Forum: NGINX Request for some smtp example with and without auth

Atif Ghaffar (Guest)
on 2009-04-03 22:27
(Received via mailing list)
Dear all,

For pop and imap it's pretty clear and I have documented it on the wiki.

Can someone please state a short example on how nginx smtp proxy works with a smtp server.
The documentation on this is very sparse. If you can forward me to the right direction, I will write the documentation on the wiki myself.

Without authentication (MX)

* Is it possible to multiplex to different real smtp servers (If not, it's fine, LVS can do that job)

* Is it possible to do something with the header before forwarding the request to the real smtp server. (How can the real smtp server do RBL checks if the IP address is local)

* What can nginx do before sending the connection to the smtp server (Can it change/add some headers, can it pass the mail through a filter)?

With Authentication
Same questions as above. A short example (even in pseudo code) will be very helpful.

What to look out for on the real smtp server?
Does the actual IP go to the real smtp server?

etc

thanks and best regards
--

Atif Ghaffar
Anton Yuzhaninov (Guest)
on 2009-04-03 23:58
(Received via mailing list)
Atif Ghaffar wrote:
>
> Without authentication (MX)
>
> * Is it possible to multiplex to different real smtp servers (If not, it's
> fine, LVS can do that job)

Nginx sends a request by http to the server defined in the config, and this server can return the ip of different upstreams. So load balancing can be done by this "auth" server.

>
> * Is it possible to do something with the header before forwarding the
> request to the real smtp server. (How can the real smtp server do RBL checks
> if the IP address is local)

Nginx can tell the real smtp server the client's ip via the XCLIENT command:
http://www.postfix.org/XCLIENT_README.html
xclient can also be used with patched exim:
http://cebka.pp.ru/blog/patch-exim-xclient

Also, the RBL check can be performed by nginx + http server.
An example of such a server is:
http://cebka.pp.ru/hg/nginx-smtp-policy
(works with patched libevent: http://cebka.pp.ru/blog/libevent_txt.patch)

>
> * What can nginx do before sending the connection to the smtp server
> (Can it change/add some headers, can it pass the mail through a filter)?

No, nginx can't change the message.

>
>
> With Authentication
> Same questions as above. A short example (even in pseudo code) will be
> very helpful.

Auth server works as for pop3/smtp. An additional header in the response can be added for bad replies - Auth-Status - it is used as the smtp error code.

Maybe the main reason to use nginx as smtp auth proxy is to share the auth server with pop3/imap.

>
> What to look out for on the real smtp server?
> Does the actual IP go to the real smtp server?
>

The MTA can also learn the client's IP from the XCLIENT command.
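
An illustration of the auth_http flow described in the reply above, added here as an example and not part of the original thread or of any project linked in it: a minimal auth server that rejects DNSBL-listed clients and rotates accepted connections across backend MTAs. The backend addresses, the DNSBL zone and port 9000 are assumptions.

```python
# auth_http endpoint for nginx's SMTP proxy without SMTP AUTH. nginx side (mail context):
#   mail { auth_http 127.0.0.1:9000/auth; xclient on;
#          server { listen 25; protocol smtp; smtp_auth none; } }
import ipaddress
import itertools
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values: backend MTAs and DNSBL zone are assumptions.
BACKENDS = [("10.0.0.11", 25), ("10.0.0.12", 25)]
DNSBL_ZONE = "dnsbl.example.org"
REJECT = "554 5.7.1"
backend_cycle = itertools.cycle(BACKENDS)

def dnsbl_name(client_ip, zone=DNSBL_ZONE):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(client_ip, resolve=socket.gethostbyname):
    """Listed if the name resolves; any lookup failure counts as not listed."""
    try:
        resolve(dnsbl_name(client_ip))
        return True
    except socket.gaierror:
        return False

def auth_response(headers, resolve=socket.gethostbyname):
    """Map nginx's auth request headers to the response headers it expects."""
    if headers.get("Auth-Protocol") != "smtp" or headers.get("Auth-Method") != "none":
        return {"Auth-Status": "Unsupported request", "Auth-Error-Code": REJECT}
    try:
        listed = is_listed(headers.get("Client-IP", ""), resolve)
    except ValueError:  # missing or non-IPv4 Client-IP: reject
        return {"Auth-Status": "Bad client address", "Auth-Error-Code": REJECT}
    if listed:
        return {"Auth-Status": "Client blocked by DNSBL", "Auth-Error-Code": REJECT}
    host, port = next(backend_cycle)  # round-robin over the backend MTAs
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)  # the verdict travels in the response headers
        for name, value in auth_response(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

On the backend, XCLIENT should be accepted only from the proxy's address (in Postfix, `smtpd_authorized_xclient_hosts`), since the command lets the sender state the client IP.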
Atif Ghaffar (Guest)
on 2009-04-04 00:10
(Received via mailing list)
Anton,

Thanks for your replies,
They are most useful (and you will be credited in the wiki entry)

Let me try these now and come back to you.

best regards
Atif Ghaffar (Guest)
on 2009-04-04 22:07
(Received via mailing list)
Anton,

If I correctly understood,

1. nginx as smtp proxy is useful when using smtp auth. (to dispatch to different backends)
2. nginx as smtp proxy is useful when not using smtp auth. (to do ip based checks)

please confirm.
thanks and best regards
--
Atif
Anton Yuzhaninov (Guest)
on 2009-04-04 23:40
(Received via mailing list)
Atif Ghaffar wrote:
> If I correctly understood,
>
> 1. nginx as smtp proxy is useful when using smtp auth. (to dispatch to
> different backends)

IMHO nginx as smtp proxy with auth is useful only to reuse an auth server created for the pop/imap proxy.

For pop3/imap, nginx is needed for proxying different users to different backends (where mail is stored).
In smtp, a message can be sent via a random server.

nginx can be used for load balancing between different servers with MTA, but for load balancing only it is better to use something like IPVS (in Linux) or pf (in BSD).

> 2. nginx as smtp proxy is useful when not using smtp auth. (to do ip
> based checks)

Without auth (incoming mail), nginx can be used to save resources if only IPs not in an RBL are proxied to servers with MTA.

But I don't know whether the current nginx version is used anywhere in production as an smtp proxy without auth. IMHO it is not ready for production, because of the lack of smtp pipelining support. Some MTAs (probably some sendmail versions/configs) have a bad habit of using pipelining even if its support is not advertised in the EHLO reply.
Maxim Dounin (Guest)
on 2009-04-05 01:48
(Received via mailing list)
Hello!

On Sun, Apr 05, 2009 at 01:30:34AM +0400, Anton Yuzhaninov wrote:

>
> nginx can be used for load balancing between different servers with MTA,
> but for load-balancing only better to use something like IPVS (in Linux)
> or pf (in BSD).

No, you are somewhat wrong here.  As smtp proxy with auth nginx is
really very useful to move load away from traditional
process-per-connection smtp servers (until user is authenticated).
This saves lots of resources when you have many invalid
connections (e.g. initiated by malware, bruteforce attacks etc.).

This may not be an issue unless you run a big mail server
though.

> not advertised in EHLO reply.
Yes.

Support for smtp pipelining may be found here:
http://mdounin.ru/hg/nginx-mail

Maxim Dounin
blacktux (Guest)
on 2009-04-22 09:40
(Received via mailing list)
Does anyone have an example config of SMTP without Auth they could post
in this thread?  I am just trying to get going an SMTP Relay Proxy to
internal MTAs from external connections. Or could someone please point me in the
correct direction.
Cheers

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,786,1267#msg-1267