SNI support in `mail` context (fixed formatting)

Denis Sh. denok at yandex.com
Mon Jul 6 18:07:56 UTC 2020


Thanks for your reply, Maxim. Sorry, I screwed up the HTML formatting!

What are the chances that you would look into adding these variables into the mail module upstream?
Looks like it's not very hard to do. Or is SNI for mail not considered to be a real thing?

>> But if the goal is to provide
>> different certificates to different names requested via SNI in
>> SMTPS and IMAPS connections

I'm afraid I need to support STARTTLS and either do AUTH completely on NGINX or on the backends.

Also, I wasn't able to find a reason why NGINX intentionally doesn't support passing the AUTH through to the backend for SMTP, the same as with IMAP/POP?

Yeah, I know that SNI for mail protocols is a "grey" area; I still want to start implementing it.

Denis
>
> 06.07.2020, 10:32, "Maxim Dounin" <mdounin at mdounin.ru>:
>> Hello!
>>
>> On Mon, Jul 06, 2020 at 10:17:31AM -0700, Denis Sh. wrote:
>>
>>>  So, when proxying SMTP/IMAP, is it possible to get the Server
>>>  Name that mail clients send as a part of Client Hello?
>>
>> Currently no.
>>
>>>  Similar to Embedded Variables for ngx_http_ssl_module:
>>>  $ssl_server_name
>>>  returns the server name requested through SNI (1.7.0);
>>>
>>>  I don't see these vars defined here https://github.com/nginx/nginx/blob/829c9d5981da1abc81dd7e2fb563da592203e54a/src/mail/ngx_mail_ssl_module.c#L229
>>
>> There are no variables in the mail module.
>>
>>>  Or should I use `stream` to proxy mail?
>>>
>>>  Any ideas?
>>
>> This depends on what you are trying to achieve. For obvious
>> reasons stream won't work for complex protocol-dependent things,
>> such as STARTTLS or authentication. But if the goal is to provide
>> different certificates to different names requested via SNI in
>> SMTPS and IMAPS connections, proxying via the stream module with
>> ssl_preread (http://nginx.org/r/ssl_preread) might work for you.
>>
>> Note though that in general there is no concept of name-based
>> virtual hosts in mail protocols, and using name-based virtual
>> hosts for SSL might not be a good idea either. Also, the status of
>> SNI support by email clients varies, and is "unknown" in most cases
>> (https://en.wikipedia.org/wiki/Comparison_of_email_clients).
>>
>> --
>> Maxim Dounin
>> http://mdounin.ru/
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
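The `stream` + `ssl_preread` approach Maxim describes, as an added configuration example that is not from this thread or from the nginx project: SMTPS (465) and IMAPS (993) are routed to a backend chosen by the SNI name in the ClientHello without terminating TLS on nginx. Hostnames, backend addresses and the log path are placeholders. Because nginx only peeks at the ClientHello here, each backend still has to hold the certificate for its own name, AUTH is seen only by the backend, and STARTTLS ports (25/587/143) cannot be routed this way since their ClientHello arrives only after a plaintext exchange nginx does not parse in `stream`.

```nginx
# Added example (not from the mailing list thread): SNI-based routing of
# implicit-TLS mail with the stream module. All names/addresses are placeholders.
stream {
    # $ssl_preread_server_name is taken from the SNI extension of the
    # ClientHello. Connections that send no SNI (common for mail clients, as
    # Maxim notes) or an unknown name fall through to "default" instead of
    # being dropped, so legacy clients keep working.
    map $ssl_preread_server_name $smtps_backend {
        hostnames;
        mail.example-a.test   10.0.0.11:465;   # placeholder backend A
        mail.example-b.test   10.0.0.12:465;   # placeholder backend B
        default               10.0.0.10:465;   # placeholder fallback
    }

    map $ssl_preread_server_name $imaps_backend {
        hostnames;
        mail.example-a.test   10.0.0.11:993;
        mail.example-b.test   10.0.0.12:993;
        default               10.0.0.10:993;
    }

    # Log the SNI name per connection so you can measure how many clients
    # actually send it before relying on it for routing.
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" '
                   'to=$upstream_addr bytes=$bytes_sent/$bytes_received';
    access_log /var/log/nginx/mail-stream.log sni;   # placeholder path

    server {
        listen 465;
        ssl_preread on;                 # inspect ClientHello, do not terminate TLS
        proxy_pass $smtps_backend;
    }

    server {
        listen 993;
        ssl_preread on;
        proxy_pass $imaps_backend;
    }
}
```

Check the routing with a TLS client that lets you set the SNI name explicitly (for example `openssl s_client -connect host:993 -servername mail.example-b.test`) and confirm in the access log that the expected `upstream_addr` was chosen, then repeat without `-servername` to verify the fallback path.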

