Simple SMTP proxy without an auth (pass AUTH command to backend)

Francis Daly francis at
Tue Sep 29 22:32:31 UTC 2020

On Tue, Sep 29, 2020 at 11:24:14AM -0400, kay wrote:

Hi there,

> I'd like to use nginx to serve TLS and/or StartTLS connections only, the
> rest must be "proxy passed" without a modification to the backend.

"TLS-only" might work if you use "stream" rather than "mail", so that
nginx is the TLS-termination of an otherwise-opaque stream of traffic.

The rest of what you describe does not appear to match the nginx "smtp
proxy" model (which is, briefly, a tcp connection is authenticated and
then blindly forwarded to a back-end ip:port).

> Unfortunately I noticed
> topic, where Maxim Dounin mentioned that it is impossible. That was 10 years
> ago, probably now the situation is changed? Is there an option, which I can
> use to pass the AUTH command?

I don't think so, no.

Probably no-one cared enough about this feature to design and implement
something in nginx; instead they either changed their own design to fit
the nginx model, or they used something other than nginx.

> P.S. Side question, I'd like to use a hostname in Auth-Server header:
> location = /mail/auth {
>     add_header Auth-Status OK;
>     add_header Auth-Server hostname;
>     add_header Auth-Port   8025;
>     return 204;
> }
> but nginx doesn't allow to do this. Is there an option or a workaround for
> this?

Option - no, not today.

Workaround - in that location{}, do something dynamic to learn the IP
address that you want this smtp connection to be passed to, and send
that IP address in the header.

*Someone* has to turn the hostname into an IP address. The nginx mail
proxy protocol is that "the server" does that, not "the client".

Possibly a patch to change that would be accepted, if it is shown to be
reliable and an improvement on what is there now.

Good luck with it,

Francis Daly        francis at
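The workaround described in the reply above (have the auth endpoint turn the hostname into an IP address and send that in `Auth-Server`), as an added example that is not part of the original message or of nginx itself. The backend name, the listen address and the IPv4-only lookup are assumptions; the port is the one from the quoted `location` block.

```python
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKEND_HOST = "smtp-backend.example.internal"  # assumed name, placeholder
BACKEND_PORT = 8025                             # port from the quoted config
LISTEN = ("127.0.0.1", 9000)                    # assumed auth_http address


def auth_headers(hostname, port, resolver=socket.getaddrinfo):
    """Build the auth_http response headers for nginx's mail proxy.

    nginx wants an IP address in Auth-Server, so the name is resolved here.
    """
    try:
        infos = resolver(hostname, port, family=socket.AF_INET,
                         type=socket.SOCK_STREAM)
    except socket.gaierror:
        infos = []
    if not infos:
        # Resolution failed: have nginx answer with a temporary SMTP error
        # instead of forwarding the connection anywhere.
        return {
            "Auth-Status": "Temporary server problem, try again later",
            "Auth-Error-Code": "451 4.3.0",
            "Auth-Wait": "3",
        }
    ip = infos[0][4][0]  # sockaddr of the first result is (ip, port)
    return {"Auth-Status": "OK", "Auth-Server": ip, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Like the quoted location block, this accepts every connection
        # without checking credentials; it only adds the hostname lookup.
        self.send_response(200)
        for name, value in auth_headers(BACKEND_HOST, BACKEND_PORT).items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(LISTEN, AuthHandler).serve_forever()
```

Point the mail block's `auth_http` at the listen address; the lookup runs once per incoming SMTP connection, so a local caching resolver keeps it cheap.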
