Nginx as reverse proxy mail server host

Francis Daly francis at
Sat Jul 4 08:23:54 UTC 2020

On Fri, Jul 03, 2020 at 08:38:09AM -0400, siva.pannier wrote:

Hi there,

> My understanding from your suggestions is that you do not want me to make
> any corrections on the client code. I just need to make corrections on the
> Nginx configuration as per the blog link. 

Not quite, no.

You need to know which of the smtp-involving-ssl protocols you want your
client to speak.

You need to know which of the smtp-involving-ssl protocols your upstream
server speaks.

Then you decide how (and whether) to configure nginx to translate between
the two.

From your report, your client already works with nginx using stream{}
and no ssl, because your client uses smtp+starttls and your upstream
server uses smtp+starttls.

So maybe there is nothing that you need to change.

> I am trying to understand that blog, going through again and again. So far I
> understand that it creates a SSL layer first through which it accepts the
> client request.

That document describes multiple possible ways of configuring things.

You will want to use exactly one way.

If you use the nginx mail{} with "ssl on", then what you suggest is

If you do not use "ssl on", then it is not correct.

> Client should point to my proxy host and one of the ports
> listed under "mail{... }". Proxy server identifies the upstream host based
> on the username that came from the client request. Then the call is routed to
> the actual upstream host based on the port. Please correct me if I am wrong
> anywhere.

When nginx is configured to proxy a message to an upstream server,
it needs to know which upstream server to talk to.

If you use nginx stream{}, you configure the upstream using proxy_pass. If
you use nginx mail{}, as this document does, you configure the upstream
indirectly using auth_http. auth_http refers to a http url that is
expected to return an indication of which server:port the connection
should be proxied to. How it does that is up to you to write -- maybe
it differs per user and per port; maybe it always gives the same response.

> My questions are 
> 1) Significance of this line "auth_http  
> localhost:9000/cgi-bin/nginxauth.cgi;" is just to have my own authorization
> logic and return the valid upstream server host based on the username. Is it
> correct?

> 2) I want to know what does this mean "smtp_auth  login plain cram-md5;".
> Does the connection to actual upstream happen here?

The connection to upstream cannot happen until after nginx knows which
upstream to connect to. And that comes from the auth_http response. The
auth_http request includes the details provided by the client in response
to the smtp_auth "challenge".

> Please help me on this and also share links supporting the above
> configuration.

There is a lot of information at

The "ngx_mail_*" modules are grouped together.

For a lot of this, if the documentation is unclear, you may be better
off building a test system and seeing what happens when you try things.

If that results in the unclear documentation being made clear, that
is good.

Good luck with it,

Francis Daly        francis at
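The auth_http mechanism described above (nginx mail{} asks an HTTP URL which server:port to proxy to, passing along what the client supplied in response to the smtp_auth challenge), as an added example that is not part of this thread: a minimal Python responder that follows the Auth-* request and response headers documented for ngx_mail_auth_http_module. The user directory, upstream hosts and ports are constructed; the listening port matches the "localhost:9000" auth_http line quoted in the thread.

```python
import hmac
import hashlib
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample directory: username -> (plaintext password, upstream host, upstream port).
USERS = {
    "alice@example.test": ("s3cret", "10.0.0.11", "25"),
    "bob@example.test": ("hunter2", "10.0.0.12", "2525"),
}

def credential_ok(method, stored, auth_pass, salt):
    """plain/login: nginx forwards the password itself in Auth-Pass.
    cram-md5: Auth-Salt is the challenge nginx issued, Auth-Pass the client's hex HMAC-MD5."""
    if method in ("plain", "login"):
        return hmac.compare_digest(stored, auth_pass)
    if method == "cram-md5":
        digest = hmac.new(stored.encode(), salt.encode(), hashlib.md5).hexdigest()
        return hmac.compare_digest(digest, auth_pass)
    return False

def route(headers):
    """Turn the Auth-* request headers nginx sends into the Auth-* response headers it reads."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("auth-protocol") != "smtp":
        return {"Auth-Status": "Unsupported protocol", "Auth-Wait": "3"}
    user, method = h.get("auth-user", ""), h.get("auth-method", "")
    rec = USERS.get(user)
    if rec and credential_ok(method, rec[0], h.get("auth-pass", ""), h.get("auth-salt", "")):
        resp = {"Auth-Status": "OK", "Auth-Server": rec[1], "Auth-Port": rec[2]}
        if method == "cram-md5":
            resp["Auth-Pass"] = rec[0]  # nginx re-checks the digest itself with the plaintext
        return resp
    # Same message for unknown user and wrong password; Auth-Wait slows down guessing.
    return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3",
            "Auth-Error-Code": "535 5.7.0"}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        for k, v in route(self.headers).items():
            self.send_header(k, v)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep usernames and passwords out of stderr

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Point nginx at it with "auth_http 127.0.0.1:9000/;" and nginx will proxy each authenticated SMTP session to whatever Auth-Server/Auth-Port the responder returns for that user.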
