How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?

Frank Liu gfrankliu at gmail.com
Thu Jun 21 20:58:47 UTC 2018


Try proxy protocol.

On Thu, Jun 21, 2018 at 12:47 PM, <cyang at 123mail.org> wrote:

> I run Postfix 3.3.1 & Nginx 1.15.0
>
> Both work great.
>
> I'm beginning to experiment with putting Postfix (and eventually other)
> servers behind Nginx (v 1.15.0) set up as a mail (SMTP) proxy.
>
> Without the proxy, Postfix logs show an inbound connection to my real IP
>
>         Jun 21 12:12:31 mailprox postfix/postscreen[55634]: CONNECT from [74.125.142.27]:43757 to [192.0.2.1]:25
>
> The way nginx gets configured for smtp proxy, even if I'm *NOT* doing any
> auth, is to direct the connection to a "fake" auth_http destination,
>
>         mail {
>                 ...
>                 auth_http 127.0.0.1:33001/dummy.php;
>                 ...
>         }
>         http {
>                 ...
>                 server {
>                         listen 127.0.0.1:33001;
>                         ...
>                         location ~ \.php$ {
>                                 add_header Auth-Server 127.0.0.1;
>                                 add_header Auth-Port 33025;
>                                 return 200;
>                         }
>                         ...
>                 }
>         }
>
> Switching over, the proxy is set up to listen on the real IP
>
>         [192.0.2.1]:25
>
> and passes to Postfix's postscreen which, using the config above, is
> listening on
>
>         [127.0.0.1]:33025
>
> What I see in the Postfix log is
>
>         Jun 21 12:10:12 mailprox postfix/postscreen[55329]: CONNECT from [127.0.0.1]:31460 to [127.0.0.1]:33025
>         Jun 21 12:10:12 mailprox postfix/postscreen[55329]: WHITELISTED [127.0.0.1]:31460
>
> Mail does get delivered but postscreen is whitelisting the IP of the
> proxy, 127.0.0.1, and not using the real IP.
>
> I need to somehow pass the Real-IP through to postscreen, and anything
> further downstream that'll need it.
>
> For web server proxying I'd pass something like
>
>         X-Forwarded-For
>
> or
>
>         X-Real-IP
>
> to a downstream webserver listener.
>
> What do I need for Postfix/Postscreen to correctly 'see' the Real IP?
>
> A header added to the nginx config?  Some additional code in the
> auth_http? Something else?
>
> Cheers!
>
> Cy
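What the PROXY protocol suggested in the reply puts on the wire, as an added example that is not from this thread or from nginx or Postfix code: in version 1 of the protocol the proxy prepends one text line carrying the client's address, and the backend parses it before any SMTP. The function names and the trusted-proxy set are assumptions for illustration; the addresses are the ones in the log lines quoted above.

```python
import ipaddress

MAX_V1_LEN = 107  # longest legal v1 header, CRLF included

def build_v1(src_ip, src_port, dst_ip, dst_port):
    """Line the proxy sends as the first bytes of the backend connection."""
    fam = "TCP4" if ipaddress.ip_address(src_ip).version == 4 else "TCP6"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")

def parse_v1(data, peer_ip, trusted_proxies):
    """Return (src_ip, src_port, dst_ip, dst_port, remaining_bytes).

    peer_ip is the TCP peer of this connection. The header is believed only
    when that peer is a known proxy; otherwise any client could forge it.
    Raises ValueError on an untrusted peer or a malformed header.
    """
    if peer_ip not in trusted_proxies:
        raise ValueError("PROXY header from untrusted peer")
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF within the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("connection does not start with a PROXY v1 header")
    if fields[1] == "UNKNOWN":  # proxy could not determine the client address
        return None, None, None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(a) for a in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("bad port")
    return str(src), int(fields[4]), str(dst), int(fields[5]), rest

if __name__ == "__main__":
    # Constructed sample: client and listener addresses from the quoted log.
    wire = build_v1("74.125.142.27", 43757, "192.0.2.1", 25) + b"EHLO example\r\n"
    print(parse_v1(wire, "127.0.0.1", {"127.0.0.1"}))
```

With this header the backend logs 74.125.142.27 rather than the proxy's 127.0.0.1, which is why the listener that accepts it must be reachable only from the proxy.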

