Hi,

I’m playing with using Nginx as an IMAP and SMTP proxy for our mail servers,
as it will help us migrate and horizontally scale. Sorted the Nginx/Cyrus
stuff out, and can proxy IMAP sessions to multiple back end mail servers.

The problem I'm having is trying to use a standard mail client to send email,
and I think there is a high chance I’ve missed some important configuration
command, or maybe just misunderstood what’s going on - hence this email.

Quick summary:

Postfix on the mail server seems to be ignoring the XCLIENT ‘LOGIN’ passed
to it via Nginx, and Postfix on the mail server thinks I’m trying to
relay email, and blocks it.

If I point a mail client at Postfix on the mail server directly, it
authenticates and then accepts email as expected, so the authentication
piece is fine.

Longer version:

What I see:

email client -> nginx running on port 25 with the mail module configured.

email client does an ‘AUTH LOGIN’, which Nginx uses to authenticate the
session, and the return from the ‘auth’ script points Nginx at the mail
server, port 25. So far so good - all expected.

Nginx then opens a connection to postfix on the mail server, and postfix
responds with the ‘XCLIENT’ option - so postfix is allowing ‘xclient’ on
this session. When the MAIL FROM / RCPT TO are issued, Postfix on the
mail server seems to forget/ignore the ‘LOGIN’ details passed through
the ‘XCLIENT’ option.

Protocol level:

Nginx (mull.maui.co.uk) opens connection to mail server (coll.maui.co.uk):

mail server -> Nginx : 220 coll.maui.co.uk ESMTP Postfix 

Nginx -> mail server : EHLO mull.maui.co.uk

mail server -> Nginx : 250-coll.maui.co.uk
mail server -> Nginx : 250-PIPELINING
mail server -> Nginx : 250-SIZE 62914560
mail server -> Nginx : 250-ETRN
mail server -> Nginx : 250-STARTTLS
mail server -> Nginx : 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN
mail server -> Nginx : 250-ENHANCEDSTATUSCODES

Nginx -> mail server : XCLIENT ADDR=192.168.2.124 LOGIN=marty NAME=[UNAVAILABLE]

mail server -> Nginx : 220 coll.maui.co.uk ESMTP Postfix

Nginx -> mail server : EHLO maui.co.uk

mail server -> Nginx : 250-coll.maui.co.uk
mail server -> Nginx : 250-PIPELINING
mail server -> Nginx : 250-SIZE 62914560
mail server -> Nginx : 250-ETRN
mail server -> Nginx : 250-STARTTLS
mail server -> Nginx : 250-ENHANCEDSTATUSCODES

However, once the MAIL FROM and RCPT TO are passed, I get the following on the
mail server:

NOQUEUE: reject: RCPT from unknown[192.168.2.124]: 454 4.7.1 <xxxxxxx...@gmail.com>: Relay access denied; from=<xxxxx...@maui.co.uk> to=<xxxxxxx...@gmail.com> proto=ESMTP helo=<maui.co.uk>

Which shows that postfix has taken the ‘ADDR’ part of the XCLIENT request, as
that’s now showing the IP address of the client I’m playing with, rather than
the Nginx IP address.

Whereas on a normal authenticated login, Postfix displays:

Mar  9 19:15:02 coll postfix/smtpd[3615]: [ID 197553 mail.info] 5C77A1C610: client=unknown[192.168.2.124], sasl_method=PLAIN, sasl_username=marty

So the question is: why does Postfix not take the authenticated name from the
XCLIENT ‘LOGIN’ option and treat it the same as if the user had authenticated
directly, or am I missing something fundamental?

Postfix 2.11.9

I have set up 
smtpd_authorized_xclient_hosts = hash:/etc/postfix/trusted

and the /etc/postfix/trusted hash has the IP address of the Nginx proxy,
which is making it offer ‘XCLIENT’ as an option to the Nginx proxy session.

Is there something else that I need to configure to tell Postfix to trust
the ‘LOGIN’ value to be equivalent to a sasl_username?

I’ll go poking about with the code, but for now, thought I’d ask here and
see if anyone has any ideas…

Cheers, and thanks for the patience to read this far…

marty
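
When debugging a proxy setup like the one in the post above, the first thing to confirm is that every attribute the proxy sends in XCLIENT was actually advertised by the backend and that the backend accepted the command. The following Python is an added example, not part of the original post and not nginx or Postfix code; it reads a transcript in the post's "sender -> receiver : text" notation. The function names and the embedded transcript (a shortened, constructed copy of the session quoted above) are assumptions of this example.

```python
import re

# Constructed sample: shortened copy of the proxy/backend exchange in the post.
TRANSCRIPT = """\
mail server -> Nginx : 220 coll.maui.co.uk ESMTP Postfix
Nginx -> mail server : EHLO mull.maui.co.uk
mail server -> Nginx : 250-coll.maui.co.uk
mail server -> Nginx : 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN
mail server -> Nginx : 250-ENHANCEDSTATUSCODES
Nginx -> mail server : XCLIENT ADDR=192.168.2.124 LOGIN=marty NAME=[UNAVAILABLE]
mail server -> Nginx : 220 coll.maui.co.uk ESMTP Postfix
Nginx -> mail server : EHLO maui.co.uk
mail server -> Nginx : 250-coll.maui.co.uk
mail server -> Nginx : 250-ENHANCEDSTATUSCODES
"""

def xtext_decode(value):
    """Decode xtext (+HH hex escapes), the encoding used for XCLIENT values."""
    return re.sub(r"\+([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def audit_xclient(transcript):
    """Return (advertised, sent, unadvertised, accepted) for one proxied session."""
    advertised, sent = set(), {}
    accepted = awaiting_reply = False
    for line in transcript.splitlines():
        if " : " not in line:
            continue
        direction, text = line.split(" : ", 1)
        from_server = direction.strip().startswith("mail server")
        if from_server and awaiting_reply:
            # An accepted XCLIENT is answered with a fresh 220 greeting.
            accepted = text.startswith("220")
            awaiting_reply = False
        elif from_server and not sent:
            m = re.match(r"250[- ]XCLIENT\s+(.*)", text)
            if m:
                advertised = set(m.group(1).split())
        elif not from_server and text.upper().startswith("XCLIENT "):
            for pair in text.split()[1:]:
                name, _, value = pair.partition("=")
                sent[name.upper()] = xtext_decode(value)
            awaiting_reply = True
    unadvertised = sorted(set(sent) - advertised)
    return advertised, sent, unadvertised, accepted

if __name__ == "__main__":
    print(audit_xclient(TRANSCRIPT))
```

An empty `unadvertised` list together with `accepted` being true shows only that the XCLIENT command itself was well-formed and accepted; it says nothing about how the backend's later relay checks treat the LOGIN value.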


