Trying to use SMTP proxy, but there might be limitations?

Francis Daly francis at
Mon Sep 21 11:51:17 UTC 2015

On Sun, Sep 20, 2015 at 05:25:26PM -0700, Michael Shadle wrote:

Hi there,

This is all untested by me.

> To use headers/metadata from the incoming mail message to determine if
> delivery should be allowed based on the recipients of the message.

I think that that is not available when using the nginx SMTP (reverse) proxy.

You get one MAIL FROM address, plus one RCPT TO address each time that
your auth_http url is called.

All you can use is the SMTP Envelope data.

> Example: development/test environments,

That should be fine - one nginx mail server{} for dev, one for test.

> only allow whitelisted recipients to get messages.

That should be fine - you get each RCPT TO in turn, and your code decides
what Auth-Status to return for each one.

> However, I can only test and prove the concept for a single "To:
> destination" - if there are multiple recipients on the To: line, CC:
> or Bcc:, nginx still only seems to see one of them. I don't think this
> is only allowed in SMTP pipelining (which last I checked isn't
> supported in nginx)

Can you set up a test to watch the SMTP traffic that happens?

To:, Cc:, Bcc: are all mail client things. Whatever is talking SMTP to
your nginx SMTP server should send one MAIL FROM, then multiple lines
of RCPT TO, getting a response for each line sent.

> I'm not sure there is a way to make it work. It might simply not be supported.
> Here's my config. It seems to pass things around properly and allow me
> to send "Auth-Status OK" or "Auth-Status Denied" and properly allow or
> deny the message. But it doesn't expand the recipient list.

For the SMTP server, there is no recipient list to expand.

(At least, in the context you refer to here.)

> I examined $_SERVER in PHP:
>     [HTTP_AUTH_SMTP_FROM] => MAIL FROM:<from at> SIZE=418
>     [HTTP_AUTH_SMTP_TO] => RCPT TO:<destination at>
> ORCPT=rfc822;destination at

Do you want *that* address to be delivered to? If so, "Auth-Status: OK".

After you do that, you should get another request for the next address
(I think).

> I was looking around to see if the body of the message or headers came
> in via stdin, but I can't find much documentation about the SMTP
> proxy. Also, I'm not sure ultimately it would help me, as I would have
> to somehow "ignore" the recipients that aren't allowed (which could be
> any combination, maybe only one is okay, maybe all are okay, maybe 3
> out of 5 are okay, etc)

Send the Auth-Status that you want, for each RCPT TO address that you
are given.

See what breaks.

> I guess at this point my question is ... any ideas?

What do your logs or "tcpdump" output say happens?

What do you want to happen instead?

Good luck with it,

Francis Daly        francis at
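
Added example (not code from either poster or from the nginx project): a Python auth_http handler that makes the per-recipient decision described above, reading the Auth-SMTP-To header of one request and answering with an Auth-Status for that one address. The allowlist, the backend address and the listening port are assumptions for illustration, and the addresses are constructed.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values for illustration only: allowlist and backend are placeholders.
ALLOWED_RCPTS = {"qa-inbox@example.test", "dev-team@example.test"}
BACKEND = ("127.0.0.1", "2525")

# nginx forwards the raw SMTP command line, e.g.
#   "RCPT TO:<a@b> ORCPT=rfc822;a@b"  or  "MAIL FROM:<a@b> SIZE=418"
_PATH = re.compile(r"^(?:MAIL FROM|RCPT TO):\s*<([^<>\s]*)>", re.IGNORECASE)

def envelope_address(raw):
    """Return the address inside <...>, lowercased, or None if malformed.

    Lowercasing the local part is a policy choice made here so that the
    allowlist comparison is case-insensitive.
    """
    m = _PATH.match(raw or "")
    return m.group(1).lower() if m else None

def decide(headers, allowed=ALLOWED_RCPTS):
    """Map the headers of one auth_http request to the response headers."""
    rcpt = envelope_address(headers.get("Auth-SMTP-To"))
    if rcpt is None or rcpt not in allowed:
        # Fail closed: a missing, unparsable or unlisted recipient is refused.
        return {"Auth-Status": "Recipient not allowed",
                "Auth-Error-Code": "550 5.7.1"}
    return {"Auth-Status": "OK",
            "Auth-Server": BACKEND[0], "Auth-Port": BACKEND[1]}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The decision travels in response headers; the body stays empty.
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), Handler).serve_forever()
```

Logging the raw Auth-SMTP-To value for every request shows how many recipients of a multi-recipient message actually reach the handler.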
