==> a) My mail client can authenticate (IP:yy.yyy.yy.yy), send email and receive email (imap) - even with tls
mail.log:
connect from nginx_prox.de[xx.xxx.xx.xx]
client=unknown[yy.yyy.yy.yy], sasl_method=XCLIENT, sasl_username=my_username
b) But no emails from others are received - obviously everybody has to authenticate!!
Configuration2:
smtp_auth none;
xclient on;
==> creates an open relay!
In Postfix, I have set: smtpd_authorized_xclient_hosts = xx.xxx.xx.xx
What I’d like to achieve is the current postfix behaviour:
Receive emails from every Sender
Only authorized users can send emails from outside the Network
Help is appreciated… I found bits and pieces in the Forum and other places
Well, here we go again… somehow, I’m not getting this smtp proxy to work with nginx.
I moved to haproxy, and this combination works ok. Creating a tcp connection passes over to postfix
and the postfix prompt is seen using a telnet connection - and all works just fine.
However, I’d like to stick with nginx if possible…actually if possible at all!
Here are my findings - and maybe somebody can help to confirm or disagree:
Xclient = on will basically bypass sasl authorization in postfix.
Postfix/Sasl will assume that the message is already authenticated.
All the auth login commands are basically executed
Xclient = off will not trigger any sasl authentication in postfix.
Somehow, it seems, that the credentials are not forwarded to postfix
Is this really the expected behaviour?
IMAP behaviour is completely different. Here the authentication works just fine…
On Wed, Dec 30, 2015 at 08:20:27AM -0500, Cugar15 wrote:
> Well, here we go again… somehow, I’m not getting this smtp proxy to work
> with nginx.
> I moved to haproxy, and this combination works ok. Creating a tcp connection
> passes over to postfix
> and the postfix prompt is seen using a telnet connection - and all works
> just fine.
> However, I’d like to stick with nginx if possible…actually if possible at
> all!
If TCP proxying is enough in your case - you can consider
using stream proxy module instead, see here:
> Here are my findings - and maybe somebody can help to confirm or disagree:
> Xclient = on will basically bypass sasl authorization in postfix.
> Postfix/Sasl will assume that the message is already authenticated.
> All the auth login commands are basically executed
Yes. All information obtained by nginx is passed via the XCLIENT
command.
> Xclient = off will not trigger any sasl authentication in postfix.
> Somehow, it seems, that the credentials are not forwarded to postfix
Yes. Authentication is checked by auth_http script, and there is
no need to do additional authentication to SMTP backend. As long
as appropriate checks are done by auth_http, it’s enough to allow
your nginx IP to submit mail.
If it’s not enough in your particular setup (e.g., you want
correct “Received” headers to be added), enable XCLIENT.
> Is this really the expected behaviour?
> IMAP behaviour is completely different. Here the authentication works just
> fine…
Interesting, I will look into the ngx_stream_core_module
I still have one question for Xclient = on - since I’ve banged my head against it for days now:
You state: All information obtained by nginx is passed via the XCLIENT command.
Is this true for all credentials?? Like username and password as obtained with a ‘auth login’ sequence:
Somehow, I can find: sasl_method=XCLIENT, [email protected]
in the postfix logfile.
However, I cannot find the password information…
On Wed, Dec 30, 2015 at 10:49:06AM -0500, Cugar15 wrote:
> Is this true for all credentials?? Like username and password as obtained
> with a ‘auth login’ sequence:
> Somehow, I can find: sasl_method=XCLIENT, [email protected]
> in the postfix logfile.
> However, I cannot find the password information…
Passwords are not present in XCLIENT and aren’t expected to.
Authentication is done by nginx and it’s nginx responsibility to
check passwords, and it does so using auth_http service. Note
well that in many authentication methods passwords aren’t sent at
all, appropriate hashes are used instead.
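An added example, not from the thread and not nginx's or anyone's production code: the decision logic of an auth_http service that gives the behaviour asked for in the first post (accept mail from anyone for local recipients, require a login to relay) when nginx runs with `smtp_auth none` alongside a login method. It covers SMTP only; `decide`, `LOCAL_DOMAINS`, `BACKEND` and the sample account are hypothetical names and constructed values, and the HTTP wrapper around `decide` is left out.

```python
import hashlib, hmac, re
from urllib.parse import unquote

LOCAL_DOMAINS = {"example.org"}   # assumption: domains Postfix accepts mail for
BACKEND = ("127.0.0.1", "25")     # assumption: Postfix smtpd behind nginx
SALT = b"constructed-salt"        # constructed; use a random per-user salt in practice

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"my_username": _hash("correct horse")}   # constructed sample account

def _ok():
    return {"Auth-Status": "OK", "Auth-Server": BACKEND[0], "Auth-Port": BACKEND[1]}

def _deny(status, code):
    # Auth-Error-Code sets the SMTP reply code; without Auth-Wait nginx
    # closes the connection after returning the error.
    return {"Auth-Status": status, "Auth-Error-Code": code, "Auth-Wait": "3"}

def decide(h):
    """Map the request headers nginx sends to auth_http onto response headers."""
    if h.get("Auth-Protocol") != "smtp":
        return _deny("Unsupported protocol", "504 5.5.4")
    method = h.get("Auth-Method", "")
    if method == "none":
        # Unauthenticated session: nginx passes the envelope recipient.
        # Accept only mail for a local domain; anything else would be
        # relaying. Recipients that do not parse fail closed.
        m = re.fullmatch(r"RCPT TO:\s*<[^<>@\s]+@([^<>@\s]+)>.*",
                         h.get("Auth-SMTP-To", ""), re.I)
        if m and m.group(1).lower().rstrip(".") in LOCAL_DOMAINS:
            return _ok()
        return _deny("Relay access denied", "554 5.7.1")
    if method == "plain":
        # nginx may percent-escape characters in these values; decode first.
        user = unquote(h.get("Auth-User", ""))
        supplied = _hash(unquote(h.get("Auth-Pass", "")))
        stored = USERS.get(user)
        if stored is not None and hmac.compare_digest(stored, supplied):
            return _ok()
        return _deny("Invalid login or password", "535 5.7.8")
    return _deny("Unsupported authentication method", "504 5.5.4")
```

This check only sees the envelope data nginx includes in the auth request, so Postfix's own relay restrictions should stay in place behind it.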