2

I'm normally an Apache user, but I need to start using nginx as a reverse proxy for SMTP (Postfix).

I've seen tens of examples online. Like this and this. All of them have an auth_http entry, which I completely don't understand. This is not the first time I've used proxies, and I have been using haproxy for months. So why do I have to provide a PHP authentication page? Why can't I just use nginx as simply as I use haproxy, and just tell it: set a frontend here, decrypt SSL with this key, and take it to that backend/port?

Could someone please explain how necessary that auth_http entry is? The nginx manual doesn't seem to say much.

Thank you for any efforts.

The Quantum Physicist
  • [Related question](https://serverfault.com/q/594962), asking the same thing about IMAP proxying. – tanius Jan 20 '23 at 17:51

2 Answers

1

Basically, there are three big steps in your workflow:

  • Encryption and decryption, either by STARTTLS or SMTPS
  • Authentication, i.e. checking whether you are allowed to do an SMTP transaction
  • The SMTP transaction (MAIL FROM, RCPT TO and so on)

As far as I understand, you want to use nginx to do step 1 and transparently pass the rest of the transaction to the backend. Unfortunately, you can't do that with nginx due to its design. Nginx always does steps 1 and 2 before passing the request to the backend.

That's why the auth_http parameter becomes crucial. Basically, nginx takes the username and password from the SMTP auth process and passes them to the auth_http URL via a protocol. It then expects a response with the auth status (whether the transaction can continue or not) and the address and port to which the SMTP data should be passed.

So, if you just want an SSL-stripping proxy for SMTP, then nginx may not be a fit for your case.

masegaloeh
0

In newer versions of Nginx (from 1.19.4), the auth_http directive with your own Nginx HTTP Authentication Server is no longer needed for the purpose of authentication.

You can now set proxy_smtp_auth on; in your proxied SMTP servers to make them relay SMTP authentication to the proxied server (see manual, related answer). Your auth_http server would in that case simply authenticate all clients, but still has two other mandatory roles to fulfill:

The authentication server will authenticate email clients, choose an upstream server for email processing [and refer the client to it], and report errors.

(Source: Nginx Plus Admin Guide: Configuring NGINX as a Mail Proxy Server)

A complete Nginx config example would look like this (not tested, probably not fully functional yet, and omitting all SSL stuff):

```nginx
mail {
    server_name smtp.example.com;
    proxy_pass_error_message on;

    # Your Nginx HTTP Authentication server.
    auth_http   localhost:9000/nginxauth.php;

    # Proxy server config.
    # (NOT proxied servers. These are only known to the HTTP Auth Server.)
    server {
        listen           25;
        protocol         smtp;
        proxy_smtp_auth  on;
        smtp_auth        login plain cram-md5;
    }
}
```

If you only want to refer clients to one single backend SMTP server, there is no need to implement a custom Nginx HTTP Authentication server. You can use this technique instead.

tanius
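The auth_http exchange that both answers describe, as an added example (not code from either answer or from the nginx project): nginx sends the client's credentials as Auth-* request headers, and the reply's Auth-Status, Auth-Server and Auth-Port headers tell it whether and where to proxy. The account table, the backend address and the `decide` helper are assumptions made for illustration; port 9000 matches the config above.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed sample data: one account and one backend (placeholders).
USERS = {"alice@example.com": "correct horse"}
UPSTREAM = ("127.0.0.1", 2525)  # Auth-Server must be an IP address, not a hostname


def decide(headers, verify=True):
    """Map nginx's Auth-* request headers to the Auth-* response headers.

    verify=False is the proxy_smtp_auth case: every client is accepted
    here and the backend SMTP server checks the credentials itself.
    """
    if headers.get("Auth-Protocol") != "smtp":
        return {"Auth-Status": "Unsupported protocol"}
    if verify:
        # AUTH PLAIN and AUTH LOGIN both arrive as Auth-Method: plain.
        if headers.get("Auth-Method") != "plain":
            return {"Auth-Status": "Unsupported auth method"}
        # nginx percent-encodes some characters in these two headers.
        user = unquote(headers.get("Auth-User", ""))
        given = unquote(headers.get("Auth-Pass", ""))
        expected = USERS.get(user, "")
        # Constant-time comparison; unknown users fail the same way.
        ok = hmac.compare_digest(given.encode(), expected.encode()) and user in USERS
        if not ok:
            return {"Auth-Status": "Invalid login or password",
                    "Auth-Error-Code": "535 5.7.8", "Auth-Wait": "3"}
    return {"Auth-Status": "OK", "Auth-Server": UPSTREAM[0],
            "Auth-Port": str(UPSTREAM[1])}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The verdict travels in headers; the HTTP status is always 200.
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only: this endpoint receives cleartext passwords.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

With `verify=False` the endpoint only selects the upstream, so the backend has to enforce authentication itself.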