On Tue, Sep 29, 2020 at 11:24:14AM -0400, kay wrote:

Hi there,

> I'd like to use nginx to serve TLS and/or StartTLS connections only, the
> rest must be "proxy passed" without a modification to the backend.

"TLS-only" might work if you use "stream" rather than "mail", so that nginx is the TLS-termination of an otherwise-opaque stream of traffic.

The rest of what you describe does not appear to match the nginx "smtp proxy" model (which is, briefly, a tcp connection is authenticated and then blindly forwarded to a back-end ip:port).

> Unfortunately I noticed
> https://www.ruby-forum.com/t/nginx-does-not-pass-smtp-auth-command-to-server/184290
> topic, where Maxim Dounin mentioned that it is impossible. That was 10 years
> ago, probably now the situation is changed? Is there an option, which I can
> use to pass the AUTH command?

I don't think so, no.

Probably no-one cared enough about this feature to design and implement something in nginx; instead they either changed their own design to fit the nginx model, or they used something other than nginx.

> P.S. Side question, I'd like to use a hostname in Auth-Server header:
>
> location = /mail/auth {
>     add_header Auth-Status OK;
>     add_header Auth-Server hostname;
>     add_header Auth-Port 8025;
>     return 204;
> }
>
> but nginx doesn't allow to do this. Is there an option or a workaround for
> this?

Option - no, not today.

Workaround - in that location{}, do something dynamic to learn the IP address that you want this smtp connection to be passed to, and send that IP address in the header.

*Someone* has to turn the hostname into an IP address. The nginx mail proxy protocol is that "the server" does that, not "the client".

Possibly a patch to change that would be accepted, if it is shown to be reliable and an improvement on what is there now.

Good luck with it,

	f
-- 
Francis Daly [email protected]
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
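
The workaround described in the reply above, as an added example that is not part of the original thread and not nginx's own code: an auth_http endpoint that resolves a fixed backend hostname itself and returns the resulting IP address in Auth-Server. The backend hostname, the listening port 9000 and the function names are assumptions made for illustration.

```python
import ipaddress
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values: the backend name comes from fixed configuration and is never
# taken from request headers, so a client cannot steer where the proxy connects.
BACKEND_HOST = "smtp-backend.example.internal"
BACKEND_PORT = 8025


def resolve_ipv4(hostname):
    """Return the first IPv4 address for hostname, or None if it does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def auth_headers(hostname, port, resolve=resolve_ipv4):
    """Build the auth_http response headers for one proxied connection."""
    addr = resolve(hostname)
    try:
        ipaddress.ip_address(addr or "")  # Auth-Server must be an IP literal
    except ValueError:
        # Resolution failed: answer with a temporary error, not a bad address.
        return {
            "Auth-Status": "Temporary server problem, try again later",
            "Auth-Error-Code": "451 4.3.0",
            "Auth-Wait": "3",
        }
    return {"Auth-Status": "OK", "Auth-Server": addr, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # nginx reads the result from the headers; the body stays empty.
        self.send_response(200)
        for name, value in auth_headers(BACKEND_HOST, BACKEND_PORT).items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # nginx side (assumed): auth_http 127.0.0.1:9000/mail/auth;
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

The lookup runs on every new mail connection, so a change in the backend's DNS record takes effect without reloading nginx.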
