nginx@nginx.org

Mail proxy with SNI

lblankers
29.03.2013 21:30 UTC
Hi,

I would like to use nginx 1.2.1 with TLS SNI support to proxy SMTP
submission for several different domains over SSL. I would expect that if I
configure multiple servers with different server names that a TLS v1 client
will select the correct one through SNI. However I always get the first
certificate regardless of the hostname specified in ClientHello.

Is there something wrong with my config?

mail {
    auth_http 127.0.0.1/auth.php;

    smtp_auth login plain;
    smtp_capabilities "SIZE 10240000" "VRFY" "ETRN"
                      "ENHANCEDSTATUSCODES" "8BITMIME" "DSN";

    server {
        listen 587;
        server_name domain1.nl;
        protocol smtp;
        proxy on;
        starttls only;
        ssl_certificate /etc/nginx/ssl/domain1.crt;
        ssl_certificate_key /etc/nginx/ssl/domain1.key;
    }

    server {
        listen 587;
        server_name domain2.com;
        protocol smtp;
        proxy on;
        starttls only;
        ssl_certificate /etc/nginx/ssl/domain2.crt;
        ssl_certificate_key /etc/nginx/ssl/domain2.key;
    }
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,237967,237967#msg-237967

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
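To reproduce the observation in the post above from the client side, here is an added probe script that is not part of the original post and not nginx's own tooling: it runs openssl s_client with -starttls smtp and an explicit -servername, then lists the DNS names in the certificate that comes back for each SNI value. mail.example.net, port 587 and the domain names on the command line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from nginx. Probes an SMTP submission
# port with STARTTLS and a chosen SNI name and prints the DNS names in the
# certificate the server sends back. If the names never change with the SNI
# value, the server is ignoring server_name, which is what the original post
# describes. Host, port and domain names on the command line are placeholders.
#
# Usage: sh sni-probe.sh HOST PORT NAME [NAME...]
#   e.g. sh sni-probe.sh mail.example.net 587 domain1.nl domain2.com

# Read `openssl x509 -noout -ext subjectAltName` output on stdin and print the
# DNS: entries, one per line, in certificate order.
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Exit 0 if some line on stdin equals $1 (case-insensitive), else 1.
# Wildcard entries such as *.example are compared literally, not expanded.
contains_name() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' | grep -qxF -- "$want"
}

# Print the SAN DNS names presented for SNI=$3 on $1:$2.
# s_client does the EHLO/STARTTLS exchange itself; -servername is explicit
# because the name under test is deliberately different from the connect host.
cert_names_for_sni() {
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$3" \
        </dev/null 2>/dev/null \
      | openssl x509 -noout -ext subjectAltName 2>/dev/null \
      | san_dns_names
}

# Report whether the certificate returned for SNI=$3 actually covers $3.
check_sni() {
    names=$(cert_names_for_sni "$1" "$2" "$3")
    if printf '%s\n' "$names" | contains_name "$3"; then
        echo "OK   $3 -> $(printf '%s' "$names" | tr '\n' ' ')"
        return 0
    fi
    echo "FAIL $3 -> $(printf '%s' "$names" | tr '\n' ' ')"
    return 1
}

if [ $# -ge 3 ]; then
    host=$1; port=$2; shift 2
    rc=0
    for sni in "$@"; do
        check_sni "$host" "$port" "$sni" || rc=1
    done
    exit $rc
fi
```

Run it once per name you expect the server to have a certificate for; a server that honours SNI prints OK for each, one that does not prints the same name list for every SNI value and FAIL for all but one. `openssl x509 -ext` needs OpenSSL 1.1.1 or later; on older builds use `openssl x509 -noout -text` in that stage, the sed pattern still finds the SAN line. The script only reads names, it does not validate the chain, so a match here is not a substitute for a verified connection.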
Valentin V. Bartenev
29.03.2013 22:25 UTC
On Saturday 30 March 2013 01:30:21 lblankers wrote:
> Hi,
>
> I would like to use nginx 1.2.1 with TLS SNI support to proxy SMTP
> submission for several different domains over SSL. I would expect that if I
> configure multiple servers with different server names that a TLS v1 client
> will select the correct one through SNI. However I always get the first
> certificate regardless of the hostname specified in ClientHello.
>
> Is there something wrong with my config?
>

The problem is that TLS SNI currently is not supported in mail proxy.

wbr, Valentin V. Bartenev

--
http://nginx.org/en/donation.html

Phil Pennock
30.03.2013 00:12 UTC
On 2013-03-30 at 02:24 +0400, Valentin V. Bartenev wrote:
> On Saturday 30 March 2013 01:30:21 lblankers wrote:
> > I would like to use nginx 1.2.1 with TLS SNI support to proxy SMTP
> > submission for several different domains over SSL. I would expect that if I
> > configure multiple servers with different server names that a TLS v1 client
> > will select the correct one through SNI. However I always get the first
> > certificate regardless of the hostname specified in ClientHello.
> >
> > Is there something wrong with my config?
> >
>
> The problem is that TLS SNI currently is not supported in mail proxy.

If someone needs TLS SNI with SMTP right now, Exim supports this. It's
not designed to be as scalable as nginx in performance, but it does okay
for most folks' purposes.

(Support added in 4.80, released 2012-05-31; 4.80.1 is current)
