Opened 11 months ago
Closed 10 months ago
#2566 closed defect (invalid)
mail_proxy_module proxy_smtp_auth not respecting AUTH capabilities of backend
Reported by: | | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.22.x |
Keywords: | | Cc: | |
uname -a: | Linux localhost 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux | | |

nginx -V:

```
nginx version: nginx/1.22.1
built with OpenSSL 3.0.8 7 Feb 2023 (running with OpenSSL 3.0.11 19 Sep 2023)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-AoTv4W/nginx-1.22.1=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_geoip_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_geoip_module=dynamic
```
Description
When nginx is proxying smtp auth it always uses "AUTH PLAIN <base64-encoded-username-and-password>" when trying to authenticate, despite the backend only offering "AUTH LOGIN".
This is the traffic between nginx and the backend:
```
220 exchange-backend Microsoft ESMTP MAIL Service ready at Mon, 20 Nov 2023 12:15:10 +0100
EHLO localhost
250-exchange-backend Hello [10.0.0.11]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
AUTH PLAIN dGVzdAAxMjM0Cg==
504 5.7.4 Unrecognized authentication type
```
Change History (3)
comment:1 by , 11 months ago
comment:2 by , 11 months ago
The only AUTH mechanism for SMTP backends nginx supports is AUTH PLAIN. If AUTH PLAIN is not supported by the backend, the current behaviour of unconditionally using AUTH PLAIN is expected to result in a meaningful error message - which can be seen in the listing you've provided. If AUTH PLAIN is not supported by the backend, an obvious fix would be to switch off proxy_smtp_auth.
If you think that this behaviour has some noticeable downsides, and nginx should do something different, for example, parse EHLO AUTH response and fail with an internal error as long as AUTH PLAIN is not supported, please elaborate.
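The EHLO AUTH parsing mentioned in comment:2, written as an operator-side check to run against a backend's EHLO reply before enabling proxy_smtp_auth. This is an added example, not nginx code and not part of the ticket; the function names are hypothetical, and accepting the legacy `AUTH=` keyword form is an assumption of this sketch.

```python
import re

# EHLO reply lines copied from the backend capture in the ticket description.
TICKET_EHLO_REPLY = """\
250-exchange-backend Hello [10.0.0.11]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
"""

# SMTP reply line: three-digit code, "-" (more lines follow) or " " (last line), text.
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo_auth(reply: str) -> set:
    """Return the SASL mechanisms advertised in an EHLO reply, upper-cased."""
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines:
        raise ValueError("empty EHLO reply")
    mechanisms = set()
    for index, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        code, sep, text = m.groups()
        if code != "250":
            raise ValueError(f"EHLO rejected with {code}")
        if (sep == " ") != (index == len(lines) - 1):
            raise ValueError("continuation marker does not match line position")
        if index == 0:
            continue  # first line is the greeting, not an extension keyword
        # Standard form "AUTH m1 m2"; the legacy "AUTH=m1 m2" form is also accepted.
        kw = re.match(r"(?i)AUTH[ =](.*)$", text)
        if kw:
            mechanisms.update(kw.group(1).upper().split())
    return mechanisms


def backend_accepts_plain(reply: str) -> bool:
    """True only if the backend advertises AUTH PLAIN, the one mechanism nginx sends."""
    return "PLAIN" in parse_ehlo_auth(reply)
```

For the reply in this ticket the result is `{"LOGIN"}`, so `backend_accepts_plain` returns `False` and proxy_smtp_auth should stay off for that backend.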
comment:3 by , 10 months ago
Component: | documentation → nginx-module |
---|---|
Resolution: | → invalid |
Status: | new → closed |
Feedback timeout.
Please change the component to "module".