Forum: NGINX Error: insufficient authorization

2974d09ac2541e892966b762aad84943?d=identicon&s=25 HajoLOcke (Guest)
on 2011-02-08 15:07
(Received via mailing list)
Hello,

i do some tests with nginx and the mail proxy modules. running imap/pop3
seems to work. Now i try with smtp.
My auth-server is a little php-script:

<?
header("HTTP/1.0 200 OK");
header("Auth-Status: OK");
header("Auth-Server: 127.0.0.1");
header("Auth-Port: 25");
header("Auth-Protocol: smtp");
header("Auth-User: myusername");
header("Auth-Pass: mypass");
?>

When testing smtp by telnet i got: 451 4.3.2 Internal server error after
auth login.
and in log:
2011/02/08 14:04:42 [error] 27740#0: *23 upstream sent invalid response:
"550 5.7.0 Error: insufficient authorization" while reading response
from upstream, client: ip.ip.ip.ip, server: 0.0.0.0:26, login:
"myusername", upstream: 127.0.0.1:25

what else is needed?

i have 2 more questions.
how to provide a basic log for mail-proxying? i only got server-errorlog
to work.
i read that nginx in smtp-proxy mode wants to do the complete auth-stuff
and needs an "open" smtp-engine behind. This is not what i like. I would
like that nginx is just transfering sessions to assigned host and let
the real smtp-engine(postfix) let do the auth stuff. with pop/imap proxy
ngingx is working like this but not with smtp. is this possible with
nginx?

Thanks,
Hajo

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,173197,173197#msg-173197
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2011-02-08 15:26
(Received via mailing list)
Hello!

On Tue, Feb 08, 2011 at 09:05:44AM -0500, HajoLOcke wrote:

> header("Auth-User: myusername");
>
> what else is needed?

nginx doesn't attempt authentication against SMTP backends.  You
have to allow unauthenticated access from nginx on your SMTP
backends.

> i have 2 more questions.
> how to provide a basic log for mail-proxying? i only got server-errorlog
> to work.

That's the only logging available.

> i read that nginx in smtp-proxy mode wants to do the complete auth-stuff
> and needs an "open" smtp-engine behind. This is not what i like. I would
> like that nginx is just transfering sessions to assigned host and let
> the real smtp-engine(postfix) let do the auth stuff. with pop/imap proxy
> ngingx is working like this but not with smtp. is this possible with
> nginx?

No.

Maxim Dounin
2974d09ac2541e892966b762aad84943?d=identicon&s=25 HajoLOcke (Guest)
on 2011-02-08 15:49
(Received via mailing list)
Hello,


> nginx doesn't attempt authentication against SMTP backends. You
> have to allow unauthenticated access from nginx on your SMTP
> backends.

ok, i thinking about this...
but there must be a error in my response from auth-server, because not
postfix is rejecting mail but nginx is with internal error message.
postfix only says:
lost connection after XCLIENT from localhost[127.0.0.1]
what could be wrong? is there an additional header-line required?

Thanks,
Hajo

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,173197,173220#msg-173220
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2011-02-08 16:31
(Received via mailing list)
Hello!

On Tue, Feb 08, 2011 at 09:46:55AM -0500, HajoLOcke wrote:

> > nginx doesn't attempt authentication against SMTP backends. You
> > have to allow unauthenticated access from nginx on your SMTP
> > backends.
>
> ok, i thinking about this...
> but there must be a error in my response from auth-server, because not
> postfix is rejecting mail but nginx is with internal error message.
> postfix only says:
> lost connection after XCLIENT from localhost[127.0.0.1]
> what could be wrong? is there an additional header-line required?

It's Postfix who refused to talk to nginx, note "upstream sent
invalid response: "550 5.7.0 Error: insufficient authorization""
in your nginx log.

As you don't have proxy_pass_error_message in your config - this
results in "451 4.3.2 Internal server error" returned by nginx.

Maxim Dounin
2974d09ac2541e892966b762aad84943?d=identicon&s=25 HajoLOcke (Guest)
on 2011-02-08 17:10
(Received via mailing list)
Hello,

> It's Postfix who refused to talk to nginx, note "upstream sent
> invalid response: "550 5.7.0 Error: insufficient authorization""
> in your nginx log.

ahh, ok i see.

with xclient off and nginx-ip in trusted nets i can send mails now.
with xclient on i get: Bad XCLIENT attribute name: LOGIN
(older postfix)
i seems that xclient string is not configurable... ok, just for
tests...
in my case it would really the best way if nginx would just do the
proxying without doing auth stuff. but i think this is not even
planned.

Thanks,
Hajo

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,173197,173246#msg-173246
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2011-02-08 17:39
(Received via mailing list)
Hello!

On Tue, Feb 08, 2011 at 11:09:08AM -0500, HajoLOcke wrote:

> tests...
Using xclient requires postfix patch from here (in Russian):

http://www.citrin.ru/nginx:xclient-login-patch

Maxim Dounin
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.