# HG changeset patch # User Arnout Engelen <arn...@bzzt.net> # Date 1695027670 -7200 # Mon Sep 18 11:01:10 2023 +0200 # Node ID 9606e589b9537495c0457383048ac6888be0e7b4 # Parent daf8f5ba23d8e9955b22782d945f9c065f4b6baa Mail: allow auth to the proxy without auth to the backend
Currently, when the client authenticates itself to the nginx mail proxy, the mail proxy also authenticates itself to the backend. I encountered a situation where I wanted the proxy to require authentication, and forward the mail to a (local/firewalled) mailserver that does not have authentication configured. I created the patch below to support that. I'm providing this patch primarily for feedback at this point: while it does work for my scenario and pass the nginx-tests, it likely needs additional cleanup and testing. I'd like your thoughs on whether this change makes sense in the first place, and whether this is generally a reasonable approach - if so I'll clean up the patch further. My approach is to allow the authentication server to return a 'Auth-Method: none' header, in which case the proxy will not attempt to authenticate to the backend but instead wait for the 'MAIL FROM' from the client. You'll notice I've added a 'proxy_auth_method'. The reason I didn't overwrite 'auth_method' is that 'auth_method' is also used to determine whether to confirm the authentication to the client. Is that acceptable from a binary compatibility perspective? Looking forward to hearing your thoughts! diff -r daf8f5ba23d8 -r 9606e589b953 src/mail/ngx_mail.h --- a/src/mail/ngx_mail.h Fri Sep 01 20:31:46 2023 +0400 +++ b/src/mail/ngx_mail.h Mon Sep 18 11:01:10 2023 +0200 @@ -212,6 +212,7 @@ unsigned starttls:1; unsigned esmtp:1; unsigned auth_method:3; + unsigned proxy_auth_method:3; unsigned auth_wait:1; ngx_str_t login; diff -r daf8f5ba23d8 -r 9606e589b953 src/mail/ngx_mail_auth_http_module.c --- a/src/mail/ngx_mail_auth_http_module.c Fri Sep 01 20:31:46 2023 +0400 +++ b/src/mail/ngx_mail_auth_http_module.c Mon Sep 18 11:01:10 2023 +0200 @@ -677,6 +677,23 @@ continue; } + if (len == sizeof("Auth-Method") - 1 + && ngx_strncasecmp(ctx->header_name_start, + (u_char *) "Auth-Method", + sizeof("Auth-Method") - 1) + == 0) + { + int value_len = ctx->header_end - ctx->header_start; + if (value_len == sizeof("none") - 1 + && ngx_strncasecmp(ctx->header_start, + (u_char *) "none", + sizeof("none") - 1) + == 0) + { + s->proxy_auth_method = NGX_MAIL_AUTH_NONE; + } + } + /* ignore other headers */ continue; @@ -883,6 +900,7 @@ s->mail_state = 0; s->auth_method = NGX_MAIL_AUTH_PLAIN; + s->proxy_auth_method = NGX_MAIL_AUTH_PLAIN; c->log->action = "in auth state"; diff -r daf8f5ba23d8 -r 9606e589b953 src/mail/ngx_mail_handler.c --- a/src/mail/ngx_mail_handler.c Fri Sep 01 20:31:46 2023 +0400 +++ b/src/mail/ngx_mail_handler.c Mon Sep 18 11:01:10 2023 +0200 @@ -714,6 +714,7 @@ "mail auth cram-md5: \"%V\" \"%V\"", &s->login, &s->passwd); s->auth_method = NGX_MAIL_AUTH_CRAM_MD5; + s->proxy_auth_method = NGX_MAIL_AUTH_CRAM_MD5; return NGX_DONE; } @@ -748,6 +749,7 @@ "mail auth external: \"%V\"", &s->login); s->auth_method = NGX_MAIL_AUTH_EXTERNAL; + s->proxy_auth_method = NGX_MAIL_AUTH_EXTERNAL; return NGX_DONE; } diff -r daf8f5ba23d8 -r 9606e589b953 src/mail/ngx_mail_pop3_handler.c --- a/src/mail/ngx_mail_pop3_handler.c Fri Sep 01 20:31:46 2023 +0400 +++ b/src/mail/ngx_mail_pop3_handler.c Mon Sep 18 11:01:10 2023 +0200 @@ -464,6 +464,7 @@ "pop3 apop: \"%V\" \"%V\"", &s->login, &s->passwd); s->auth_method = NGX_MAIL_AUTH_APOP; + s->proxy_auth_method = NGX_MAIL_AUTH_APOP; return NGX_DONE; } diff -r daf8f5ba23d8 -r 9606e589b953 src/mail/ngx_mail_proxy_module.c --- a/src/mail/ngx_mail_proxy_module.c Fri Sep 01 20:31:46 2023 +0400 +++ b/src/mail/ngx_mail_proxy_module.c Mon Sep 18 11:01:10 2023 +0200 @@ -605,8 +605,12 @@ if (pcf->xclient) { s->mail_state = ngx_smtp_helo_xclient; - } else if (s->auth_method == NGX_MAIL_AUTH_NONE) { - s->mail_state = ngx_smtp_helo_from; + } else if (s->proxy_auth_method == NGX_MAIL_AUTH_NONE) { + if (s->smtp_from.len) { + s->mail_state = ngx_smtp_helo_from; + } else { + s->mail_state = ngx_smtp_helo; + } } else if (pcf->smtp_auth) { s->mail_state = ngx_smtp_helo_auth; @@ -667,8 +671,12 @@ if (s->smtp_helo.len) { s->mail_state = ngx_smtp_xclient_helo; - } else if (s->auth_method == NGX_MAIL_AUTH_NONE) { - s->mail_state = ngx_smtp_xclient_from; + } else if (s->proxy_auth_method == NGX_MAIL_AUTH_NONE) { + if (s->smtp_from.len) { + s->mail_state = ngx_smtp_xclient_from; + } else { + s->mail_state = ngx_smtp_xclient_helo; + } } else if (pcf->smtp_auth) { s->mail_state = ngx_smtp_xclient_auth; @@ -700,8 +708,12 @@ pcf = ngx_mail_get_module_srv_conf(s, ngx_mail_proxy_module); - if (s->auth_method == NGX_MAIL_AUTH_NONE) { - s->mail_state = ngx_smtp_helo_from; + if (s->proxy_auth_method == NGX_MAIL_AUTH_NONE) { + if (s->smtp_from.len) { + s->mail_state = ngx_smtp_helo_from; + } else { + s->mail_state = ngx_smtp_helo; + } } else if (pcf->smtp_auth) { s->mail_state = ngx_smtp_helo_auth; diff -r daf8f5ba23d8 -r 9606e589b953 src/mail/ngx_mail_smtp_handler.c --- a/src/mail/ngx_mail_smtp_handler.c Fri Sep 01 20:31:46 2023 +0400 +++ b/src/mail/ngx_mail_smtp_handler.c Mon Sep 18 11:01:10 2023 +0200 @@ -820,6 +820,7 @@ "smtp rcpt to:\"%V\"", &s->smtp_to); s->auth_method = NGX_MAIL_AUTH_NONE; + s->proxy_auth_method = NGX_MAIL_AUTH_NONE; return NGX_DONE; } _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel