Nginx mail proxy - ensure sender match authenticated user
Maxim Dounin
mdounin at mdounin.ru
Thu May 20 13:28:57 UTC 2021
Hello!
On Thu, May 20, 2021 at 03:25:48AM -0400, mbrother wrote:
> I am a fan of nginx and I really like nginx mail proxy module. I'm having a
> problem between the authenticated account and the sender when using this
> module. For better understanding, please see my test below:
>
> root at nginx:~# telnet xx.xx.xx.xx 25
> Trying xx.xx.xx.xx ...
> Connected to xx.xx.xx.xx .
> Escape character is '^]'.
> 220 smtp.xxx.xxx ESMTP ready
> ehlo mail.example.com
> 250-smtp. xxx.xxx
> 250 AUTH LOGIN
> AUTH LOGIN
> 334 VXNlcm5hbWU6
> xxxxxxxxxxxxxxxxxxxxxxxxxx
> 334 UGFzc3dvcmQ6
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> 235 2.0.0 OK
> mail from: admin at gmail.com
> 250 OK <admin at gmail.com> Sender ok
> rcpt to: admin at gmail.com
> 250 OK <admin at gmail.com> Recipient ok
> data
> 354 Start mail input; end with <CRLF>.<CRLF>
> test
> test
> .
> 250 OK
> quit
> 221 Service closing transmission channel
> Connection closed by foreign host.
>
> As you have seen, after successful authentication, I can send email using
> any account and nginx skips checking if this account matches the previously
> authenticated account.
After successful authentication nginx establishes an opaque pipe
between the client and the backend server, and no longer controls
what the client does. It's up to the backend server to check if
the client is allowed to send relevant messages or not.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx
mailing list