Opened 5 months ago

Closed 5 months ago

#2566 closed defect (invalid)

mail_proxy_module proxy_smtp_auth not respecting AUTH capabilities of backend

Reported by: smoebody@…
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.22.x
Keywords:
Cc:
uname -a: Linux localhost 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.22.1
built with OpenSSL 3.0.8 7 Feb 2023 (running with OpenSSL 3.0.11 19 Sep 2023)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-AoTv4W/nginx-1.22.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_geoip_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_geoip_module=dynamic

Description

When nginx is proxying SMTP auth it always uses "AUTH PLAIN <base64-encoded-username-and-password>" when trying to authenticate, even though the backend only offers "AUTH LOGIN".

This is the traffic between nginx and the backend:

220 exchange-backend Microsoft ESMTP MAIL Service ready at Mon, 20 Nov 2023 12:15:10 +0100
EHLO localhost
250-exchange-backend Hello [10.0.0.11]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
AUTH PLAIN dGVzdAAxMjM0Cg==
504 5.7.4 Unrecognized authentication type

Change History (3)

comment:1 by smoebody@…, 5 months ago

Please change the component to "module".

comment:2 by Maxim Dounin, 5 months ago

The only AUTH mechanism for SMTP backends nginx supports is AUTH PLAIN. If AUTH PLAIN is not supported by the backend, the current behaviour of unconditionally using AUTH PLAIN is expected to result in a meaningful error message - which can be seen in the listing you've provided. If AUTH PLAIN is not supported by the backend, an obvious fix would be to switch off proxy_smtp_auth.

If you think that this behaviour has some noticeable downsides, and nginx should do something different, for example, parse the EHLO AUTH response and fail with an internal error as long as AUTH PLAIN is not supported, please elaborate.

comment:3 by Maxim Dounin, 5 months ago

Component: documentation → nginx-module
Resolution: invalid
Status: new → closed

Feedback timeout.
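
The check mentioned in comment:2 (parsing the EHLO AUTH response) can also be run by an operator against a captured backend reply before enabling proxy_smtp_auth. The following is an added example, not nginx code and not code from this ticket; the function names and the second sample reply are constructed for illustration.

```python
import re

# EHLO reply copied from the backend transcript in this ticket.
TICKET_EHLO = """\
250-exchange-backend Hello [10.0.0.11]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
"""

# Constructed sample: a backend that also offers PLAIN, in the legacy "AUTH=" form.
CONSTRUCTED_EHLO = "250-mail.example.test\r\n250-AUTH=LOGIN PLAIN\r\n250 8BITMIME\r\n"

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def auth_mechanisms(ehlo_reply):
    """Return the set of SASL mechanisms advertised in a multi-line EHLO reply."""
    mechs = set()
    lines = ehlo_reply.splitlines()
    for index, raw in enumerate(lines):
        m = _LINE.match(raw.rstrip())
        if m is None or m.group(1) != "250":
            raise ValueError(f"not a 250 EHLO reply line: {raw!r}")
        sep, text = m.group(2), m.group(3)
        # "250-" continues the reply; "250 " is only valid on the final line.
        if (sep == " ") != (index == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if index == 0:
            continue  # first line is the greeting, not an extension keyword
        # Accept both "AUTH LOGIN PLAIN" and the legacy "AUTH=LOGIN PLAIN".
        kw = re.match(r"(?i)AUTH[ =](.*)$", text)
        if kw:
            mechs.update(word.upper() for word in kw.group(1).split())
    return mechs


def proxy_smtp_auth_usable(ehlo_reply):
    """True only if the backend offers PLAIN, the one mechanism nginx sends."""
    return "PLAIN" in auth_mechanisms(ehlo_reply)
```

For the reply in this ticket the check returns False, which matches the 504 the backend sent in response to AUTH PLAIN.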
