Opened 5 years ago

Closed 3 years ago

#1899 closed enhancement (wontfix)

Enhance mail module with access control like ngx_http_access_module module

Reported by: weishen@… Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.16.x
Keywords: Cc:
uname -a:
nginx -V: nginx version: nginx/1.16.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/opt/apps_install/nginx-1.16.1 --with-stream --with-stream_realip_module --with-mail --with-mail_ssl_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-pcre --with-ld-opt=-Wl,-rpath,/opt/nginx-1.16.1/lua/lib --add-module=../nginx-upload-progress-module --add-module=../ngx_cache_purge-2.3 --add-module=../headers-more-nginx-module --add-module=../nginx_upstream_check_module --with-openssl=../openssl-1.0.1e --with-zlib=../zlib-1.2.3 --add-module=../lua-nginx-module

Description

We are running nginx as the mail proxy, but there are lots of invalid authentications every day. We have got some IPs to block, but found the mail module lacks deny/allow directives like ngx_http_access_module, so please add the feature.
By the way, we have tried the stream module as a proxy in front of the mail block.

worker_processes  8;
user root;

events {
    use epoll;
    worker_connections  10240;
}

pid       /opt/work/log/nginx_pop.pid;
error_log /opt/work/log/error_pop.log error;

mail {
    auth_http          127.0.0.1:8080/auth;
    timeout            5000;
    proxy              on;
    xclient            on;

    server {
        listen              127.0.0.1:1100;
        protocol            pop3;
    }
}

stream {
    # deny IP
    include includes/deny_ip.conf;

    upstream @pop_up {
        server 127.0.0.1:1100;
    }

    # POP
    # =============================
    server {
        listen 110;
        proxy_pass @pop_up;
        #proxy_pass 127.0.0.1:1100;
    }
}

This method does not set the correct Client-IP header for auth_http; it is always 127.0.0.1, which impacts our analysis of the malicious flow.

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: wontfix
Status: new → closed

By design of the mail module, access checks as well as various rate limits are expected to be done by the auth_http script along with authentication. As such, usefulness of access checks in the mail module itself is quite limited.
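An added example, not code from this ticket or from nginx: a minimal auth_http backend in Python that applies an IP deny list and a login-attempt cap before it checks the password, which is the division of labour the reply above describes. It assumes the auth_http 127.0.0.1:8080/auth setting from the description and the standard Auth-*/Client-IP request headers nginx's mail module sends; the deny list, credential store and backend address are constructed placeholders.

```python
"""Minimal nginx mail auth_http backend with access control (added example)."""
import hmac
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed deny list (assumption): these networks never get to try a password.
DENY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.7/32")]
MAX_ATTEMPTS = 3                  # reject once Auth-Login-Attempt exceeds this
BACKEND = ("127.0.0.1", "110")    # constructed POP3 backend for Auth-Server/Auth-Port
USERS = {"alice": "s3cret"}       # constructed credential store, placeholder only


def is_denied(client_ip):
    """True if the address is on the deny list; unparsable addresses fail closed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True
    return any(addr in net for net in DENY_NETWORKS)


def auth_decision(headers):
    """Map the headers nginx sends (Client-IP, Auth-User, Auth-Pass,
    Auth-Login-Attempt) to the headers it expects back (Auth-Status, ...)."""
    client_ip = headers.get("Client-IP", "")
    attempts = int(headers.get("Auth-Login-Attempt", "1"))
    if not client_ip or is_denied(client_ip):
        # Reject before looking at credentials; Auth-Wait makes nginx delay the reply.
        return {"Auth-Status": "Access denied", "Auth-Wait": "5"}
    if attempts > MAX_ATTEMPTS:
        return {"Auth-Status": "Too many attempts", "Auth-Wait": "5"}
    user, password = headers.get("Auth-User", ""), headers.get("Auth-Pass", "")
    if not hmac.compare_digest(USERS.get(user, ""), password):
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    return {"Auth-Status": "OK", "Auth-Server": BACKEND[0], "Auth-Port": BACKEND[1]}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # nginx queries auth_http with GET; every decision is an HTTP 200 with Auth-* headers.
        self.send_response(200)
        for name, value in auth_decision(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

With the mail server block listening on port 110 directly rather than behind a stream proxy, Client-IP carries the real peer address, so the deny list applies to the actual client.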
