Mail proxy with SNI

Hi,

I would like to use nginx 1.2.1 with TLS SNI support to proxy SMTP
submission for several different domains over SSL. I would expect that if I
configure multiple servers with different server names, a TLS v1 client
will select the correct one through SNI. However, I always get the first
certificate regardless of the hostname specified in the ClientHello.

Is there something wrong with my config?

mail {
    auth_http           127.0.0.1/auth.php;

    smtp_auth           login plain;
    smtp_capabilities   "SIZE 10240000" "VRFY" "ETRN"
                        "ENHANCEDSTATUSCODES" "8BITMIME" "DSN";

    server {
        listen              587;
        server_name         domain1.nl;
        protocol            smtp;
        proxy               on;
        starttls            only;
        ssl_certificate     /etc/nginx/ssl/domain1.crt;
        ssl_certificate_key /etc/nginx/ssl/domain1.key;
    }

    server {
        listen              587;
        server_name         domain2.com;
        protocol            smtp;
        proxy               on;
        starttls            only;
        ssl_certificate     /etc/nginx/ssl/domain2.crt;
        ssl_certificate_key /etc/nginx/ssl/domain2.key;
    }
}

Posted at Nginx Forum:
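As an added example (not part of the thread and not nginx code), the Python 3 probe below reproduces the check the post describes: it connects to the submission port, sends EHLO, issues STARTTLS, completes the TLS handshake with a chosen SNI name, and reports which DNS names the presented certificate actually covers, so you can see for yourself whether a server hands out the same certificate for every name. The server address, the port and the EHLO name `probe.invalid` are assumptions; `domain1.nl` and `domain2.com` are the names from the config above. Chain validation stays on (pass `cafile` for a private CA) while hostname checking is turned off, so a mismatched certificate is returned for inspection rather than rejected.

```python
"""Probe which certificate an SMTP submission server presents for a given SNI name.

Added example; not part of the nginx thread. Host, port and EHLO name are
assumptions to be replaced with your own.
"""
import socket
import ssl


def parse_reply(buf):
    """Return (code, lines) if buf holds one complete SMTP reply, else None.

    Continuation lines look like "250-text"; the reply ends with "250 text"
    (or a bare "250"). Only CRLF-terminated lines count.
    """
    complete = buf.split(b"\r\n")[:-1]
    if not complete:
        return None
    last = complete[-1]
    if len(last) < 3 or not last[:3].isdigit():
        raise ValueError("malformed reply line %r" % last)
    if len(last) == 3 or last[3:4] == b" ":
        return int(last[:3]), [l.decode("ascii", "replace") for l in complete]
    return None


def _read_reply(sock):
    """Read from sock until a complete SMTP reply has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        reply = parse_reply(buf)
        if reply is not None:
            return reply


def san_dns_names(cert):
    """DNS names a getpeercert() dict covers: SAN dNSName entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn
                 if key == "commonName"]
    return names


def name_matches(hostname, names):
    """True if hostname is covered by one of names: exact match, or a single
    left-most wildcard label (RFC 6125, section 6.4.3). Case-insensitive."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            host_labels, name_labels = host.split("."), name.split(".")
            if (len(host_labels) == len(name_labels) and host_labels[0]
                    and host_labels[1:] == name_labels[1:]):
                return True
    return False


def probe_starttls_cert(address, port, sni_name, timeout=10, cafile=None):
    """Speak plain SMTP up to STARTTLS, then handshake with SNI=sni_name and
    return the peer certificate as a getpeercert() dict.

    Hostname checking is off so a wrong certificate is returned rather than
    rejected; chain validation stays on (pass cafile for a private CA).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=timeout) as raw:
        code, _ = _read_reply(raw)
        if code != 220:
            raise RuntimeError("unexpected greeting %d" % code)
        raw.sendall(b"EHLO probe.invalid\r\n")  # assumed client name
        code, lines = _read_reply(raw)
        if code != 250 or not any(l[4:].upper().startswith("STARTTLS") for l in lines):
            raise RuntimeError("server does not offer STARTTLS: %r" % lines)
        raw.sendall(b"STARTTLS\r\n")
        code, _ = _read_reply(raw)
        if code != 220:
            raise RuntimeError("STARTTLS refused with %d" % code)
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
            return cert


if __name__ == "__main__":
    import sys
    # Usage (hypothetical host): python3 probe.py mail.example.net domain1.nl domain2.com
    address, port = sys.argv[1], 587
    for sni in sys.argv[2:]:
        names = san_dns_names(probe_starttls_cert(address, port, sni))
        verdict = "OK" if name_matches(sni, names) else "MISMATCH"
        print("SNI %-20s -> %-8s %s" % (sni, verdict, ", ".join(names)))
```

Run it once per server name against the same IP; a server that ignores SNI prints the same name list every time, with MISMATCH for every name but the one on the first certificate. The handshake is done on the raw socket after the 220 to STARTTLS rather than through smtplib so that the SNI name can differ from the address you connect to.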

On Saturday 30 March 2013 01:30:21 lblankers wrote:

Hi,

I would like to use nginx 1.2.1 with TLS SNI support to proxy SMTP
submission for several different domains over SSL. I would expect that if I
configure multiple servers with different server names that a TLS v1 client
will select the correct one through SNI. However I always get the first
certificate regardless of the hostname specified in ClientHello.

Is there something wrong with my config?

The problem is that TLS SNI currently is not supported in mail proxy.

wbr, Valentin V. Bartenev


http://nginx.org/en/donation.html

On 2013-03-30 at 02:24 +0400, Valentin V. Bartenev wrote:

The problem is that TLS SNI currently is not supported in mail proxy.
If someone needs TLS SNI with SMTP right now, Exim supports this. It’s
not designed to be as scalable as nginx in performance, but it does okay
for most folks’ purposes.

(Support added in 4.80, released 2012-05-31; 4.80.1 is current)

A cheaper, non-commercially-viable option (which might be acceptable
as you indicate it’s not a professional project) would just be to put
different domains’ certs on different ports. A slight one-time setup
annoyance to the users, of course, but they shouldn’t care if you’re
doing it for free. Maybe.


Jonathan M.
Oxford, London, UK
http://www.jpluscplusm.com/contact.html

On March 29, 2013 08:14PM Phil P. wrote:

On 2013-03-30 at 02:24 +0400, Valentin V. Bartenev wrote:

On Saturday 30 March 2013 01:30:21 lblankers wrote:

I would like to use nginx 1.2.1 with TLS SNI support to proxy SMTP
submission for several different domains over SSL. I would expect that if I
configure multiple servers with different server names that a TLS v1 client
will select the correct one through SNI. However I always get the first
certificate regardless of the hostname specified in ClientHello.

Is there something wrong with my config?

The problem is that TLS SNI currently is not supported in mail proxy.

If someone needs TLS SNI with SMTP right now, Exim supports this. It’s
not designed to be as scalable as nginx in performance, but it does okay
for most folks’ purposes.

Thanks for clearing that up. I would prefer to use nginx rather than switch
to Exim because I would like to use nginx to proxy IMAP using SSL SNI
as well. Would it be possible to add SNI to the mail proxy?

I am doing this as a hobby project rather than professionally, so getting
multiple IPs in order to host multiple domains is prohibitively expensive,
both in one-time cost (~ € 100) and recurring cost (€ 2.50 / month / IP).
So if someone could suggest a cheaper solution (e.g. sponsoring a
developer to add this feature) I would very much appreciate that.

Laurens

Posted at Nginx Forum:

On March 30, 2013 09:58AM Lukas T. wrote:

That may be a dumb question: but why do you use different
host names in the first place? Is it a real business
requirement to have a host name per domain?

No such thing as dumb questions, only people who can't answer
them :)

I have multiple domains for email because the domains contain
the family name and I host for both my own family as well as
several ‘in-law’ with different family names.

On March 30, 2013 09:00AM Jonathan M. wrote:

A cheaper, non-commercially-viable option (which might be
acceptable as you indicate it's not a professional project)
would just be to put different domains' certs on different
ports. A slight one-time setup annoyance to the users, of
course, but they shouldn't care if you're doing it for
free. Maybe.

Yes, either using one domain or hosting on multiple ports
would definitely work. And since I am providing this service
for free the in-laws would not complain.

However, I prefer to keep my support duties to a minimum, and
neither of these solutions will work with the auto configuration
present in almost all mail clients today.

So if I can spend a bit of resources on getting SNI to work, and
hence auto configuration, that would be beneficial in the long
run.

Laurens

Posted at Nginx Forum:

Is there any news on this? I would be interested to know if there are
plans to include this in nginx?

Posted at Nginx Forum:

That may be a dumb question: but why do you use different host names
in the first place? Is it a real business requirement to have a host
name per domain? Simply using a single host name for all domains would
solve all your issues here.

If this really is a business requirement for you (maybe the solution
shouldn't look "shared"), then there should be the money to buy
dedicated IP addresses.

I wouldn’t rely on SNI anyway, because you never know if your clients
are all SNI capable; this is slowly improving for HTTPS but SMTP/IMAP
is another story (see: nginx).

Regards,
Lukas

Hello!

On Thu, May 15, 2014 at 11:23:19AM -0400, salsaj wrote:

Is there any news on this? I would be interested to know if there are plans
to include this in nginx?

As of now, there are no plans.


Maxim D.
http://nginx.org/

Hi,

On 15.05.2014 at 19:34, Maxim D. wrote:

On Thu, May 15, 2014 at 11:23:19AM -0400, salsaj wrote:

Is there any news on this? I would be interested to know if there are plans
to include this in nginx?

As of now, there are no plans.

I’d also like to use SNI on port 587 (submission). I thought nginx could
proxy connections to postfix, which doesn’t seem to support SNI either.

Regards,
Sven