NGINX Mailproxy
Fabian Joël Flückiger
info at fabianflu.ch
Mon Feb 17 10:40:45 UTC 2020
Hello
I am trying to use nginx as reverse-mailproxy for multiple mailservers.
Whenever I have a client which connects to the nginx-mailproxy via STARTTLS or SSL, the NGINX passes malformed LOGIN packets to the backend mailserver, for example:
(nginx = nginx, mails = backend mailserver, in the first case MailEnable, in the second case Dovecot)
nginx>5 LOGIN {18}
mails>+ go ahead
nginx>user at domain.tld {8}
mails>+ go ahead
nginx>PASSWORD
mails>BAD UNKNOWN Command
nginx>3 LOGIN {17}
mails> + OK
nginx> user at domain.tld {8}
mails> + OK
nginx>PASSWORD
mails>3 NO [AUTHENTICATIONFAILED] Authentication failed.
As you can see, nginx adds a suffix to the username, which makes the backend server fail. Wireshark displays this additional data as {number}; I can also provide the hex variant of the packets.
NGINX also adds this suffix if the username is passed via the NGX auth header.
I've tested this with the nginx-full binary from the Ubuntu repositories, as well as a self-compiled binary.
Used configuration:
server_name server.domain.tld;
auth_http url;
proxy on;
proxy_pass_error_message on;
imap_capabilities "IMAP4rev1" "UIDPLUS" "IDLE" "LITERAL +" "QUOTA" "SASL-IR" "ID" "ENABLE";
pop3_auth plain apop;
pop3_capabilities "LAST" "TOP" "USER" "PIPELINING" "UIDL";
smtp_capabilities "SIZE 31457280" ENHANCEDSTATUSCODES 8BITMIME DSN;
ssl_certificate /path/to/cert.crt;
ssl_certificate_key /path/to/privkey.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
error_log /var/log/nginx/mailerror.log info;
xclient on;
# POP3 #
server {
listen 143;
protocol imap;
starttls on;
imap_auth plain login;
auth_http_header X-Auth-Port 143;
auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}
server {
protocol pop3;
listen 110;
starttls on;
pop3_auth plain;
proxy on;
auth_http_header X-Auth-Port 110;
auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}
# IMAP #
server {
listen 993;
ssl on;
protocol imap;
imap_auth plain login;
auth_http_header X-Auth-Port 993;
auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}
server {
protocol pop3;
listen 995;
ssl on;
pop3_auth plain;
auth_http_header X-Auth-Port 995;
auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}
# SMTP #
server {
listen 25;
xclient off;
protocol smtp;
starttls on;
smtp_auth login plain cram-md5;
auth_http_header X-Auth-Port 25;
auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
auth_http_header X-Real-IP $remote_addr;
}
server {
listen 587;
xclient off;
protocol smtp;
starttls on;
smtp_auth login plain cram-md5;
auth_http_header X-Auth-Port 587;
auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}
server {
listen 465;
xclient off;
protocol smtp;
ssl on;
smtp_auth login plain cram-md5;
auth_http_header X-Auth-Port 465;
auth_http_header User-Agent "Nginx POP3/IMAP4 proxy";
}
Is this a configuration-related issue? How can I fix this?
Thank you very much!
Fabian
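An added example (my own code, not nginx's or the poster's) that frames a LOGIN exactly as the trace above shows it and parses it the way a backend would: in the IMAP grammar of RFC 3501, `{n}` at the end of a line is a synchronizing literal that announces the byte count of the argument that follows the server's `+` continuation, which is why the trace shows `{8}` before the 8-byte `PASSWORD`. The username and password below are constructed placeholders, and the `{n+}` (LITERAL+) handling goes slightly beyond the trace.

```python
import re

# Literal announcement at the end of a line: {n} (synchronizing) or {n+} (LITERAL+).
LITERAL_RE = re.compile(rb"\{(\d+)(\+?)\}$")


def build_login(tag: str, username: str, password: str) -> list[bytes]:
    """Frame a LOGIN with both arguments as synchronizing literals, which is the
    shape seen in the trace: '<tag> LOGIN {len(user)}', then '<user> {len(pw)}',
    then '<pw>'. The backend must answer '+' before each literal's bytes are sent."""
    user, pw = username.encode(), password.encode()
    return [
        f"{tag} LOGIN {{{len(user)}}}\r\n".encode(),
        user + f" {{{len(pw)}}}\r\n".encode(),
        pw + b"\r\n",
    ]


def announces_literal(frame: bytes):
    """Return (byte_count, synchronizing) if the frame ends in a literal
    announcement, else None. Only a synchronizing literal ({n}) obliges the
    server to send a '+' continuation before the client may continue."""
    m = LITERAL_RE.search(frame.rstrip(b"\r\n"))
    if not m:
        return None
    return int(m.group(1)), m.group(2) == b""


def parse_command(stream: bytes):
    """Parse one tagged command from the client byte stream as a backend would,
    resolving literals by byte count. Returns (tag, command, args); raises
    ValueError when a literal is shorter than announced or CRLF is missing."""
    pos, tokens = 0, []
    while True:
        end = stream.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("command not terminated by CRLF")
        line = stream[pos:end]
        pos = end + 2
        m = LITERAL_RE.search(line)
        if m:
            tokens.extend(line[: m.start()].split())
            n = int(m.group(1))
            literal = stream[pos : pos + n]
            if len(literal) != n:
                raise ValueError(f"literal announced {n} bytes, got {len(literal)}")
            tokens.append(literal)  # the literal is one argument, spaces included
            pos += n
            continue  # the rest of the command follows the literal bytes
        tokens.extend(line.split())
        break
    if len(tokens) < 2:
        raise ValueError("need at least a tag and a command")
    tag, cmd, *args = tokens
    return tag.decode(), cmd.decode().upper(), [a.decode() for a in args]
```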