Question about Postfix/Nginx integration / XCLIENT support


Question about Postfix/Nginx integration / XCLIENT support

Marty Lee
Hi,

I’m playing with using Nginx as an IMAP and SMTP proxy for our mail servers,
as it will help us migrate and horizontally scale. Sorted the Nginx/Cyrus
stuff out, and can proxy IMAP sessions to multiple back end mail servers.

The problem I'm having is trying to use a standard mail client to send email,
and I think there is a high chance I’ve missed some important configuration
command, or maybe just misunderstood what’s going on - hence this email.

Quick summary:

Postfix on the mail server seems to be ignoring the XCLIENT ‘LOGIN’ passed
to it via Nginx, and Postfix on the mail server thinks I’m trying to
relay email, and blocks it.

If I point a mail client at Postfix on the mail server directly, it
authenticates and then accepts email as per expected, so the authentication
piece is fine.

Longer version:

What I see:

email client -> nginx running on port 25 with the mail module configured.

email client does an ‘AUTH LOGIN’, which Nginx uses to authenticate the
session, and the return from the ‘auth’ script points Nginx at the mail
server, port 25. So far so good - all expected.

Nginx then opens a connection to postfix on the mail server, and postfix
responds with the ‘XCLIENT’ option - so postfix is allowing ‘xclient’ on
this session. When the MAIL FROM / RCPT TO are issued, Postfix on the
mail server seems to forget/ignore the ‘LOGIN’ details passed through
the ‘XCLIENT’ option.

Protocol level:

Nginx (mull.maui.co.uk) opens connection to mail server (coll.maui.co.uk):

mail server -> Nginx : 220 coll.maui.co.uk ESMTP Postfix

Nginx -> mail server : EHLO mull.maui.co.uk

mail server -> Nginx : 250-coll.maui.co.uk
mail server -> Nginx : 250-PIPELINING
mail server -> Nginx : 250-SIZE 62914560
mail server -> Nginx : 250-ETRN
mail server -> Nginx : 250-STARTTLS
mail server -> Nginx : 250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN
mail server -> Nginx : 250-ENHANCEDSTATUSCODES

Nginx -> mail server : XCLIENT ADDR=192.168.2.124 LOGIN=marty NAME=[UNAVAILABLE]

mail server -> Nginx : 220 coll.maui.co.uk ESMTP Postfix

Nginx -> mail server : EHLO maui.co.uk

mail server -> Nginx : 250-coll.maui.co.uk
mail server -> Nginx : 250-PIPELINING
mail server -> Nginx : 250-SIZE 62914560
mail server -> Nginx : 250-ETRN
mail server -> Nginx : 250-STARTTLS
mail server -> Nginx : 250-ENHANCEDSTATUSCODES

However, once the MAIL FROM and RCPT TO are passed, I get the following on the
mail server:

NOQUEUE: reject: RCPT from unknown[192.168.2.124]: 454 4.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<maui.co.uk>

Which shows that postfix has taken the ‘ADDR’ part of the XCLIENT request, as
that’s now showing the IP address of the client I’m playing with, rather than
the Nginx IP address.

Whereas on a normal authenticated login, Postfix displays:

Mar  9 19:15:02 coll postfix/smtpd[3615]: [ID 197553 mail.info] 5C77A1C610: client=unknown[192.168.2.124], sasl_method=PLAIN, sasl_username=marty

So the question is why does Postfix not take the authenticated name from the
XCLIENT ‘LOGIN’ option and treat it the same as if the user had authenticated directly,
or am I missing something fundamental?

Postfix 2.11.9

I have set up
smtpd_authorized_xclient_hosts = hash:/etc/postfix/trusted

and the /etc/postfix/trusted hash has the IP address of the Nginx proxy,
which is making it offer ‘XCLIENT’ as an option to the Nginx proxy session.

Is there something else that I need to configure to tell Postfix to trust
the ‘LOGIN’ value to be equivalent to a sasl_username?

I’ll go poking about with the code, but for now, thought I’d ask here and
see if anyone has any ideas…..

Cheers, and thanks for the patience to read this far….

marty




Re: Question about Postfix/Nginx integration / XCLIENT support

Marty Lee

> On 9 Mar 2017, at 20:28, Marty Lee <[hidden email]> wrote:
>
> Hi,
>
> I’m playing with using Nginx as an IMAP and SMTP proxy for our mail servers,
> as it will help us migrate and horizontally scale. Sorted the Nginx/Cyrus
> stuff out, and can proxy IMAP sessions to multiple back end mail servers.
>
> The problem I'm having is trying to use a standard mail client to send email,
> and I think there is a high chance I’ve missed some important configuration
> command, or maybe just misunderstood what’s going on - hence this email.
>
> Quick summary:
>
> Postfix on the mail server seems to be ignoring the XCLIENT ‘LOGIN’ passed
> to it via Nginx, and Postfix on the mail server thinks I’m trying to
> relay email, and blocks it.
>
> If I point a mail client at Postfix on the mail server directly, it
> authenticates and then accepts email as per expected, so the authentication
> piece is fine.
>

To answer my own question, and for the benefit of anyone else looking at
this problem, the problem was:

 smtpd_tls_auth_only = yes

Nginx makes a connection to Postfix on port 25, and doesn’t start a TLS
session, so the SMTP response to EHLO didn’t include any ‘AUTH’ statements.

If I switch things to

 smtpd_tls_auth_only = no

then the AUTH option is presented, and the XCLIENT ‘LOGIN’ value is picked
up and used properly.

I don’t want to leave ‘smtpd_tls_auth_only = no’, so I’ll set up an stunnel
so that Nginx uses an SSL tunnel to get to Postfix, and Postfix will then
offer up AUTH options.

Unless anyone has any other bright ideas that would let me set options
for smtpd_tls_auth_only on a per interface/port basis?

Cheers

marty
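The diagnosis above, as an added example that is not part of the original posts: a small Python checker that parses the two EHLO replies quoted in the first message, builds the XCLIENT command the way a proxy would (values xtext-encoded as the Postfix XCLIENT spec requires), and reports why the LOGIN= attribute would be ignored on a plaintext session. The EHLO lines are constructed from the thread; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the two EHLO replies quoted in the thread, before and after XCLIENT.
EHLO_BEFORE_XCLIENT = """250-coll.maui.co.uk
250-PIPELINING
250-SIZE 62914560
250-ETRN
250-STARTTLS
250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN
250-ENHANCEDSTATUSCODES""".splitlines()
# After XCLIENT the backend restarts the session and no longer advertises XCLIENT (or AUTH).
EHLO_AFTER_XCLIENT = [l for l in EHLO_BEFORE_XCLIENT if not l.startswith("250-XCLIENT")]

def parse_ehlo(lines: List[str]) -> Dict[str, List[str]]:
    """Map each advertised ESMTP keyword to its parameters; the first line is the hostname."""
    caps: Dict[str, List[str]] = {}
    for line in lines[1:]:
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line)
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps

def xtext_encode(value: str) -> str:
    """xtext (RFC 3461) as XCLIENT requires: '+', '=' and bytes outside 33..126 become +HH."""
    return "".join(chr(b) if 33 <= b <= 126 and b not in (0x2B, 0x3D) else "+%02X" % b
                   for b in value.encode("utf-8"))

def build_xclient(attrs: Dict[str, str], advertised: List[str]) -> str:
    """Build the XCLIENT command, refusing attributes the backend did not advertise."""
    unknown = [k for k in attrs if k.upper() not in advertised]
    if unknown:
        raise ValueError("backend did not advertise XCLIENT attribute(s): " + ", ".join(unknown))
    return "XCLIENT " + " ".join(f"{k.upper()}={xtext_encode(v)}" for k, v in attrs.items())

def diagnose(before: Dict[str, List[str]], after: Dict[str, List[str]], tls_active: bool) -> List[str]:
    """Explain, from the two EHLO replies, why the XCLIENT LOGIN= value would not be honoured."""
    findings = []
    if "XCLIENT" not in before:
        findings.append("XCLIENT not advertised: proxy address is not in smtpd_authorized_xclient_hosts")
    elif "LOGIN" not in before["XCLIENT"]:
        findings.append("XCLIENT advertised without the LOGIN attribute")
    if "AUTH" not in after:
        if "STARTTLS" in after and not tls_active:
            findings.append("no AUTH on a plaintext session: smtpd_tls_auth_only=yes hides SASL, so LOGIN= is ignored")
        else:
            findings.append("no AUTH advertised: SASL is not enabled on this smtpd listener")
    return findings
```

Feed it the EHLO reply captured from your own backend (before and after the XCLIENT command) and it will point at the same smtpd_tls_auth_only symptom, or at a missing smtpd_authorized_xclient_hosts entry.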



Re: Question about Postfix/Nginx integration / XCLIENT support

Noel Jones-2
On 3/9/2017 5:23 PM, Marty Lee wrote:

> Unless anyone has any other bright ideas that would let me set options
> for smtpd_tls_auth_only on a per interface/port basis?


You can add an override on a specific smtpd listener IP:port in
master.cf.

Something like:

# master.cf
192.168.1.50:2525  inet  n  -  n   -   -   smtpd
  -o smtpd_tls_auth_only=no

If you use an stunnel connection (good idea!), you'll need to set
wrappermode on that port so you don't have to run the whole server
in wrappermode.
  -o smtpd_tls_wrappermode=yes

Other options will be picked up from main.cf.
See the master.cf and smtpd man pages for details.



  -- Noel Jones

Re: Question about Postfix/Nginx integration / XCLIENT support

Marty Lee

> On 10 Mar 2017, at 16:02, Noel Jones <[hidden email]> wrote:
>
> You can add an override on a specific smtpd listener IP:port in
> master.cf.
>
> Something like:
>
> # master.cf
> 192.168.1.50:2525  inet  n  -  n   -   -   smtpd
>  -o smtpd_tls_auth_only=no

Thanks Noel - I’d forgotten completely about master.cf; spent too
much time looking at main.cf for options.. doh…

marty