Request for some smtp example with and without auth


#1

Dear all,

For pop and imap it's pretty clear and I have documented it on the wiki.

Can someone please state a short example on how nginx smtp proxy works
with an smtp server.
The documentation on this is very sparse. If you can forward me in the
right direction, I will write the documentation on the wiki myself.

Without authentication (MX)

  • Is it possible to multiplex to different real smtp servers (If not, it's
    fine, LVS can do that job)

  • Is it possible to do something with the header before forwarding the
    request to the real smtp server. (How can the real smtp server do RBL
    checks if the IP address is local)

  • What can nginx do before sending the connection to the smtp server
    (Can it change/add some headers, can it pass the mail through a filter)?

With Authentication
Same questions as above. A short example (even in pseudo code) will be
very helpful.

What to look out for on the real smtp server?
Does the actual IP go to the real smtp server?

etc

thanks and best regards

Atif G.


#2

Atif G. wrote:

Without authentication (MX)

  • Is it possible to multiplex to different real smtp servers (If not, it's
    fine, LVS can do that job)

Nginx sends a request by http to the server defined in the config, and
this server can return the ip of different upstreams. So load balancing
can be done by this “auth” server.

  • Is it possible to do something with the header before forwarding the
    request to the real smtp server. (How can the real smtp server do RBL
    checks if the IP address is local)

Nginx can tell the real smtp server the client’s ip via the XCLIENT command:
http://www.postfix.org/XCLIENT_README.html
xclient can also be used with patched exim:
http://cebka.pp.ru/blog/patch-exim-xclient

Also, the RBL check can be performed by nginx+http server.
An example of such a server is:
http://cebka.pp.ru/hg/nginx-smtp-policy
(works with patched libevent: http://cebka.pp.ru/blog/libevent_txt.patch)

  • What can nginx do before sending the connection to the smtp server
    (Can it change/add some headers, can it pass the mail through a filter)?

No, nginx can’t change the message.

With Authentication
Same questions as above. A short example (even in pseudo code) will be
very helpful.

The auth server works as for pop3/smtp. An additional header in the
response can be added for bad replies

  • Auth-Status - it is used as the smtp error code.

Maybe the main reason to use nginx as an smtp auth proxy is to share the
auth server with pop3/imap.

What to look out for on the real smtp server?
Does the actual IP go to the real smtp server?

The MTA can also learn the client’s IP from the XCLIENT command.
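
Added example, not part of the original thread or of any project linked in it: a sketch of the decision an `auth_http` server makes for nginx's SMTP proxy, covering both the MX case (`smtp_auth none`, RBL check on `Client-IP`) and the AUTH case. The header names are those of nginx's auth_http protocol, where `Auth-Status` carries the error text and `Auth-Error-Code` the SMTP reply code; the backends, RBL zone, listed address and user store are constructed placeholders, and the RBL lookup is injected so the block runs offline.

```python
import hmac
import ipaddress

# Constructed sample data; every value here is an assumption for the example.
BACKENDS = ["10.0.0.11", "10.0.0.12"]      # internal MTAs behind nginx
LISTED = {"7.113.0.203.rbl.example"}       # stand-in for answers from an RBL zone
USERS = {"alice@example.org": "s3cret"}    # stand-in for the pop3/imap user store


def rbl_name(ip, zone="rbl.example"):
    """DNSBL query name for an IPv4 address: reversed octets, then the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def deny(message, smtp_code):
    """Failure reply: nginx sends smtp_code and message to the SMTP client."""
    return {"Auth-Status": message, "Auth-Error-Code": smtp_code}


def auth_http_reply(headers, is_listed=lambda name: name in LISTED):
    """Decide on one auth_http request; returns the response headers for nginx."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        ip = ipaddress.IPv4Address(h.get("client-ip", ""))
    except ValueError:
        return deny("Temporary lookup failure", "451 4.3.0")
    method = h.get("auth-method", "")
    if method == "none":                    # MX traffic, nginx set to smtp_auth none
        if is_listed(rbl_name(ip)):
            return deny("Client host blocked", "554 5.7.1")
    elif method == "plain":                 # submission with SMTP AUTH
        expected = USERS.get(h.get("auth-user", ""))
        given = h.get("auth-pass", "").encode()
        if expected is None or not hmac.compare_digest(expected.encode(), given):
            return deny("Invalid login or password", "535 5.7.8")
    else:
        return deny("Unsupported authentication method", "504 5.5.4")
    # Any MTA can accept the message, so spread clients by address.
    backend = BACKENDS[int(ip) % len(BACKENDS)]
    return {"Auth-Status": "OK", "Auth-Server": backend, "Auth-Port": "25"}
```

With `xclient on;` in the nginx `mail` server block, the chosen backend receives the original client address through XCLIENT, so it must be configured to accept that command only from the proxy.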


#3

Anton,

Thanks for your replies.
They are most useful (and you will be credited in the wiki entry).

Let me try these now and come back to you.

best regards


#4

Anton,

If I correctly understood,

  1. nginx as smtp proxy is useful when using smtp auth. (to dispatch to
    different backends)
  2. nginx as smtp proxy is useful when not using smtp auth. (to do ip
    based checks)

please confirm.
thanks and best regards

Atif


#5

Hello!

On Sun, Apr 05, 2009 at 01:30:34AM +0400, Anton Y. wrote:

nginx can be used for load balancing between different servers with MTA,
but for load-balancing only better to use something like IPVS (in Linux)
or pf (in BSD).

No, you are somewhat wrong here. As smtp proxy with auth nginx is
really very useful to move load away from traditional
process-per-connection smtp servers (until the user is authenticated).
This saves lots of resources when you have many invalid
connections (e.g. initiated by malware, bruteforce attacks etc.).

This may not be an issue unless you run a big mail server though.

not advertised in EHLO reply.
Yes.

Support for smtp pipelining may be found here:
http://mdounin.ru/hg/nginx-mail

Maxim D.


#6

Does anyone have an example config of SMTP without Auth they could post
in this thread? I am just trying to get going an SMTP Relay Proxy to
internal MTAs from external connections. Or could someone please point me
in the correct direction.
Cheers

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,786,1267#msg-1267


#7

Atif G. wrote:

If I correctly understood,

  1. nginx as smtp proxy is useful when using smtp auth. (to dispatch to
    different backends)

IMHO nginx as smtp proxy with auth is useful only to reuse the auth server
created for the pop/imap proxy.

For pop3/imap nginx is needed for proxying different users to different
backends (where mail is stored).
In smtp a message can be sent via a random server.

nginx can be used for load balancing between different servers with MTA,
but for load-balancing only it is better to use something like IPVS (in
Linux) or pf (in BSD).

  2. nginx as smtp proxy is useful when not using smtp auth. (to do ip
    based checks)

Without auth (incoming mail) nginx can be used to save resources if only
ips not in an RBL are proxied to the servers with MTA.

But I don’t know whether the current nginx version is used anywhere in
production as smtp proxy without auth. IMHO it is not ready for
production, because of the lack of smtp pipelining support. Some MTAs
(probably some sendmail versions/configs) have a bad habit of using
pipelining even if its support is not advertised in the EHLO reply.