
Everyone! Introduction: I have some devices which work only with TLS 1.1. The new version of MS Exchange doesn't include it and I'm searching for a solution. I found information that Nginx can accept an incoming SMTP TLS 1.1 connection, "digest" it, and forward it with TLS 1.2 (and higher) to another server. *Maybe it is the wrong way. Any advice can help me.

Today I tried it, and this is what I did:

  1. Compiled Nginx with: `--with-mail --with-mail_ssl_module --with-openssl=OpenSSL_1_1_1`
  2. Created a simple auth script, which checks and responds:

```
Auth-Status: OK
Auth-Server: 172.16.2.8   <-- IP address of the MS Exchange mail server
Auth-Port: 25
```

The Python script is below:

```python
from flask import Flask, request, Response

app = Flask(__name__)


@app.route("/auth", methods=["GET", "POST"])
def auth():
    # Headers that nginx's mail module sends to the auth_http backend
    username = request.headers.get("Auth-User")
    client_ip = request.headers.get("Client-IP")
    print(f"[auth] User: {username}, IP: {client_ip}")
    # The Auth-* lines are returned in the response body here
    return Response(
        "Auth-Status: OK\r\n"
        "Auth-Server: 172.16.2.8\r\n"
        "Auth-Port: 25\r\n",
        mimetype="text/plain",
    )


if __name__ == "__main__":
    app.run(host="127.0.0.1", port=9000)
```

  3. Created the configuration in nginx.conf:

```nginx
mail {
    server_name nginx.example.com;      # DNS name of the Nginx server
    auth_http   localhost:9000/auth;    # authorization script
    proxy_pass_error_message on;

    error_log /var/log/nginx/mail_error.log debug;

    ssl on;
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols TLSv1 TLSv1.1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        listen 25;
        protocol smtp;
        smtp_auth login plain cram-md5;
    }

    server {
        listen 110;
        protocol pop3;
        pop3_auth plain apop cram-md5;
    }

    server {
        listen 143;
        protocol imap;
    }
}
```

When I try to connect on port 25, I don't see Nginx trying to forward the request to MS Exchange. I analyzed the traffic using tcpdump and see only the incoming connection and Nginx's response to the client.

In the file /var/log/nginx/mail_error.log:

```
2025/04/15 12:52:41 [info] 71066#0: *6 client 10.172.4.23:41638 connected to 0.0.0.0:25
```

Visualization: picture1

  • "Created simple auth-script, ..." - please provide the script. "see only incoming connection and respond Nginx to client" - more details about the actual traffic would be useful. Please use tools like swaks to provide details about the exchange between the client and nginx. Please provide this information by editing the question, not by dumping it in a comment. Commented Apr 15 at 13:22
  • Did you check that your auth server a) is running (nginx expects it to run, it will not start it) and b) provides the expected response? Commented Apr 15 at 13:34
  • Apart from that, all the ports you have configured are generally used without encryption. SMTPS is used on port 465, POP3S on 995, IMAPS on 993. Commented Apr 15 at 13:46
  • The Auth-... lines should be sent as HTTP headers in the auth script, not as the HTTP body. Commented Apr 15 at 14:13
  • @SteffenUllrich, you are absolutely right. I changed it and my traffic started to be redirected. Thank you very much! Commented Apr 15 at 14:25

1 Answer

The problem was that I sent the HTTP response as the HTTP body. It has to be sent as HTTP headers.

Thank you @SteffenUllrich for solution!

Updated script:

```python
from flask import Flask, request, Response

app = Flask(__name__)


@app.route("/auth", methods=["GET", "POST"])
def auth():
    # Headers that nginx's mail module sends to the auth_http backend
    username = request.headers.get("Auth-User")
    client_ip = request.headers.get("Client-IP")
    print(f"[auth] User: {username}, IP: {client_ip}")
    # nginx reads its answer from the response headers, so send them as headers
    headers = {
        "Auth-Status": "OK",
        "Auth-Server": "172.16.2.8",
        "Auth-Port": "25",
    }
    return Response("", headers=headers, mimetype="text/plain")


if __name__ == "__main__":
    app.run(host="127.0.0.1", port=9000)
```
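As an added example (not the poster's script), the same auth_http exchange written with only the standard library, this time actually checking the credentials nginx passes in Auth-User/Auth-Pass and answering a failed login with the error status and Auth-Wait headers that nginx's mail module understands. The credential table and the backend address 172.16.2.8 are constructed stand-ins.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credential store: username -> password. A real backend would
# check a directory service; this is only a stand-in for the example.
USERS = {"device01": "s3cret-device-pw"}
BACKEND_SERVER = "172.16.2.8"   # constructed stand-in for the Exchange host
BACKEND_PORT = "25"


def auth_decision(req_headers):
    """Map the headers nginx sends (Auth-User, Auth-Pass, Auth-Login-Attempt,
    Client-IP, ...) to the headers nginx reads back. Everything nginx acts on
    must be a response *header*; the response body is ignored."""
    h = {k.lower(): v for k, v in req_headers.items()}
    user = h.get("auth-user", "")
    password = h.get("auth-pass", "")
    expected = USERS.get(user)
    # Constant-time comparison: a wrong username and a wrong password are
    # rejected in the same time.
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return {"Auth-Status": "OK",
                "Auth-Server": BACKEND_SERVER,
                "Auth-Port": BACKEND_PORT}
    # Any status other than "OK" is relayed to the client as the error text;
    # Auth-Wait makes nginx pause (seconds) before the client may retry.
    attempt = int(h.get("auth-login-attempt", "1") or 1)
    return {"Auth-Status": "Invalid login or password",
            "Auth-Wait": str(min(3 * attempt, 30))}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        decision = auth_decision(dict(self.headers))
        self.send_response(200)
        for name, value in decision.items():
            self.send_header(name, value)   # headers, not body
        self.end_headers()                  # an empty body is fine

    do_POST = do_GET

    def log_message(self, *args):           # keep the console quiet
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```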
