Opened 2 years ago
Closed 23 months ago
#2566 closed defect (invalid)
mail_proxy_module proxy_smtp_auth not respecting AUTH capabilities of backend
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.22.x |
| Keywords: | Cc: | ||
| uname -a: | Linux localhost 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.22.1
built with OpenSSL 3.0.8 7 Feb 2023 (running with OpenSSL 3.0.11 19 Sep 2023) TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-AoTv4W/nginx-1.22.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_geoip_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_geoip_module=dynamic |
||
Description
When nginx is proxying smtp auth it always uses "AUTH PLAIN <base64-encoded-username-and-passsword>" when trying to authenticate, despite the backend only offers "AUTH LOGIN".
This is the traffic between nginx and the backend:
Change History (3)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
The only AUTH mechanism for SMTP backends nginx supports is AUTH PLAIN. If AUTH PLAIN is not supported by the backend, current behaviour of unconditionally using AUTH PLAIN this is expected to result in a meaningful error message - which can be seen in the listing you've provided. If AUTH PLAIN is not supported by the backend, an obvious fix would be to switch off proxy_smtp_auth.
If you think that this behaviour has some noticeable downsides, and nginx should do something different, for example, parse EHLO AUTH response and fail with an internal error as long AUTH PLAIN is not supported, please elaborate.
comment:3 by , 23 months ago
| Component: | documentation → nginx-module |
|---|---|
| Resolution: | → invalid |
| Status: | new → closed |
Feedback timeout.
Please change the component to "module".