SNI support in `mail` context (fixed formatting)

Maxim Dounin mdounin at
Mon Jul 6 17:31:50 UTC 2020


On Mon, Jul 06, 2020 at 10:17:31AM -0700, Denis Sh. wrote:

> So, when proxying SMTP/IMAP, is it possible to get the Server 
> Name that mail clients send as a part of Client Hello?

Currently no.

> Similar to Embedded Variables for ngx_http_ssl_module:
> $ssl_server_name
> returns the server name requested through SNI (1.7.0);
> I don't see these vars defined here

There is no variables in the mail module.

> Or should I use `stream` to proxy mail?
> Any ideas?

This depends on what you are trying to achieve.  For obvious 
reasons stream won't work for complex protocol-dependent things, 
such as STARTTLS or authentication.  But if the goal is to provide 
different certificates to different names requested via SNI in 
SMTPS and IMAPS connections, proxying via the stream module with 
ssl_preread ( might work for you.

Note though that in general there is no concept of name-based 
virtual hosts in mail protocols, and using name-based virtual 
hosts for SSL might not be a good idea either.  Also, status of 
SNI support by email clients varies, and "unknown" in most cases 

Maxim Dounin

More information about the nginx mailing list