Forum: NGINX Mail proxy with SNI

lblankers (Guest)
on 2013-03-29 22:31
(Received via mailing list)
Hi,

I would like to use nginx 1.2.1 with TLS SNI support to proxy SMTP
submission for several different domains over SSL. I would expect that if I
configure multiple servers with different server names that a TLS v1 client
will select the correct one through SNI. However I always get the first
certificate regardless of the hostname specified in ClientHello.

Is there something wrong with my config?

mail {
        auth_http       127.0.0.1/auth.php;

        smtp_auth               login plain;
        smtp_capabilities       "SIZE 10240000" "VRFY" "ETRN" "ENHANCEDSTATUSCODES" "8BITMIME" "DSN";

        server {
                listen                  587;
                server_name             domain1.nl;
                protocol                smtp;
                proxy                   on;
                starttls                only;
                ssl_certificate         /etc/nginx/ssl/domain1.crt;
                ssl_certificate_key     /etc/nginx/ssl/domain1.key;
        }

        server {
                listen                  587;
                server_name             domain2.com;
                protocol                smtp;
                proxy                   on;
                starttls                only;
                ssl_certificate         /etc/nginx/ssl/domain2.crt;
                ssl_certificate_key     /etc/nginx/ssl/domain2.key;
        }

}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,237967,237967#msg-237967
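A way to test what the post above describes, i.e. which certificate the proxy presents for each SNI name, as an added example that is not code from the thread or from nginx. It performs the STARTTLS exchange by hand so that the SNI name in ClientHello can be chosen independently of the address being connected to, then compares the SHA-256 fingerprint of the certificate presented for each name. If every name yields the same fingerprint, the server is not selecting certificates by SNI. The host and domain names in the script are placeholders.

```python
"""Check whether an SMTP submission (STARTTLS) server selects its certificate by SNI.

Added example; not code from the forum thread or from nginx. It assumes a
STARTTLS-capable server on the given port and uses placeholder host names.
"""
import hashlib
import io
import socket
import ssl


def read_reply(rfile) -> tuple[int, list[str]]:
    """Read one SMTP reply (single- or multi-line) and return (code, text lines).

    A multi-line reply continues while the 4th character is '-' and ends at
    the line where it is a space (RFC 5321, section 4.2.1).
    """
    code, lines = 0, []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed in the middle of a reply")
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code = int(line[:3])
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            return code, lines


def parse_reply(data: bytes) -> tuple[int, list[str]]:
    """Same as read_reply, over an in-memory byte string (useful for testing)."""
    return read_reply(io.BytesIO(data))


def ehlo_offers_starttls(lines: list[str]) -> bool:
    """True if an EHLO reply lists STARTTLS (lines[0] is the server's greeting text)."""
    return any(l.split()[0].upper() == "STARTTLS" for l in lines[1:] if l.strip())


def fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def presented_fingerprint(host: str, port: int, sni_name: str, timeout: float = 10.0) -> str:
    """Connect, EHLO, STARTTLS with the given SNI name, return the presented cert's fingerprint.

    Verification is deliberately disabled: the goal is to see what the server
    presents, not to validate it. getpeercert() returns an empty dict for an
    unverified peer, so the DER form is fingerprinted instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"unexpected greeting code {code}")
        sock.sendall(b"EHLO sni-check.invalid\r\n")  # constructed client name
        code, lines = read_reply(rfile)
        if code != 250 or not ehlo_offers_starttls(lines):
            raise RuntimeError("server did not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(rfile)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with code {code}")
        # The SNI name sent in ClientHello is chosen here, independent of `host`.
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            der = tls.getpeercert(binary_form=True)
            tls.sendall(b"QUIT\r\n")
    return fingerprint(der)


def fingerprints_by_sni(host: str, port: int, names: list[str]) -> dict[str, str]:
    """Fingerprint of the certificate presented for each SNI name."""
    return {name: presented_fingerprint(host, port, name) for name in names}


def all_same(fingerprints: dict[str, str]) -> bool:
    """True when every SNI name received the same certificate (SNI not honoured)."""
    return len(set(fingerprints.values())) <= 1


if __name__ == "__main__":
    # Placeholder values: replace with the proxy's address and the domains it serves.
    results = fingerprints_by_sni("mail.example.invalid", 587, ["domain1.nl", "domain2.com"])
    for name, fp in results.items():
        print(f"{name}: {fp}")
    print("same certificate for every name" if all_same(results) else "certificate varies by SNI")
```

Running it against a proxy that ignores SNI prints an identical fingerprint for every name, which is exactly the symptom reported above; a server that honours SNI prints a different fingerprint per domain.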
Valentin V. Bartenev (Guest)
on 2013-03-29 23:25
(Received via mailing list)
On Saturday 30 March 2013 01:30:21 lblankers wrote:
> Hi,
>
> I would like to use nginx 1.2.1 with TLS SNI support to proxy SMTP
> submission for several different domains over SSL. I would expect that if I
> configure multiple servers with different server names that a TLS v1 client
> will select the correct one through SNI. However I always get the first
> certificate regardless of the hostname specified in ClientHello.
>
> Is there something wrong with my config?
>

The problem is that TLS SNI currently is not supported in mail proxy.

  wbr, Valentin V. Bartenev

--
http://nginx.org/en/donation.html
Phil Pennock (Guest)
on 2013-03-30 01:12
(Received via mailing list)
On 2013-03-30 at 02:24 +0400, Valentin V. Bartenev wrote:
> The problem is that TLS SNI currently is not supported in mail proxy.
If someone needs TLS SNI with SMTP right now, Exim supports this.  It's
not designed to be as scalable as nginx in performance, but it does okay
for most folks' purposes.

(Support added in 4.80, released 2012-05-31; 4.80.1 is current)
lblankers (Guest)
on 2013-03-30 09:34
(Received via mailing list)
On March 29, 2013 08:14PM Phil Pennock wrote:
> On 2013-03-30 at 02:24 +0400, Valentin V. Bartenev wrote:
> > On Saturday 30 March 2013 01:30:21 lblankers wrote:
> > > I would like to use nginx 1.2.1 with TLS SNI support to proxy SMTP
> > > submission for several different domains over SSL. I would expect that if I
> > > configure multiple servers with different server names that a TLS v1 client
> > > will select the correct one through SNI. However I always get the first
> > > certificate regardless of the hostname specified in ClientHello.
> > >
> > > Is there something wrong with my config?
> > >
> >
> > The problem is that TLS SNI currently is not supported in mail proxy.
>
> If someone needs TLS SNI with SMTP right now, Exim supports this. It's
> not designed to be as scalable as nginx in performance, but it does okay
> for most folks' purposes.

Thanks for clearing that up. I would prefer to use nginx rather than switch
to Exim because I would like to use nginx to proxy IMAP using SSL SNI
as well. Would it be possible to add SNI to the mail proxy?

I am doing this as a hobby project rather than professionally, so getting
multiple IPs in order to host multiple domains is prohibitively expensive,
both in one-time cost (~ € 100) and recurring cost (€ 2.50 / month / IP).
So if someone could suggest a cheaper solution (e.g. sponsoring a
developer to add this feature) I would very much appreciate that.

Laurens

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,237967,237972#msg-237972
Jonathan Matthews (Guest)
on 2013-03-30 13:58
(Received via mailing list)
A cheaper, non-commercially-viable option (which might be acceptable
as you indicate it's not a professional project) would just be to put
different domains' certs on different ports. A slight one-time setup
annoyance to the users, of course, but they shouldn't care if you're
doing it for free. Maybe.

--
Jonathan Matthews
Oxford, London, UK
http://www.jpluscplusm.com/contact.html
Lukas Tribus (Guest)
on 2013-03-30 14:58
(Received via mailing list)
That may be a dumb question: but why do you use different host names
in the first place? Is it a real business requirement to have a host
name per domain? Simply using a single host name for all domains would
solve all your issues here.

If this really is a business requirement for you (maybe the solution
shouldn't look "shared"), then there should be the money to buy
dedicated IP addresses.

I wouldn't rely on SNI anyway, because you never know if your clients
are all SNI capable; this is slowly improving for HTTPS but SMTP/IMAP
is another story (see: nginx).

Regards,
Lukas
lblankers (Guest)
on 2013-03-30 17:06
(Received via mailing list)
On March 30, 2013 09:58AM Lukas Tribus wrote:
> That may be a dumb question: but why do you use different
> host names in the first place? Is it a real business
> requirement to have a host name per domain?

No such thing as dumb questions, only people who can't answer
them :-)

I have multiple domains for email because the domains contain
the family name and I host for both my own family as well as
several 'in-law' with different family names.

On March 30, 2013 09:00AM Jonathan Matthews wrote:
> A cheaper, non-commercially-viable option (which might be
> acceptable as you indicate it's not a professional project)
> would just be to put different domains' certs on different
> ports. A slight one-time setup annoyance to the users, of
> course, but they shouldn't care if you're doing it for
> free. Maybe.

Yes, either using one domain or hosting on multiple ports
would definitely work. And since I am providing this service
for free the in-laws would not complain.

However I prefer to keep my support duties to a minimum. And
neither of these solutions will work with the auto configuration
present in almost all mail clients today.

So if I can spend a bit of resources on getting SNI to work and
hence auto configuration that would be beneficial in the long
run.

Laurens

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,237967,237980#msg-237980
salsaj (Guest)
on 2014-05-15 17:23
(Received via mailing list)
Is there any news on this? I would be interested to know if there are plans
to include this in nginx?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,237967,250113#msg-250113
Maxim Dounin (Guest)
on 2014-05-15 18:35
(Received via mailing list)
Hello!

On Thu, May 15, 2014 at 11:23:19AM -0400, salsaj wrote:

> Is there any news on this? I would be interested to know if there are plans
> to include this in nginx?

As of now, there are no plans.

--
Maxim Dounin
http://nginx.org/
Sven Köhler (Guest)
on 2014-11-08 02:00
(Received via mailing list)
Hi,

On 15.05.2014 at 19:34, Maxim Dounin wrote:
> On Thu, May 15, 2014 at 11:23:19AM -0400, salsaj wrote:
>
>> Is there any news on this? I would be interested to know if there are plans
>> to include this in nginx?
>
> As of now, there are no plans.

I'd also like to use SNI on port 587 (submission). I thought nginx could
proxy connections to postfix, which doesn't seem to support SNI either.


Regards,
  Sven