Nginx as reverse proxy mail server host

Francis Daly francis at daoine.org
Thu Jul 2 21:05:49 UTC 2020


On Thu, Jul 02, 2020 at 02:20:59PM -0400, siva.pannier wrote:

Hi there,

> I am trying to proxy a SMTP server on Nginx using the below configuration. I
> want all the client calls to hit the SMTP server via my proxy host. I want
> the SSL termination on nginx for the client calls to the SMTP Server.

Your config has nginx as an ssl-termination point, and nginx just sends
the decrypted traffic to its upstream.

The simplest way to prove that this works is probably to use a well-known
working client, such as "openssl s_client -connect".

> When I do the connection getting below exception even before the SSL
> handshake.. Please correct me if I am wrong anywhere. 

There are two ways of doing ssl with smtp. One is to establish an ssl
session, and then "speak" smtp through that -- that is what you have
configured your nginx server to expect here. The other is to establish
an smtp session, and then use the smtp command "starttls" to establish an
ssl session -- that is what you have configured your client to do.

Things fail because nginx is expecting to see a ssl session being
established, but the client is expecting to see a smtp session being
established.

> Without SSL directive & Properties in nginx.conf, it works fine and able to
> do SSL handshake as well. Not sure how it would be an SSL connection, without
> the SSL directive and SSL properties.

In this case, nginx is acting as a plain tcp forwarder; it does not know
or care what is in the packet, it just copies it.

Now your client connects to nginx, and nginx sends the content to your
upstream. Your client says "starttls" and negotiates the ssl session
with your upstream, not with nginx.

What you have can work; but you must make sure that your design has the
client and the server speaking the same protocol with each other.

An alternative way of proxying smtp is described at
https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
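
An added example, not part of the original message: a small Python probe that tells the two listener behaviours described above apart by who speaks first after the TCP connect. The function names, the stand-in localhost listeners and the banner text are constructed for this illustration, and treating silence as a TLS-wrapped port is a heuristic.

```python
import socket
import threading

# Which listener behaviour each client mode needs (names are this example's own).
CLIENT_NEEDS = {"starttls": "plain-smtp", "smtps": "implicit-tls"}

def probe_listener(host, port, wait=1.0):
    """Classify a mail listener by who speaks first after the TCP connect."""
    with socket.create_connection((host, port), timeout=wait) as sock:
        try:
            first = sock.recv(512)
        except socket.timeout:
            # Silence: the listener is waiting for a TLS ClientHello,
            # as nginx does on a "listen ... ssl" port.
            return "implicit-tls"
    if first.startswith(b"220"):
        return "plain-smtp"   # clear-text greeting; STARTTLS would come next
    return "closed" if not first else "unknown"

def client_matches(listener_kind, client_mode):
    """True when client and listener agree on how the TLS session starts."""
    return CLIENT_NEEDS[client_mode] == listener_kind

def serve_once(banner):
    """Constructed stand-in listener on a free localhost port; returns the port.
    A banner imitates plain SMTP; banner=None imitates a TLS-wrapped port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            conn.settimeout(3)
            try:
                conn.recv(512)   # keep the connection open until the probe leaves
            except OSError:
                pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for banner in (b"220 mail.example.test ESMTP\r\n", None):
        kind = probe_listener("127.0.0.1", serve_once(banner), wait=0.5)
        print(kind, "- STARTTLS client works:", client_matches(kind, "starttls"))
```

A server that delays its greeting would also look silent, so confirm an "implicit-tls" result with a TLS client such as "openssl s_client -connect" before changing the design.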

