SNI support in `mail` context (fixed formatting)

Maxim Dounin mdounin at mdounin.ru
Mon Jul 6 18:52:31 UTC 2020


Hello!

On Mon, Jul 06, 2020 at 11:07:56AM -0700, Denis Sh. wrote:

> Thank for your reply, Maxim. Sorry, I screwed with HTML formatting!
> 
>  What are the chances that you would look into adding these variable into mail module in upstream?
>  Looks like it's not very hard to do. Or SNI for mail is not considered to be a real thing?

There are no variables in the mail module, and it's unlikely we'll 
add any in the short-term perspective.

SNI server name as sent by the client can be passed to the 
auth_http script if needed, along this other Auth-SSL* headers, 
this should be simple enough.  But we are yet to see use cases 
where this is needed (and this is not going to help to provide 
different certificates for different names).

> >>> But if the goal is to provide
> >> different certificates to different names requested via SNI in
> >> SMTPS and IMAPS connections
> 
>  I'm afraid I need to support STARTTLS and either completely do AUTH on NGINX or backends.

So stream certainly won't work for you.  The question is still the 
same though: what are you trying to achieve.

>  Also, I wasn't able to find a reason why NGINX intentionally 
>  doesn't support passing thru the AUTH to the backend for SMTP, 
>  same as with IMAP/POP?

SMTP is considered to be a protocol to be handled locally, with 
authentication details passed via XCLIENT (if at all).  You don't 
need to proxy users to specific backend servers with their 
mailboxes, an SMTP server running locally (or on dedicated 
machine) would be enough.

There are pending patches to allow SMTP proxying to work more like 
other protocols if requested, though these needs someone to review 
them, and given low priority of mail proxying it is unknown when 
this is going to happen.

>  Yeah, I know that SNI for mail protocols is a "grey" area, 
>  still want to start implementing it.
> 
>  Denis
> >
> > 06.07.2020, 10:32, "Maxim Dounin" <mdounin at mdounin.ru>:
> >> Hello!
> >>
> >> On Mon, Jul 06, 2020 at 10:17:31AM -0700, Denis Sh. wrote:
> >>
> >>>  So, when proxying SMTP/IMAP, is it possible to get the Server
> >>>  Name that mail clients send as a part of Client Hello?
> >>
> >> Currently no.
> >>
> >>>  Similar to Embedded Variables for ngx_http_ssl_module:
> >>>  $ssl_server_name
> >>>  returns the server name requested through SNI (1.7.0);
> >>>
> >>>  I don't see these vars defined here https://github.com/nginx/nginx/blob/829c9d5981da1abc81dd7e2fb563da592203e54a/src/mail/ngx_mail_ssl_module.c#L229
> >>
> >> There is no variables in the mail module.
> >>
> >>>  Or should I use `stream` to proxy mail?
> >>>
> >>>  Any ideas?
> >>
> >> This depends on what you are trying to achieve. For obvious
> >> reasons stream won't work for complex protocol-dependent things,
> >> such as STARTTLS or authentication. But if the goal is to provide
> >> different certificates to different names requested via SNI in
> >> SMTPS and IMAPS connections, proxying via the stream module with
> >> ssl_preread (http://nginx.org/r/ssl_preread) might work for you.
> >>
> >> Note though that in general there is no concept of name-based
> >> virtual hosts in mail protocols, and using name-based virtual
> >> hosts for SSL might not be a good idea either. Also, status of
> >> SNI support by email clients varies, and "unknown" in most cases
> >> (https://en.wikipedia.org/wiki/Comparison_of_email_clients).
> >>
> >> --
> >> Maxim Dounin
> >> http://mdounin.ru/
> >> _______________________________________________
> >> nginx mailing list
> >> nginx at nginx.org
> >> http://mailman.nginx.org/mailman/listinfo/nginx
> > ,
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx mailing list