Discussion:
Request for some smtp example with and without auth
Atif Ghaffar
2009-04-03 20:16:23 UTC
Dear all,

For pop and imap it's pretty clear and I have documented it on the wiki.


Can someone please state a short example on how nginx smtp proxy works with
an smtp server?
The documentation on this is very sparse. If you can forward me to the right
direction, I will write the documentation on the wiki myself.


Without authentication (MX)

* Is it possible to multiplex to different real smtp servers? (If not, it's
fine, LVS can do that job.)

* Is it possible to do something with the header before forwarding the
request to the real smtp server? (How can the real smtp server do RBL checks if
the IP address is local?)

* What can nginx do before sending the connection to the smtp server? (Can
it change/add some headers, can it pass the mail through a filter?)


With Authentication
Same questions as above. A short example (even in pseudo code) will be very
helpful.

What to look out for on the real smtp server?
Does the actual IP go to the real smtp server?

etc




thanks and best regards
--

Atif Ghaffar
Anton Yuzhaninov
2009-04-03 21:51:40 UTC
Post by Atif Ghaffar
Dear all,
For pop and imap it's pretty clear and I have documented it on the wiki.
Can someone please state a short example on how nginx smtp proxy works
with an smtp server?
The documentation on this is very sparse. If you can forward me to the
right direction, I will write the documentation on the wiki myself.
Without authentication (MX)
* Is it possible to multiplex to different real smtp servers? (If not, it's
fine, LVS can do that job.)

Nginx sends a request by http to the server defined in the config, and this server can return the ip of
different upstreams. So load balancing can be done by this "auth" server.

Post by Atif Ghaffar
* Is it possible to do something with the header before forwarding the
request to the real smtp server? (How can the real smtp server do RBL checks
if the IP address is local?)

Nginx can tell the real smtp server the client's ip via the XCLIENT command:
http://www.postfix.org/XCLIENT_README.html
xclient can also be used with a patched exim:
http://cebka.pp.ru/blog/patch-exim-xclient

Also, the RBL check can be performed by nginx + an http server.
An example of such a server is:
http://cebka.pp.ru/hg/nginx-smtp-policy
(works with a patched libevent: http://cebka.pp.ru/blog/libevent_txt.patch)

Post by Atif Ghaffar
* What can nginx do before sending the connection to the smtp server?
(Can it change/add some headers, can it pass the mail through a filter?)

No, nginx can't change the message.

Post by Atif Ghaffar
With Authentication
Same questions as above. A short example (even in pseudo code) will be
very helpful.

The auth server works as for pop3/smtp. An additional header can be added in the response for bad replies
- Auth-Status - it is used as the smtp error code.

Maybe the main reason to use nginx as an smtp auth proxy is to share the auth server with pop3/imap.

Post by Atif Ghaffar
What to look out for on the real smtp server?
Does the actual IP go to the real smtp server?

The MTA can also learn the client's IP from the XCLIENT command.
--
Anton Yuzhaninov
Atif Ghaffar
2009-04-03 22:02:31 UTC
Anton,

Thanks for your replies,
They are most useful (and you will be credited in the wiki entry)

Let me try these now and come back to you.

best regards
Atif Ghaffar
Atif Ghaffar
2009-04-04 19:59:10 UTC
Anton,

If I correctly understood,

1. nginx as smtp proxy is useful when using smtp auth. (to dispatch to
different backends)
2. nginx as smtp proxy is useful when not using smtp auth. (to do ip based
checks)

please confirm.
thanks and best regards
--
Atif
Anton Yuzhaninov
2009-04-04 21:30:34 UTC
Post by Atif Ghaffar
If I correctly understood,
1. nginx as smtp proxy is useful when using smtp auth. (to dispatch to
different backends)

IMHO nginx as an smtp proxy with auth is useful only to reuse an auth server created for a pop/imap proxy.

For pop3/imap, nginx is needed for proxying different users to different backends (where mail is stored).
In smtp, a message can be sent via a random server.

nginx can be used for load balancing between different servers with MTAs, but for load balancing
only it is better to use something like IPVS (in Linux) or pf (in BSD).

Post by Atif Ghaffar
2. nginx as smtp proxy is useful when not using smtp auth. (to do ip
based checks)

Without auth (incoming mail), nginx can be used to save resources if only IPs not in an RBL are proxied
to servers with an MTA.

But I don't know whether the current nginx version is used anywhere in production as an smtp proxy without
auth. IMHO it is not ready for production, because of the lack of smtp pipelining support. Some MTAs
(probably some sendmail versions/configs) have a bad habit of using pipelining even if its support
is not advertised in the EHLO reply.
--
Anton Yuzhaninov
Maxim Dounin
2009-04-04 23:40:07 UTC
Hello!
Post by Anton Yuzhaninov
Post by Atif Ghaffar
If I correctly understood,
1. nginx as smtp proxy is useful when using smtp auth. (to dispatch to
different backends)
IMHO nginx as an smtp proxy with auth is useful only to reuse an auth server created for a pop/imap proxy.
For pop3/imap, nginx is needed for proxying different users to different backends (where mail is stored).
In smtp, a message can be sent via a random server.
nginx can be used for load balancing between different servers with MTAs,
but for load balancing only it is better to use something like IPVS (in Linux)
or pf (in BSD).

No, you are somewhat wrong here. As an smtp proxy with auth, nginx is
really very useful to move load away from traditional
process-per-connection smtp servers (until the user is authenticated).
This saves lots of resources when you have many invalid
connections (e.g. initiated by malware, bruteforce attacks etc.).

This may not be an issue unless you run a big mail server
though.

Post by Anton Yuzhaninov
Post by Atif Ghaffar
2. nginx as smtp proxy is useful when not using smtp auth. (to do ip
based checks)
Without auth (incoming mail), nginx can be used to save resources if only
IPs not in an RBL are proxied to servers with an MTA.
But I don't know whether the current nginx version is used anywhere in production as
an smtp proxy without auth. IMHO it is not ready for production, because of
the lack of smtp pipelining support. Some MTAs (probably some sendmail
versions/configs) have a bad habit of using pipelining even if its support
is not advertised in the EHLO reply.
Yes.

Support for smtp pipelining may be found here:
http://mdounin.ru/hg/nginx-mail

Maxim Dounin
blacktux
2009-04-21 14:24:57 UTC
Does anyone have an example config of SMTP without Auth they could post in this thread? I am just trying to get an SMTP Relay Proxy going to internal MTAs from external connections. Or could you please point me in the correct direction?
Cheers

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,786,1267#msg-1267
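
Added example (not written by any poster in this thread and not nginx project code): a small auth_http server of the kind the replies describe, which rejects blocklisted client IPs before any MTA is involved, checks credentials when SMTP AUTH is used, and tells nginx which backend to proxy to. Header names follow nginx's documented mail auth_http protocol; the backend addresses, the blocklist network, the user table and port 9000 are constructed assumptions.

```python
import hmac
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data; a real deployment would query an RBL and a user store.
BACKENDS = [("10.0.0.11", 25), ("10.0.0.12", 25)]    # internal MTAs (assumed)
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]   # stand-in for an RBL lookup
USERS = {"alice@example.org": "correct horse"}       # stand-in for the pop3/imap user store


def decide(h):
    """Map nginx's auth_http request headers to the response headers it expects."""
    ip = ipaddress.ip_address(h.get("Client-IP", "0.0.0.0"))
    if any(ip in net for net in BLOCKED):
        # Refused by the proxy itself; no MTA process is ever started.
        return {"Auth-Status": "Client address is blocklisted",
                "Auth-Error-Code": "554 5.7.1"}
    if h.get("Auth-Method") != "none":               # SMTP AUTH was used
        expected = USERS.get(h.get("Auth-User", ""))
        given = h.get("Auth-Pass", "")
        if expected is None or not hmac.compare_digest(expected.encode(), given.encode()):
            return {"Auth-Status": "Invalid login or password",
                    "Auth-Error-Code": "535 5.7.8", "Auth-Wait": "3"}
    # Accepted: any MTA can relay the message, so spread clients across backends.
    host, port = BACKENDS[int(ip) % len(BACKENDS)]
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # nginx expects HTTP 200 in every case; the verdict travels in the headers.
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Matching nginx side (assumed values): auth_http 127.0.0.1:9000/auth;
    # server { listen 25; protocol smtp; smtp_auth none; xclient on; }
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

With `xclient on`, nginx passes the original client address to the backend, so the MTA must accept XCLIENT only from the proxy's address.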