Mail proxying

Detlef_R · May 31, 2015, 1:59am

Hi

I’m setting up nginx as a reverse proxy for a postfix / dovecot setup.

My imap server requires STARTTLS usage. Nginx seems to not issue
STARTTLS
command before forwarding users credentials.

Here is the error I found in /var/log/nginx/error.log

[error] 928#0: 20 upstream sent invalid response: " BAD [ALERT]
Plaintext
authentication not allowed without SSL/TLS, but your client did it
anyway.
If anyone was listening, the password was exposed.

I did not found anything in the documentation to ask nginx to issue
STARTTLS
command to the upstream server. Is there a way to achieve this ?

I did not tried pop3 yet, but I’m expecting the same annoyance. and the
same
answer; let me know if I’m wrong.

Posted at Nginx Forum:

dethegeek · May 31, 2015, 4:40pm

Hi,

Unfortunately not with Nginx. You could, however, use stunnel on the
backends to do this.

Kind Regards
Andrew

Posted at Nginx Forum:
mail proxying

nginx mailing list
[email protected]
nginx Info Page

–
Andrew H. (LinuxJedi)
Senior Developer Advocate
Nginx Inc.

dethegeek · June 1, 2015, 7:01am

Hi,

On 31/05/15 11:58, dethegeek wrote:

authentication not allowed without SSL/TLS, but your client did it anyway.

Try the wiki. Specifically

–
Steve H. BSc(Hons) MIITP

Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

dethegeek · June 1, 2015, 1:52pm

Hi

Steve, thank you for your reply.

I already read the page you mentionned, and as I understand it, either
this
feature is missing, either it is not documented.

Andrew said TLS is not implemented, so I’ll follow his advice to
properly
workaround this limitation.

Posted at Nginx Forum:

dethegeek · June 1, 2015, 1:45pm

Hi

Thank you Andrew,

You confirmed what I’m afraid of.

I hope this feature will be implemented soon.

Posted at Nginx Forum:

dethegeek · June 1, 2015, 10:08pm

feature is missing, either it is not documented.

Andrew said TLS is not implemented, so I’ll follow his advice to properly
workaround this limitation.

Although I’ve never done this, the example is pretty specific for STARTTLS. I’ve
not known nginx docs to be incorrect.

The example is for STARTTLS at the client to NGINX server level. I
believe the question was for the NGINX server to upstream server level
and unfortunately NGINX does not currently support this and has no
configuration options for it.

Kind Regards

Andrew H. (LinuxJedi)
Senior Developer Advocate
Nginx Inc.

dethegeek · June 1, 2015, 10:01pm

HI

On 01/06/15 23:51, dethegeek wrote:

Posted at Nginx Forum:
Re: mail proxying

nginx mailing list
[email protected]
nginx Info Page
Although I’ve never done this, the example is pretty specific for
STARTTLS. I’ve not known nginx docs to be incorrect.

–
Steve H. BSc(Hons) MIITP

Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

dethegeek · June 2, 2015, 7:48am

Hi

As I understood the example given in the documentation, it is for a TLS
session between a client and nginx. This is the next step in my
roadmap.
Right now, I’m focusing on the secure connection between nginx and the
backend servers.

It still would be interesting to implement whad I need directly in
nginx; As
I understand how nginx works with pop3 / imap / smtp protocols I guess
this
would be a reasonnable work.

Thank you Andrew and Steve.

Posted at Nginx Forum: