Nginx [NP-AG8-1] mail proxy server

Notes

  • NP: NGINX Plus
  • AG: Admin Guide
  • Terms used throughout this translation: session, upstream, traffic, backend, zone, slices, location, root, termination, endpoint

Contents

1. Configure NGINX as a mail proxy server

2. Introduction

3. Prerequisites

4. Configure the SMTP/IMAP/POP3 mail proxy server

5. Set up authentication for the mail proxy

6. Set up SSL/TLS for the mail proxy

7. Optimize SSL/TLS for the mail proxy

8. Complete example

1. Configure NGINX as a mail proxy server

Use NGINX or NGINX Plus as a proxy for the IMAP, POP3 and SMTP protocols to simplify your e-mail services and improve their performance.

This article explains how to configure NGINX Plus or NGINX Open Source as a proxy in front of a mail server or an external mail service.

2. Introduction

NGINX can proxy IMAP, POP3 and SMTP to one of a number of upstream mail servers that host the mail accounts, so it can serve as the single endpoint for e-mail clients. This brings several benefits:

  • Easy scaling of the number of mail servers
  • Selection of the mail server by rule, for example the server nearest to the client's IP address
  • Load distribution between mail servers

3. Prerequisites

  • NGINX Plus (which already includes the mail module needed to proxy e-mail traffic), or NGINX Open Source compiled with the --with-mail parameter for the mail proxy functionality and --with-mail_ssl_module for SSL/TLS support. Substitute a currently supported OpenSSL release for the one shown; OpenSSL 1.1.1 reached end of life in September 2023:
$ ./configure --with-mail --with-mail_ssl_module --with-openssl=[DIR]/openssl-1.1.1
  • IMAP, POP3 and/or SMTP mail servers, or an external mail service

4. Configure SMTP/IMAP/POP3 mail proxy server

In the NGINX configuration file:

1. Create a top-level mail context (defined at the same level as the http context):

mail {
    #...
}

2. Use the server_name directive to specify the name of the mail server:

mail {
    server_name mail.example.com;
    #...
}

3. Use the auth_http directive to specify the HTTP authentication server. The authentication server authenticates the e-mail client, selects the upstream server that will handle the mail session, and reports errors. NGINX talks to it over plain HTTP and sends the client's user name and password in request headers, so keep the authentication server on the loopback interface or on a trusted network segment:

mail {
    server_name mail.example.com;
    auth_http   localhost:9000/cgi-bin/nginxauth.cgi;
    #...
}

4. Optionally, use the proxy_pass_error_message directive to specify whether errors from the authentication server are relayed to the user. This can be handy when a mailbox runs out of memory. Keep the relayed messages generic ("Invalid login or password") so that they do not reveal whether a user name exists:

mail {
    server_name mail.example.com;
    auth_http   localhost:9000/cgi-bin/nginxauth.cgi;

    proxy_pass_error_message on;
    #...
}

5. Use a server block to configure each SMTP, IMAP or POP3 listener. The smtp_auth, pop3_auth and imap_auth directives choose the authentication methods offered to clients; LOGIN and PLAIN send the password in the clear and should only be offered over TLS, while APOP and CRAM-MD5 avoid that but require the authentication server to hold the plaintext password (see section 5).

server {
    listen    25;
    protocol  smtp;
    # login and plain expose the password; cram-md5 is challenge-response
    smtp_auth login plain cram-md5;
}

server {
    listen    110;
    protocol  pop3;
    # apop and cram-md5 are challenge-response; plain is cleartext
    pop3_auth plain apop cram-md5;
}

server {
    listen   143;
    protocol imap;
    # imap_auth defaults to plain
}

5. Set up authentication for the mail proxy

Every POP3/IMAP/SMTP login from a client is first authenticated against an external HTTP authentication server or an authentication script. An authentication server is mandatory for the NGINX mail proxy. You can write your own, as long as it follows the HTTP-based NGINX authentication protocol: NGINX issues a GET request whose headers carry the authentication method (Auth-Method: plain, apop, cram-md5 or external; LOGIN is reported as plain), the user name and password or digest (Auth-User and Auth-Pass, both percent-escaped, so the server must URL-decode them), the challenge for APOP and CRAM-MD5 (Auth-Salt), the mail protocol (Auth-Protocol: imap, pop3 or smtp), the attempt counter for the session (Auth-Login-Attempt) and the client address (Client-IP).

If the authentication succeeds, the authentication server selects an upstream server and NGINX proxies the session to it. In this case the response contains the following lines:

HTTP/1.0 200 OK
Auth-Status: OK
Auth-Server: <ip> # the IP address of the upstream server that will handle the session; NGINX does not resolve host names here
Auth-Port: <port> # the port of the upstream server

If the authentication fails, the authentication server returns an error message. In this case the response contains the following lines:

HTTP/1.0 200 OK
Auth-Status: <message> # the error message returned to the client, for example "Invalid login or password"
Auth-Wait: <number> # the number of seconds NGINX waits before returning the error to the client, which slows down password guessing

The attempt count itself arrives in the Auth-Login-Attempt request header, so the authentication server decides when to stop accepting further attempts.

Note that in both cases the response carries HTTP/1.0 200 OK, which can be confusing: the verdict is in the Auth-Status header, and a non-200 response is treated as a failure of the authentication server itself rather than as a rejected login.

For more examples of requests and responses from an authentication server, see ngx_mail_auth_http_module in the NGINX reference documentation.
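The following is an added example, not code from the original page or from NGINX: a minimal auth_http backend in Python that implements the exchange described above and verifies the PLAIN/LOGIN, APOP and CRAM-MD5 methods offered by the smtp_auth and pop3_auth directives in section 4. The accounts, passwords and upstream addresses are constructed sample data, and the attempt limit and Auth-Wait delay are assumptions chosen for the example.

```python
# Added example (not from the page or from NGINX): a minimal auth_http backend
# that speaks the NGINX mail authentication protocol. Users, passwords and
# upstream addresses below are constructed sample data.
import hashlib
import hmac
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed sample accounts. APOP and CRAM-MD5 can only be verified against
# the original secret, so offering them forces plaintext-equivalent storage.
USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.net": "hunter2",
}

# Constructed upstream map: mail domain -> protocol -> (IP address, port).
# Auth-Server must carry an IP address; NGINX does not resolve host names here.
UPSTREAMS = {
    "example.com": {"imap": ("10.0.0.11", 143), "pop3": ("10.0.0.11", 110),
                    "smtp": ("10.0.0.12", 25)},
    "example.net": {"imap": ("10.0.0.21", 143), "pop3": ("10.0.0.21", 110),
                    "smtp": ("10.0.0.22", 25)},
}

MAX_ATTEMPTS = 3        # assumption; Auth-Login-Attempt counts logins in one session
FAIL_DELAY_SECONDS = 3  # assumption; NGINX sleeps this long before sending the error
FAIL = {"Auth-Status": "Invalid login or password",
        "Auth-Wait": str(FAIL_DELAY_SECONDS)}


def cram_md5_proof(password, challenge):
    """What a CRAM-MD5 client sends: hex(HMAC-MD5(key=password, msg=challenge))."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def apop_proof(password, challenge):
    """What an APOP client sends: hex(MD5(challenge + password))."""
    return hashlib.md5((challenge + password).encode()).hexdigest()


def verify(method, user, proof, salt):
    """Check the client's proof for one Auth-Method with a constant-time compare."""
    stored = USERS.get(user)
    known = stored is not None
    if not known:
        stored = "x" * 32  # do the same work for unknown users
    if method == "plain":          # PLAIN and LOGIN both arrive as "plain"
        expected, given = stored, proof
    elif method == "apop":
        expected, given = apop_proof(stored, salt), proof.lower()
    elif method == "cram-md5":
        expected, given = cram_md5_proof(stored, salt), proof.lower()
    else:
        return False
    return hmac.compare_digest(expected.encode(), given.encode()) and known


def decide(headers):
    """Map the request headers NGINX sends to the response headers it expects."""
    h = {k.lower(): v for k, v in headers.items()}
    method = h.get("auth-method", "")
    proto = h.get("auth-protocol", "")
    user = unquote(h.get("auth-user", ""))   # NGINX percent-escapes these two
    proof = unquote(h.get("auth-pass", ""))
    salt = h.get("auth-salt", "")
    try:
        attempt = int(h.get("auth-login-attempt", "1"))
    except ValueError:
        return FAIL
    if attempt > MAX_ATTEMPTS or proto not in ("imap", "pop3", "smtp"):
        return FAIL
    if not verify(method, user, proof, salt):
        return FAIL
    target = UPSTREAMS.get(user.rpartition("@")[2], {}).get(proto)
    if target is None:
        return FAIL
    ip, port = target
    resp = {"Auth-Status": "OK",
            "Auth-Server": str(ipaddress.ip_address(ip)),  # rejects host names
            "Auth-Port": str(port)}
    if method in ("apop", "cram-md5"):
        # NGINX logs in to the upstream with a plain password, so the digest the
        # client sent is useless there; hand back the real one via Auth-Pass
        # (assumes the upstream accepts it).
        resp["Auth-Pass"] = USERS[user]
    return resp


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        resp = decide(dict(self.headers.items()))
        self.send_response(200)  # always 200: the verdict lives in Auth-Status
        for name, value in resp.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, format, *args):
        pass  # keep credentials out of the log; never log Auth-Pass


if __name__ == "__main__":
    # Matches "auth_http localhost:9000/cgi-bin/nginxauth.cgi;" from the page.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

The design choice worth noting: PLAIN and LOGIN allow the backend to store password hashes, while APOP and CRAM-MD5 need the original secret on the authentication server and a separate credential (returned in Auth-Pass) for the upstream login. In practice, offering only plain over TLS with hashed storage is usually the safer trade-off.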

6. Set up SSL/TLS for the mail proxy

Using POP3/SMTP/IMAP over SSL/TLS ensures that the data transmitted between the client and the mail proxy is encrypted. Note that this covers only the client-facing leg: the NGINX mail module connects to the upstream mail server and to the auth_http server in plain text, so those connections belong on a trusted network.

Enable SSL/TLS for mail proxy:

1. Run nginx -V on the command line and look for --with-mail_ssl_module in the output to make sure NGINX was built with SSL/TLS support for mail:

$ nginx -V
configure arguments: ... --with-mail_ssl_module

2. Make sure that the server certificate and private key have been obtained and placed on the server. A certificate can be obtained from a trusted certificate authority (CA) or generated with an SSL library such as OpenSSL.

3. Enable SSL/TLS for the mail proxy. The ssl directive enables implicit SSL/TLS; when specified in the mail context it applies to all mail proxy servers. Note that the mail module's ssl directive was made obsolete in NGINX 1.15.0 and removed in 1.25.1, so on current releases enable implicit TLS with the ssl parameter of the listen directive in each server block instead (for example listen 993 ssl; for IMAPS). Alternatively, use the starttls directive to offer STLS (POP3) and STARTTLS (IMAP, SMTP) on the plaintext ports; starttls only additionally requires clients to negotiate TLS before authenticating:

ssl on;

or

starttls on;

4. Add the SSL certificate: the ssl_certificate directive specifies the path to the certificate (PEM format) and ssl_certificate_key the path to the private key. Keep the private key readable by root only (it is loaded by the master process at start-up) rather than in a world-readable certificate directory:

mail {
    #...
    ssl_certificate     /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;
}

5. Restrict the proxy to strong SSL/TLS versions and ciphers with the ssl_protocols and ssl_ciphers directives, or set your own preferred protocols and cipher list. TLS 1.0 and 1.1 were deprecated by RFC 8996, so allow only TLS 1.2 and 1.3:

mail {
    #...
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   HIGH:!aNULL:!MD5;
}

7. Optimize SSL/TLS for the mail proxy

These tips make the NGINX mail proxy faster and more secure:

1. Use the worker_processes directive, in the main context at the same level as mail, to set the number of worker processes equal to the number of processor cores:

worker_processes auto;
mail {
    #...
}

2. Use the ssl_session_cache directive to enable a session cache shared between all worker processes (the per-worker built-in cache stays disabled):

worker_processes auto;

mail {
    #...
    ssl_session_cache shared:SSL:10m;
    #...
}

3. Optionally increase the session lifetime with the ssl_session_timeout directive; the default is 5 minutes:

worker_processes auto;

mail {
    #...
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    #...
}

8. Complete example

worker_processes auto;

mail {
    server_name mail.example.com;
    auth_http   localhost:9000/cgi-bin/nginxauth.cgi;

    proxy_pass_error_message on;

    # offer STLS/STARTTLS on the plaintext ports below; the older "ssl on;"
    # directive was removed in NGINX 1.25.1 (use "listen <port> ssl;" for
    # implicit TLS instead)
    starttls            on;
    ssl_certificate     /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # TLS 1.0/1.1 deprecated by RFC 8996
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        listen     25;
        protocol   smtp;
        smtp_auth  login plain cram-md5;
    }

    server {
        listen    110;
        protocol  pop3;
        pop3_auth plain apop cram-md5;
    }

    server {
        listen   143;
        protocol imap;
    }
}

In this example there are three mail proxy servers: SMTP, POP3 and IMAP. Each offers STARTTLS (STLS for POP3) on its standard plaintext port, using TLS 1.2 or 1.3 only, and SSL session parameters are cached in a shared cache.

The proxy uses an HTTP authentication server; its configuration is beyond the scope of this article. All error messages from the authentication server are relayed to the client.

Keywords: Nginx

Added by ysu on Wed, 19 Jan 2022 01:31:33 +0200