SNI support in `mail` context (fixed formatting)

Maxim Dounin mdounin at mdounin.ru
Mon Jul 6 17:31:50 UTC 2020


Hello!

On Mon, Jul 06, 2020 at 10:17:31AM -0700, Denis Sh. wrote:

> So, when proxying SMTP/IMAP, is it possible to get the Server 
> Name that mail clients send as a part of Client Hello?

Currently no.

> Similar to Embedded Variables for ngx_http_ssl_module:
> $ssl_server_name
> returns the server name requested through SNI (1.7.0);
> 
> I don't see these vars defined here https://github.com/nginx/nginx/blob/829c9d5981da1abc81dd7e2fb563da592203e54a/src/mail/ngx_mail_ssl_module.c#L229

There are no variables in the mail module.

> Or should I use `stream` to proxy mail?
> 
> Any ideas?

This depends on what you are trying to achieve.  For obvious 
reasons stream won't work for complex protocol-dependent things, 
such as STARTTLS or authentication.  But if the goal is to provide 
different certificates to different names requested via SNI in 
SMTPS and IMAPS connections, proxying via the stream module with 
ssl_preread (http://nginx.org/r/ssl_preread) might work for you.

Note though that in general there is no concept of name-based 
virtual hosts in mail protocols, and using name-based virtual 
hosts for SSL might not be a good idea either.  Also, the status of 
SNI support by email clients varies, and is "unknown" in most cases 
(https://en.wikipedia.org/wiki/Comparison_of_email_clients).

-- 
Maxim Dounin
http://mdounin.ru/
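
The SNI-based routing suggested in the reply above, as an added example that is not part of the original message or of nginx's documentation: a stream server with ssl_preread reads the name from the ClientHello on the IMAPS port and passes the still-encrypted connection to a per-name mail server that presents its own certificate. The host names, loopback ports, certificate paths and auth_http URL are assumptions.

```nginx
# Added example; names, ports, paths and the auth_http URL are placeholders.

stream {
    # Choose a backend from the SNI name sent in the ClientHello.
    # Clients that send no SNI, or an unlisted name, get the default.
    map $ssl_preread_server_name $imaps_backend {
        mail.example.com    127.0.0.1:10993;
        mail.example.net    127.0.0.1:11993;
        default             127.0.0.1:10993;
    }

    server {
        listen      993;
        ssl_preread on;               # read the ClientHello, do not terminate TLS
        proxy_pass  $imaps_backend;   # bytes are forwarded unmodified
    }
}

mail {
    auth_http 127.0.0.1:9000/auth;    # placeholder authentication endpoint

    # TLS is terminated here, one server per certificate.
    server {
        listen              127.0.0.1:10993 ssl;
        protocol            imap;
        ssl_certificate     /etc/nginx/certs/mail.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/mail.example.com.key;
    }

    server {
        listen              127.0.0.1:11993 ssl;
        protocol            imap;
        ssl_certificate     /etc/nginx/certs/mail.example.net.crt;
        ssl_certificate_key /etc/nginx/certs/mail.example.net.key;
    }
}
```

This only covers implicit-TLS ports such as 993 and 465, because a STARTTLS session starts in plaintext and there is no ClientHello for ssl_preread to read at connect time. With this layout the mail servers see every connection as coming from 127.0.0.1, so per-client limits and logging based on the peer address need to account for that.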

