Smtp proxy with postfix

Hello,

I’d like to build an SMTP proxy with nginx (v1.8.0) and postfix (v2.9.6) on Debian7.

Somehow I’m stuck with the following problem:

  1. Configuration1:
    smtp_auth login plain cram-md5;
    xclient on;

    ==> a) My mail client can authenticate (IP:yy.yyy.yy.yy), send email and receive email (imap) - even with tls
    mail.log:
    connect from nginx_prox.de[xx.xxx.xx.xx]
    client=unknown[yy.yyy.yy.yy], sasl_method=XCLIENT, sasl_username=my_username

        b) But no emails from others are received - obviously everybody has to authenticate!!

  2. Configuration2:
    smtp_auth none;
    xclient on;

    ==> creates an open relay!

In Postfix, I have set: smtpd_authorized_xclient_hosts = xx.xxx.xx.xx

What I’d like to achieve is the current postfix behaviour:

  1. Receive emails from every Sender
  2. Only authorized users can send emails from outside the Network

Help is appreciated… I found bits and pieces in the Forum and other places - but nothing seems to be consistent…

Thanks,
Norbert

Posted at Nginx Forum:

smtp_auth set + xclient on
smtp_auth none + xclient off
?

B. R.

Well, here we go again… somehow, I’m not getting this smtp proxy to work with nginx.
I moved to haproxy, and this combination works ok. Creating a tcp connection passes over to postfix
and the postfix prompt is seen using a telnet connection - and all works just fine.

However, I’d like to stick with nginx if possible…actually if possible at all!

Here are my findings - and maybe somebody can help to confirm or disagree:

  1. Xclient = on will basically bypass sasl authorization in postfix.
    Postfix/Sasl will assume that the message is already authenticated.
    All the auth login commands are basically executed

  2. Xclient = off will not trigger any sasl authentication in postfix.
    Somehow, it seems, that the credentials are not forwarded to postfix

Is this really the expected behaviour?
IMAP behaviour is completely different. Here the authentication works just fine…

Comments appreciated,
Cugar15

Hello!

On Wed, Dec 30, 2015 at 08:20:27AM -0500, Cugar15 wrote:

> Well, here we go again… somehow, I’m not getting this smtp proxy to work
> with nginx.
> I moved to haproxy, and this combination works ok. Creating a tcp connection
> passes over to postfix
> and the postfix prompt is seen using a telnet connection - and all works
> just fine.
>
> However, I’d like to stick with nginx if possible…actually if possible at
> all!

If TCP proxying is enough in your case - you can consider
using stream proxy module instead, see here:

http://nginx.org/en/docs/stream/ngx_stream_core_module.html

> Here are my findings - and maybe somebody can help to confirm or disagree:
>
>   1. Xclient = on will basically bypass sasl authorization in postfix.
>     Postfix/Sasl will assume that the message is already authenticated.
>     All the auth login commands are basically executed

Yes. All information obtained by nginx is passed via the XCLIENT
command.

>   2. Xclient = off will not trigger any sasl authentication in postfix.
>     Somehow, it seems, that the credentials are not forwarded to postfix

Yes. Authentication is checked by auth_http script, and there is
no need to do additional authentication to SMTP backend. As long
as appropriate checks are done by auth_http, it’s enough to allow
your nginx IP to submit mail.

If it’s not enough in your particular setup (e.g., you want
correct “Received” headers to be added), enable XCLIENT.

> Is this really the expected behaviour?
> IMAP behaviour is completely different. Here the authentication works just
> fine…

Yes, that’s expected.


Maxim D.
http://nginx.org/

Hi Maxim, thanks for the reply!

  1. Interesting, I will look into the ngx_stream_core_module

  2. I still have one question for Xclient = on - since I’ve banged my head
    against it for days now:

You state: All information obtained by nginx is passed via the XCLIENT command.

Is this true for all credentials?? Like username and password as obtained with an ‘auth login’ sequence:
Somehow, I can find: sasl_method=XCLIENT, [email protected]
in the postfix logfile.
However, I cannot find the password information…

Thanks again,
Cugar15

Hello!

On Wed, Dec 30, 2015 at 10:49:06AM -0500, Cugar15 wrote:

> Is this true for all credentials?? Like username and password as obtained
> with a ‘auth login’ sequence:
> Somehow, I can find: sasl_method=XCLIENT, [email protected]
> in the postfix logfile.
> However, I cannot find the password information…

Passwords are not present in XCLIENT and aren’t expected to.
Authentication is done by nginx and it’s nginx responsibility to
check passwords, and it does so using auth_http service. Note
well that in many authentication methods passwords aren’t sent at
all, appropriate hashes are used instead.


Maxim D.
http://nginx.org/
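
The policy asked for in this thread (accept mail for local recipients from anyone, require a login for everything else), written as the decision logic of an auth_http service. This is an added example, not code from any poster or from the nginx project; it assumes a listener whose `smtp_auth` list includes `none` alongside the login methods, and the domain, user table and backend address are constructed.

```python
import hashlib
import hmac

# Constructed sample data (assumptions): local domains, one user, Postfix backend.
LOCAL_DOMAINS = {"example.org"}
USERS = {"alice@example.org": "correct horse"}  # plaintext only for the demo
BACKEND = {"Auth-Server": "127.0.0.1", "Auth-Port": "10025"}


def _deny(message, code):
    # nginx relays the Auth-Status text and Auth-Error-Code to the SMTP client.
    return {"Auth-Status": message, "Auth-Error-Code": code, "Auth-Wait": "3"}


def _rcpt_domain(auth_smtp_to):
    # nginx forwards the raw command, e.g. "RCPT TO: <bob@example.org>".
    start, end = auth_smtp_to.find("<"), auth_smtp_to.rfind(">")
    local, at, domain = auth_smtp_to[start + 1:max(end, 0)].rpartition("@")
    return domain.lower() if start != -1 and at and local else None


def _password_ok(h):
    secret = USERS.get(h.get("auth-user", ""))
    if secret is None:
        return False
    expected = secret
    if h.get("auth-method") == "cram-md5":
        # No password on the wire: Auth-Pass is HMAC-MD5(password, Auth-Salt).
        salt = h.get("auth-salt", "").encode()
        expected = hmac.new(secret.encode(), salt, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), h.get("auth-pass", "").encode())


def decide(headers):
    """Map nginx auth_http request headers to the response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("auth-protocol") != "smtp":
        return _deny("Unsupported protocol", "554 5.7.1")
    if h.get("auth-method") == "none":
        # Unauthenticated session: accept mail for local domains only,
        # anything else would make the proxy an open relay.
        if _rcpt_domain(h.get("auth-smtp-to", "")) in LOCAL_DOMAINS:
            return {"Auth-Status": "OK", **BACKEND}
        return _deny("Relay access denied", "554 5.7.1")
    if h.get("auth-method") in ("plain", "cram-md5") and _password_ok(h):
        return {"Auth-Status": "OK", **BACKEND}
    return _deny("Invalid login or password", "535 5.7.8")
```

With `xclient on`, Postfix still needs the nginx address in `smtpd_authorized_xclient_hosts`, as in the first post, and it never sees the password in either branch.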