIL FROM, then multiple lines
of RCPT TO, getting a response for each line sent.

> I'm not sure there is a way to make it work. It might simply not be supported.
> 
> Here's my config. It seems to pass things around properly and allow me
> to send "Auth-Status OK" or "Auth-Status Denied" and properly allow or
> deny the message. But it doesn't expand the recipient list.

For the SMTP server, there is no recipient list to expand.

(At least, in the context you refer to here.)

> I examined $_SERVER in PHP:
> 
>     [HTTP_AUTH_SMTP_FROM] => MAIL FROM:<from at address.com> SIZE=418
>     [HTTP_AUTH_SMTP_TO] => RCPT TO:<destination at address.com> ORCPT=rfc822;destination at address.com

Do you want *that* address to be delivered to? If so, "Auth-Status: OK".

After you do that, you should get another request for the next address
(I think).

> I was looking around to see if the body of the message or headers came
> in via stdin, but I can't find much documentation about the SMTP
> proxy. Also, I'm not sure ultimately it would help me, as I would have
> to somehow "ignore" the recipients that aren't allowed (which could be
> any combination, maybe only one is okay, maybe all are okay, maybe 3
> out of 5 are okay, etc)

Send the Auth-Status that you want, for each RCPT TO address that you
are given.

See what breaks.

> I guess at this point my question is ... any ideas?

What do your logs or "tcpdump" output say happens?

What do you want to happen instead?

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
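
Added example, not part of the original message and not nginx's or the poster's code: a decision function for one auth_http request that extracts the envelope recipient from an Auth-SMTP-To value like the one quoted above and returns the response headers. The allowlist, backend address and reply codes are constructed assumptions.

```python
import re

# Constructed allowlist and backend for illustration (assumptions, not from the thread).
ALLOWED_RCPT = {"qa@example.test", "dev-team@example.test"}
BACKEND = ("127.0.0.1", "2525")

# Matches the path inside "MAIL FROM:<...>" or "RCPT TO:<...>". ESMTP parameters
# after the closing bracket (SIZE=, ORCPT=) are ignored on purpose: the decision
# must rest on the forward-path the backend will act on, not on ORCPT.
_PATH_RE = re.compile(r"^\s*(?:MAIL FROM|RCPT TO):\s*<([^<>\s]*)>", re.IGNORECASE)


def envelope_address(header_value):
    """Return the lower-cased address from an Auth-SMTP-From/To value, or None."""
    m = _PATH_RE.match(header_value or "")
    if not m:
        return None
    addr = m.group(1)
    # Drop a source route ("@relay1,@relay2:user@host") if one is present.
    if addr.startswith("@") and ":" in addr:
        addr = addr.split(":", 1)[1]
    # Lower-casing is a simplification that suits a dev/test allowlist.
    return addr.lower()


def decide(request_headers):
    """Map the request headers of one auth_http call to response headers."""
    h = {k.lower(): v for k, v in request_headers.items()}
    rcpt = envelope_address(h.get("auth-smtp-to", ""))
    if rcpt is None or rcpt.count("@") != 1:
        return {"Auth-Status": "Malformed recipient",
                "Auth-Error-Code": "501 5.1.3"}
    if rcpt not in ALLOWED_RCPT:
        return {"Auth-Status": "Recipient not allowed in this environment",
                "Auth-Error-Code": "550 5.7.1"}
    return {"Auth-Status": "OK",
            "Auth-Server": BACKEND[0], "Auth-Port": BACKEND[1]}


if __name__ == "__main__":
    # Constructed request headers in the shape shown in the quoted $_SERVER dump.
    sample = {"Auth-SMTP-From": "MAIL FROM:<app@example.test> SIZE=418",
              "Auth-SMTP-To": "RCPT TO:<QA@Example.test> ORCPT=rfc822;QA@Example.test"}
    print(decide(sample))
```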


