Smtps mail proxy

Hello,

I seek advice on configuring nginx as a mail proxy.

PREMISES

The existing system is based upon postfix and dovecot.
The system delivers “n” virtual domains, say, mx.example_1.org,
mx.example_2.org, …, mx.example_n.org, all behind a single IP.

There is no “shared” (Subject Alternative Name) certificate, because adding
or releasing a domain would require a new shared certificate, revoking the
old one, and taxing the other domains for the novelty.—I refer to SAN certs
as “condocerts” (condominium certificates): feel free to use the term
yourself.—We are not a condo, and therefore, each domain carries its own set
of TLS certificates, managed autonomously.

Dovecot manages its side of things nicely, with

  • per-domain “mail_location”,
  • per-domain password database,
  • per-domain TLS certificates,
  • SNI [Wiki has been closed].

Client authentication is entirely delegated to dovecot;
postfix uses SASL to dovecot’s unix socket.

PROBLEM

Postfix does not support SNI.

OUR AIM

Our aim is to add SNI to port 465 (postfix) using nginx as a transparent
mail proxy.

The following is a mock-up configuration.

mail {

    proxy on;
    proxy_pass_error_message on;
    proxy_buffer 4k; # 4k|8k
    proxy_timeout 24h;
    xclient on; # Postfix XCLIENT Howto

    ssl_dhparam /etc/vmail/dh2048;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # SNI supported
    ssl_ciphers DHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:MAIL:10m;
    #ssl_session_timeout =

    #smtp_capabilities …; # pass through wanted   <-------
    #smtp_auth …;         # pass through wanted   <-------

    server {
        listen 465;
        protocol smtp;
        ssl on;
        timeout 5s;
        server_name mx.example_1.org;
        #ssl_password_file /etc/vmail/example_1.org/passdb_keys; # to read .key certificates
        ssl_certificate /etc/vmail/example_1.org/ssl/mx.crt;
        ssl_certificate_key /etc/vmail/example_1.org/ssl/mx.key;
    }

    server {
        listen 465;
        protocol smtp;
        ssl on;
        timeout 5s;
        server_name mx.example_2.org;
        #ssl_password_file /etc/vmail/example_2.org/passdb_keys;
        ssl_certificate /etc/vmail/example_2.org/ssl/mx.crt;
        ssl_certificate_key /etc/vmail/example_2.org/ssl/mx.key;
    }

    server {
        listen 465;
        protocol smtp;
        ssl on;
        timeout 5s;
        server_name mx.example_n.org;
        #ssl_password_file /etc/vmail/example_n.org/passdb_keys;
        ssl_certificate /etc/vmail/example_n.org/ssl/mx.crt;
        ssl_certificate_key /etc/vmail/example_n.org/ssl/mx.key;
    }

}

OPEN QUESTIONS

  1. It is not clear how nginx would talk to postfix. One would expect the
     proxy to serve on port, say, 4650, being the port exposed by the router,
     masking postfix on port 465, but nginx does not seem to have a relevant
     configuration clause.

  2. Nginx refuses to start up, demanding “auth_http”. However, we do not
     need to move authentication to nginx. What we need is a transparent
     proxy: nginx should listen to dovecot’s unix socket, just like postfix
     does.

Thank you for your advice, if any.

Posted at Nginx Forum:

On Fri, Jan 23, 2015 at 10:11:50AM -0500, 173279834462 wrote:

Hi there,

> I seek advice on configuring nginx as a mail proxy.

http://nginx.org/r/mail

> Our aim is to add SNI to port 465 (postfix) using nginx as transparent mail
> proxy.

I do not know that TLS SNI is supported in nginx mail proxy. Have you
any documentation saying that it is?

>   1. It is not clear how nginx would talk to postfix. One would expect the
>      proxy to serve on port, say, 4650, being the port exposed by the router,
>      masking postfix on port 465, but nginx does not seem to have a relevant
>      configuration clause.

“listen” tells nginx where to listen.

“auth_http” tells nginx (eventually) where the upstream for this
connection is.

http://nginx.org/r/auth_http

>   2. Nginx refuses to start-up, demanding “auth_http”. However, we do not need
>      to move authentication to nginx.

That’s not (just) what auth_http is for.

nginx may not be the right tool for this job.

f

Francis D. [email protected]
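To make the auth_http point in the reply above concrete, here is an added example (not code from the thread, nginx, or either poster) of the small HTTP responder nginx's mail module queries: nginx sends one GET per session carrying Auth-Method, Auth-Protocol, Auth-User, Auth-Pass and related headers, and expects Auth-Status plus Auth-Server/Auth-Port back to learn where the upstream postfix is. The backend address, port 9000, the /auth path and the demo user are constructed placeholders; a real responder would check credentials against dovecot's passdb instead of the inline dict.

```python
# Added example: minimal auth_http responder for the nginx mail proxy.
# nginx asks this endpoint for every session; the answer names the upstream.
# All addresses and credentials below are constructed placeholders.
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed assumption: the real postfix listens here behind the proxy.
POSTFIX_BACKEND = ("127.0.0.1", 10025)
# Constructed demo credential; a real responder would consult dovecot/passdb.
DEMO_USERS = {"alice@example_1.org": "correct horse"}

def auth_decision(headers):
    """Map nginx's Auth-* request headers to the response headers nginx expects.

    Auth-Status "OK" plus Auth-Server/Auth-Port routes the session to the
    backend; any other Auth-Status text is relayed to the client as the error,
    and Auth-Wait delays that reply to slow down password guessing.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    accept = {"Auth-Status": "OK",
              "Auth-Server": POSTFIX_BACKEND[0],
              "Auth-Port": str(POSTFIX_BACKEND[1])}
    # Same generic text for every failure: never reveal whether the user exists.
    reject = {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}

    if hdr.get("auth-protocol", "").lower() != "smtp":
        return reject  # this responder only fronts the SMTP listener
    method = hdr.get("auth-method", "none").lower()
    if method == "none":
        return accept  # unauthenticated SMTP (smtp_auth none): just pick the backend
    if method in ("plain", "login"):
        user, password = hdr.get("auth-user", ""), hdr.get("auth-pass", "")
        if user in DEMO_USERS and DEMO_USERS[user] == password:
            return accept
    return reject

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        for name, value in auth_decision(dict(self.headers.items())).items():
            if name == "Auth-Status":
                self.send_response(200)
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep Auth-Pass and user names out of stderr

if __name__ == "__main__":
    # nginx side (constructed): auth_http 127.0.0.1:9000/auth;
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```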