smtp proxy with postfix

smtp proxy with postfix

vedranf
Hello,

  I'd like to build a smtp Proxy with nginx (v1.8.0) and postfix (v2.9.6) on
Debian7.

Somehow I'm stuck with the following problem:

1) Configuration1:
    smtp_auth         login plain cram-md5;
    xclient               on;

    ==> a) My mail client can authenticate (IP:yy.yyy.yy.yy), send email and
receive email (imap) - even with tls
                mail.log:
                 connect from nginx_prox.de[xx.xxx.xx.xx]
                 client=unknown[yy.yyy.yy.yy], sasl_method=XCLIENT,
sasl_username=my_username

            b) But no emails from others are received - obviously everybody
has to authenticate!!
         
2) Configuration2:
    smtp_auth         none;
    xclient               on;

    ==> creates an open relay!

In Postfix, I have set: smtpd_authorized_xclient_hosts = xx.xxx.xx.xx  

What I'd like to achieve is the current postfix behaviour:
1) Receive emails from every Sender
2) Only authorized users can send emails from outside the Network

Help is appreciated... I found bits and pieces in the Forum and other places
- but nothing seems to be consistent...

Thanks,
Norbert

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263559,263559#msg-263559

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: smtp proxy with postfix

B.R.
smtp_auth set + xclient on
smtp_auth none + xclient off
?
---
B. R.

On Fri, Dec 18, 2015 at 8:08 PM, Cugar15 <[hidden email]> wrote:
> Hello,
>
>   I'd like to build a smtp Proxy with nginx (v1.8.0) and postfix (v2.9.6) on
> Debian7.
>
> Somehow I'm stuck with the following problem:
>
> 1) Configuration1:
>     smtp_auth         login plain cram-md5;
>     xclient               on;
>
>     ==> a) My mail client can authenticate (IP:yy.yyy.yy.yy), send email and
> receive email (imap) - even with tls
>                 mail.log:
>                  connect from nginx_prox.de[xx.xxx.xx.xx]
>                  client=unknown[yy.yyy.yy.yy], sasl_method=XCLIENT,
> sasl_username=my_username
>
>             b) But no emails from others are received - obviously everybody
> has to authenticate!!
>
> 2) Configuration2:
>     smtp_auth         none;
>     xclient               on;
>
>     ==> creates an open relay!
>
> In Postfix, I have set: smtpd_authorized_xclient_hosts = xx.xxx.xx.xx
>
> What I'd like to achieve is the current postfix behaviour:
> 1) Receive emails from every Sender
> 2) Only authorized users can send emails from outside the Network
>
> Help is appreciated... I found bits and pieces in the Forum and other places
> - but nothing seems to be consistent...
>
> Thanks,
> Norbert
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263559,263559#msg-263559

Re: smtp proxy with postfix

vchhabra@medallia.com
Well, here we go again... somehow, I'm not getting this smtp proxy to work
with nginx.
I moved to haproxy, and this combination works ok. Creating a tcp connection
passes over to postfix
and the postfix prompt is seen using a telnet connection - and all works
just fine.

However, I'd like to stick with nginx if possible....actually if possible at
all!

Here are my findings - and maybe somebody can help to confirm or disagree:

1) Xclient = on will basically bypass sasl authorization in postfix.
    Postfix/Sasl will assume that the message is already authenticated.
    All the auth login commands are basically executed

2) Xclient = off will not trigger any sasl authentication in postfix.
    Somehow, it seems, that the credentials are not forwarded to postfix

Is this really the expected behaviour?
IMAP behaviour is completely different. Here the authentication works just
fine...

Comments appreciated,
Cugar15

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263559,263783#msg-263783


Re: smtp proxy with postfix

Maxim Dounin
Hello!

On Wed, Dec 30, 2015 at 08:20:27AM -0500, Cugar15 wrote:

> Well, here we go again... somehow, I'm not getting this smtp proxy to work
> with nginx.
> I moved to haproxy, and this combination works ok. Creating a tcp connection
> passes over to postfix
> and the postfix prompt is seen using a telnet connection - and all works
> just fine.
>
> However, I'd like to stick with nginx if possible....actually if possible at
> all!

If TCP proxying is enough in your case - you can consider
using the stream proxy module instead, see here:

http://nginx.org/en/docs/stream/ngx_stream_core_module.html

> Here are my findings - and maybe somebody can help to confirm or disagree:
>
> 1) Xclient = on will basically bypass sasl authorization in postfix.
>     Postfix/Sasl will assume that the message is already authenticated.
>     All the auth login commands are basically executed

Yes.  All information obtained by nginx is passed via the XCLIENT
command.

> 2) Xclient = off will not trigger any sasl authentication in postfix.
>     Somehow, it seems, that the credentials are not forwarded to postfix

Yes.  Authentication is checked by auth_http script, and there is
no need to do additional authentication to SMTP backend.  As long
as appropriate checks are done by auth_http, it's enough to allow
your nginx IP to submit mail.

If it's not enough in your particular setup (e.g., you want
correct "Received" headers to be added), enable XCLIENT.

> Is this really the expected behaviour?
> IMAP behaviour is completely different. Here the authentication works just
> fine...

Yes, that's expected.

--
Maxim Dounin
http://nginx.org/
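
The kind of check an auth_http service can make for both cases discussed in the reply above, shown as an added example that is not part of the original thread and not code from nginx or Postfix. It covers `plain`/`login` and `none` only; the domain, backend address, listening port, user and PBKDF2 storage are constructed assumptions.

```python
import hashlib
import hmac
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data (assumptions, not values from the thread).
LOCAL_DOMAINS = {"example.org"}        # domains the backend accepts mail for
BACKEND = ("127.0.0.1", "2525")        # Postfix smtpd behind nginx
SALT = b"constructed-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice@example.org": _hash("s3cret-constructed")}

def _ok():
    return {"Auth-Status": "OK", "Auth-Server": BACKEND[0], "Auth-Port": BACKEND[1]}

def _deny(reason, code):
    return {"Auth-Status": reason, "Auth-Error-Code": code, "Auth-Wait": "3"}

def decide(h):
    """Map nginx auth_http request headers to auth_http response headers."""
    method = (h.get("Auth-Method") or "").lower()
    if h.get("Auth-Protocol") != "smtp":
        return _deny("Unsupported protocol", "554 5.7.1")
    if method in ("plain", "login"):
        stored = USERS.get(h.get("Auth-User") or "")
        supplied = _hash(h.get("Auth-Pass") or "")
        # Always run a constant-time compare, even for unknown users.
        match = hmac.compare_digest(stored or _hash(""), supplied)
        if stored and match:
            return _ok()
        return _deny("Invalid login or password", "535 5.7.8")
    if method == "none":
        # Unauthenticated client: accept only mail for our own domains.
        m = re.search(r"<[^<>@\s]*@([^<>\s]+)>", h.get("Auth-SMTP-To") or "")
        if m and m.group(1).lower() in LOCAL_DOMAINS:
            return _ok()
        return _deny("Relay access denied", "554 5.7.1")
    return _deny("Unsupported authentication method", "504 5.5.4")

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), Handler).serve_forever()
```

This check sees only the recipient nginx reports in `Auth-SMTP-To`; Postfix's own relay restrictions still have to hold for the rest of the session.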


Re: smtp proxy with postfix

vchhabra@medallia.com
Hi Maxim, thanks for the reply!

1) Interesting, I will look into the ngx_stream_core_module

2) I still have one question for Xclient = on - since I've banged my head
against it for days now:

You state: All information obtained by nginx is passed via the XCLIENT
command.

Is this true for all credentials?? Like username and password as obtained
with an 'auth login' sequence:
Somehow, I can find: sasl_method=XCLIENT, sasl_username=[hidden email]
in the postfix logfile.
However, I cannot find the password information...

Thanks again,
Cugar15

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263559,263794#msg-263794


Re: smtp proxy with postfix

Maxim Dounin
Hello!

On Wed, Dec 30, 2015 at 10:49:06AM -0500, Cugar15 wrote:

> Hi Maxim, thanks for the reply!
>
> 1) Interesting, I will look into the ngx_stream_core_module
>
> 2) I still have one question for Xclient = on - since I've banged my head
> against it for days now:
>
> You state: All information obtained by nginx is passed via the XCLIENT
> command.
>
> Is this true for all credentials?? Like username and password as obtained
> with an 'auth login' sequence:
> Somehow, I can find: sasl_method=XCLIENT, sasl_username=[hidden email]
> in the postfix logfile.
> However, I cannot find the password information...

Passwords are not present in XCLIENT and aren't expected to be.
Authentication is done by nginx and it's nginx's responsibility to
check passwords, and it does so using the auth_http service.  Note
well that in many authentication methods passwords aren't sent at
all, appropriate hashes are used instead.

--
Maxim Dounin
http://nginx.org/
