explain
- NP: NGINX Plus
- AG: Admin Guide
- Session: session
- Upstream: upstream
- traffic: traffic
- Backend: backend
- Area: zone
- Slices: slices
- location: location
- Root: root
- Terminal: termination
- Endpoint: endpoint
catalogue
1. Configure NGINX as a mail proxy server
4. Configure SMTP/IMAP/POP3 mail proxy server
5. Set up authentication for the mail agent
7. Optimize SSL/TLS for mail proxy
1. Configure NGINX as a mail proxy server
Use NGINX or NGINX Plus as a proxy for IMAP, POP3 and SMTP protocols to simplify e-mail services and improve their performance.
This article explains how to configure NGINX Plus or NGINX Open Source as a proxy for a mail server or external mail service.
2. Introduction
NGINX can proxy IMAP, POP3, and SMTP protocols to one of the upstream mail servers hosting mail accounts, so it can be used as a single endpoint for e-mail clients. This may bring many benefits, such as:
- Easily expand the number of mail servers
- Select the mail server according to different rules, for example, select the nearest server according to the IP address of the client
- Distribute load between mail servers
3. Conditions precedent
- NGINX Plus (already includes the mail module required to proxy e-mail traffic) or NGINX Open Source uses the -- with mail parameter for e-mail proxy function and -- with mail for SSL/TLS support_ ssl_ Module parameter to compile the mail module:
$ ./configure --with-mail --with-mail_ssl_module --with-openssl=[DIR]/openssl-1.1.1
- IMAP, POP3, and / or SMTP mail servers or external mail services
4. Configure SMTP/IMAP/POP3 mail proxy server
In the NGINX configuration file:
1. Create top level <code>mail</code> Context (defined between and <code>http</code> Context (same level):
mail {
#...
}2. Use <code>server_name</code> Directive specifies the name of the mail server:
mail {
server_name mail.example.com;
#...
}3. Use <code>auth_http</code> Directive specifies the HTTP authentication server. The authentication server will authenticate the e-mail client, select the upstream server for e-mail processing, and report errors.
mail {
server_name mail.example.com;
auth_http localhost:9000/cgi-bin/nginxauth.cgi;
#...
}4. By designation <code>proxy_pass_error_message</code> Directive to specify whether to notify the user of errors from the authentication server. This may be convenient when the mailbox is low on memory:
mail {
server_name mail.example.com;
auth_http localhost:9000/cgi-bin/nginxauth.cgi;
proxy_pass_error_message on;
#...
}5. Use <code>server</code> Block to configure each SMTP, IMAP, or POP3 server.
- With <code>listen</code> The port number corresponding to the specified protocol of the instruction
- have <code>protocol</code> The protocol of the instruction (if not specified, it will be from <code>listen</code> Port specified in directive (auto detect)
- Allow use <code>imap_auth</code> , <code>pop3_auth</code> And <code>smtp_auth</code> Authentication method for directive:
server {
listen 25;
protocol smtp;
smtp_auth login plain cram-md5;
}
server {
listen 110;
protocol pop3;
pop3_auth plain apop cram-md5;
}
server {
listen 143;
protocol imap;
}5. Set up authentication for the mail agent
Each POP3/IMAP/SMTP request from the client will first be authenticated on an external HTTP authentication server or through an authentication script. The NGINX mail server proxy must have an authentication server. The server can follow the protocol based on HTTP NGINX authentication protocol Create your own.
If the authentication is successful, the authentication server will select an upstream server and redirect the request. In this case, the response from the server will contain the following lines:
HTTP/1.0 200 OK Auth-Status: OK Auth-Server: <host> # the server name or IP address of the upstream server that will used for mail processing Auth-Port: <port> # the port of the upstream server
If the authentication fails, the authentication server will return an error message. In this case, the response from the server will contain the following lines:
HTTP/1.0 200 OK Auth-Status: <message> # an error message to be returned to the client, for example "Invalid login or password" Auth-Wait: <number> # the number of remaining authentication attempts until the connection is closed
Note that in both cases, the response will contain HTTP/1.0 200 OK, which can be confusing.
For more examples of requests and responses from an authentication server, see Refer to NGINX reference documentation Medium ngx_mail_auth_http_module.
6. Set SSL/TLS for mail proxy
Using POP3/SMTP/IMAP through SSL/TLS can ensure that the data transmitted between the client and the mail server is secure.
Enable SSL/TLS for mail proxy:
1. Enter nginx -V on the command line, and then look for "with -- mail" in the output_ ssl_ Module line to ensure that NGINX is configured with SSL/TLS support:
$ nginx -V configure arguments: ... with--mail_ssl_module
2. Ensure that the server certificate and private key have been obtained and placed on the server. Certificates can be obtained from a trusted certification authority (CA) or generated using an SSL library such as OpenSSL.
3. Use <code>ssl</code> Directive enables SSL/TLS for the mail agent. If in <code>mail</code> If a directive is specified in the context, SSL/TLS is enabled for all mail proxy servers. You can also use <code>starttls</code> Command enable STLS and STARTTLS:
ssl on;
perhaps
starttls on;
4. Add SSL certificate: use <code>ssl_certificate</code> Directive specifies the path of the certificate (must be in PEM format), and <code>ssl_certificate_key</code> Path to private key specified in directive:
mail {
#...
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
}5. Use only those with <code>ssl_protocols</code> and <code>ssl_ciphers</code> Strong SSL/TLS version and password of the instruction, or you can set your own preferred protocol and password:
mail {
#...
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
}7. Optimize SSL/TLS for mail proxy
These tips will help NGINX mail agent to be faster and more secure:
1. Use <code>worker_processes</code> Instruction in and <code>mail</code> Set the number of worker processes at the same level as the context equal to the number of processors:
worker_processes auto;
mail {
#...
}2. Use <code>ssl_session_cache</code> Directive enables shared session caching and disables built-in session caching:
worker_processes auto;
mail {
#...
ssl_session_cache shared:SSL:10m;
#...
}3. Can be used <code>ssl_session_timeout</code> The instruction increases the session lifetime, which is 5 minutes by default:
worker_processes auto;
mail {
#...
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
#...
}8. Complete example
worker_processes auto;
mail {
server_name mail.example.com;
auth_http localhost:9000/cgi-bin/nginxauth.cgi;
proxy_pass_error_message on;
ssl on;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server {
listen 25;
protocol smtp;
smtp_auth login plain cram-md5;
}
server {
listen 110;
protocol pop3;
pop3_auth plain apop cram-md5;
}
server {
listen 143;
protocol imap;
}
}In this example, there are three e-mail proxy servers: SMTP, POP3, and IMAP. Each server is configured with SSL and STARTTLS support. SSL session parameters will be cached.
The proxy server uses an HTTP authentication server -- its configuration is beyond the scope of this article. All error messages from the server are returned to the client.