Mail Proxy with Multiple Mail Domains

Mail Proxy with Multiple Mail Domains

nsclick

Hello,
 
I would like to set up a Nginx mail proxy which handles IMAP and SMTP for two different mail domains and two different backend servers (one server for each of the domains).

Let's say we have the two mail domains:
- mail.foo.com
- mail.bar.com
 
Then we can set up a minimalistic mail block like:
 
mail {
  server_name mail.foo.com;  <-- ############ Can I simply add 'mail.bar.com' here? ############

  auth_http   localhost/nginxauth.php;

  server {
    listen     25;
    protocol   smtp;
  }

  server {
    listen   143;
    protocol imap;
  }
}

And a minimalistic nginxauth.php script like:

<?php

  /*
    Variables we have here:
    $_SERVER["HTTP_AUTH_USER"]
    $_SERVER["HTTP_AUTH_PASS"]
    $_SERVER["HTTP_AUTH_PROTOCOL"]
  */

  // Protocol of the proxied connection, passed by nginx in Auth-Protocol
  $protocol = $_SERVER["HTTP_AUTH_PROTOCOL"];

  if ($protocol=="imap")
  {
    $backend_port=143;
  }

  if ($protocol=="smtp")
  {
    $backend_port=25;
  }

  $backend_ip["mailhost_foo"] ="192.168.1.10";
  $backend_ip["mailhost_bar"] ="192.168.1.20";

  $selection  <-- ############ How to make this selection? ############
                  Do we have information about the requested mail domain here?
                  If yes, in which $_SERVER item?

  header("Auth-Status: OK");
  header("Auth-Server: $backend_ip[$selection]");
  header("Auth-Port: $backend_port");
?>


But how to solve the questions marked with "###" above?
I tried to find something in the Nginx documentation, but without success.
Any ideas?

Thanks a lot in advance.

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Mail Proxy with Multiple Mail Domains

Patrick
On 2019-11-13 20:00, [hidden email] wrote:
> I would like to set up a Nginx mail proxy which handles IMAP and SMTP for two different mail domains and two different backend servers (one server for each of the domains).

The docs have a good example at:
https://www.nginx.com/resources/wiki/start/topics/examples/imapauthenticatewithapacheperlscript/

Users need to log in with "[hidden email]" or "[hidden email]"
otherwise name collisions will occur...

`Auth-User' will have the username, so match on the domain part to route
the user to the correct server.


Patrick

Re: Mail Proxy with Multiple Mail Domains

Phillip Odam
The only issue we encountered using the nginx Mail auth api was in finding out what encoding is used for the header values. In Java we currently use the following to decode the password
password = URLDecoder.decode(password.replaceAll("\\+", "%2b"), "UTF-8");
My understanding is that nginx encodes some characters in the typical %XX form (where X is a hexadecimal character) but leaves + as +, so when decoding, + is incorrectly decoded to space. That’s what the code above resolves.

On Wed, Nov 13, 2019 at 7:37 PM Patrick <[hidden email]> wrote:
On 2019-11-13 20:00, [hidden email] wrote:
> I would like to set up a Nginx mail proxy which handles IMAP and SMTP for two different mail domains and two different backend servers (one server for each of the domains).

The docs have a good example at:
https://www.nginx.com/resources/wiki/start/topics/examples/imapauthenticatewithapacheperlscript/

Users need to log in with "[hidden email]" or "[hidden email]"
otherwise name collisions will occur...

`Auth-User' will have the username, so match on the domain part to route
the user to the correct server.


Patrick

Re: Mail Proxy with Multiple Mail Domains

Francis Daly
In reply to this post by nsclick
On Wed, Nov 13, 2019 at 08:00:58PM +0100, [hidden email] wrote:

Hi there,

Untested, but...

> I would like to set up a Nginx mail proxy which handles IMAP and SMTP for two different mail domains and two different backend servers (one server for each of the domains).
>

The easiest way is probably to have nginx listening on two IP addresses;
each one handling one domain.

> Let's say we have the two mail domains:
> - mail.foo.com
> - mail.bar.com
>  
> Then we can set up a minimalistic mail block like:
>  
> mail {
>   server_name mail.foo.com;  <-- ############ Can I simply add 'mail.bar.com' here? ############

No.

http://nginx.org/en/docs/mail/ngx_mail_core_module.html#server_name

says when this is used. If it is important in your case to have two
different names, then you will want to set it in each server{}.

>   $backend_ip["mailhost_foo"] ="192.168.1.10";
>   $backend_ip["mailhost_bar"] ="192.168.1.20";
>
>   $selection  <-- ############ How to make this selection? ############
>                   Do we have information about the requested mail domain here?
>                   If yes, in which $_SERVER item?

If you use something like

  server {
    server_name foo;
    listen ip1:25;
  }

  server {
    server_name bar;
    listen ip2:25;
  }

then you can also include an auth_http_header to say "this is foo", or
"this is bar".

Or you can use a different auth_http url for foo and for bar, so that
each one "knows" the backend ip for itself.

> But how to solve the questions marked with "###" above?
> I tried to find something in the Nginx documentation, but without success.
> Any ideas?

http://nginx.org/en/docs/mail/ngx_mail_core_module.html#listen says

"""
Different servers must listen on different address:port pairs.
"""

Alternatively,
http://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol
shows that you will probably have an Auth-User for IMAP, and an
Auth-SMTP-To for SMTP. If those values make it clear which mail domain is
used in this request, then your auth_http script can use the appropriate
logic.

Cheers,

        f
--
Francis Daly        [hidden email]
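
Added example (not written by any poster in this thread, and not nginx project code): an auth_http script in PHP, the language of the script in the question, that picks the backend from an allow-list keyed by mail domain, taking the domain from a per-server header set with auth_http_header, from Auth-User, or from Auth-SMTP-To, and decoding %XX without turning '+' into a space. The X-Mail-Domain header name and the use of mail.foo.com and mail.bar.com as lookup keys are assumptions.

```php
<?php
// Added example. Backend IPs are the ones from the question; X-Mail-Domain is
// a hypothetical header, set per server{} with e.g.
//   auth_http_header X-Mail-Domain mail.foo.com;
const BACKENDS = [                 // allow-list: mail domain => backend IP
    'mail.foo.com' => '192.168.1.10',
    'mail.bar.com' => '192.168.1.20',
];
const PORTS = ['imap' => 143, 'smtp' => 25];

// Domain part of an address, lower-cased; null when there is none.
function domain_of(string $addr): ?string
{
    // rawurldecode() undoes %XX and leaves '+' alone; urldecode() would turn
    // '+' into a space, the decoding problem described in the thread.
    $addr = rawurldecode($addr);
    // Auth-SMTP-To carries the RCPT TO command; keep what is inside <...>.
    if (preg_match('/<([^<>]*)>/', $addr, $m)) {
        $addr = $m[1];
    }
    $at = strrpos($addr, '@');
    return $at === false ? null : strtolower(substr($addr, $at + 1));
}

// Response header lines for one auth request; $h is a $_SERVER-style array.
function route(array $h): array
{
    $port = PORTS[strtolower($h['HTTP_AUTH_PROTOCOL'] ?? '')] ?? null;
    // The header nginx adds itself wins over values typed by the client.
    $domain = $h['HTTP_X_MAIL_DOMAIN']
        ?? domain_of($h['HTTP_AUTH_USER'] ?? '')
        ?? domain_of($h['HTTP_AUTH_SMTP_TO'] ?? '');
    $ip = BACKENDS[strtolower((string) $domain)] ?? null;
    if ($port === null || $ip === null) {
        // Fail closed: an unknown protocol or domain never gets a backend.
        return ['Auth-Status: Invalid login or password', 'Auth-Wait: 3'];
    }
    // Credential verification is omitted, as in the script in the question.
    return ['Auth-Status: OK', "Auth-Server: $ip", "Auth-Port: $port"];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request, for a run from the command line.
    print_r(route(['HTTP_AUTH_PROTOCOL' => 'imap', 'HTTP_AUTH_USER' => 'a+b@mail.bar.com']));
} else {
    foreach (route($_SERVER) as $line) {
        header($line);
    }
}
```

Auth-User and Auth-SMTP-To are supplied by the client before authentication, so they are only ever used to select among the allow-listed backends, never to build an address.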