1 (edited by legendsxxxhunter 2024-07-08 19:30:11)

Topic: SMTP Port 25 Issue on Nginx Mail Proxy

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.8
- Deployed with iRedMail Easy or the downloadable installer? Downloadable Installer
- Linux/BSD distribution name and version: Ubuntu 20.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NginX
- Manage mail accounts with iRedAdmin-Pro? No
====

I set up an Nginx mail proxy server and configured it to distribute to several mail servers as a front-end server. However, I need to open port 25 in the configuration; otherwise, I cannot receive mail. When I open port 25, I have to enable the smtp_auth plain login feature; otherwise, if someone knows my email address, they can send mail without a password.

When I enable the smtp_auth feature, I can't receive emails when someone sends an email to my address from outside.

For example, when I try to send an email from Gmail to my server, the message returned by Gmail mail delivery is as follows:

The remote server's response was:
530 5.7.1 Authentication required

How can I resolve this issue?

/etc/nginx/nginx.conf (mail {} block)

mail {
    server_name              mail.proxyserver.com;
    # auth_http is asked once per client connection and answers with
    # Auth-Status / Auth-Server / Auth-Port (or an error)
    auth_http                localhost/auth/auth.php;

    pop3_capabilities        "TOP" "USER" "UIDL" "PIPELINING" "SASL";
    imap_capabilities        "IMAP4rev1" "UIDPLUS" "IDLE" "LITERAL+" "QUOTA";
    smtp_capabilities        "SIZE 53477376" "8BITMIME" "ENHANCEDSTATUSCODES" "PIPELINING" "DSN";

    proxy                    on;
    proxy_pass_error_message on;
    proxy_timeout            300s;

    # TLS settings shared by every listener below
    starttls                 on;
    ssl_protocols            TLSv1.2 TLSv1.3;
    ssl_ciphers              HIGH:!ADH:!MD5:@STRENGTH;
    ssl_session_cache        shared:TLSSL:16m;
    ssl_session_timeout      10m;
    ssl_certificate          /etc/letsencrypt/live/mail.proxyserver.com/fullchain.pem;
    ssl_certificate_key      /etc/letsencrypt/live/mail.proxyserver.com/privkey.pem;
    ssl_dhparam              /etc/ssl/certs/dhparam.pem;

    # Port 25: inbound MX traffic from other mail servers.
    # "starttls only" refuses any command before STARTTLS.
    server {
        listen     25;
        listen     [::]:25;
        protocol   smtp;
        starttls   only;
        smtp_auth  none; # my problem
        xclient    off;  # backend sees the proxy's address as the client
    }

    # Port 465: submission over implicit TLS
    server {
        listen     465 ssl;
        listen     [::]:465 ssl;
        protocol   smtp;
    }

    # Port 587: submission with mandatory STARTTLS
    server {
        listen     587;
        listen     [::]:587;
        protocol   smtp;
        starttls   only;
    }

    # POP3: 110 with mandatory STARTTLS, 995 over implicit TLS
    server {
        listen     110;
        listen     [::]:110;
        protocol   pop3;
        starttls   only;
    }

    server {
        listen     995 ssl;
        listen     [::]:995 ssl;
        protocol   pop3;
    }

    # IMAP: 143 with mandatory STARTTLS, 993 over implicit TLS
    server {
        listen     143;
        listen     [::]:143;
        protocol   imap;
        starttls   only;
    }

    server {
        listen     993 ssl;
        listen     [::]:993 ssl;
        protocol   imap;
    }
}


2

Re: SMTP Port 25 Issue on Nginx Mail Proxy

Your configuration looks more like an open relay without any authentication at all, and I don't see how this is related to iRedMail, since this question only relates to Nginx and a 3rd-party integration you did on your own.

iRedMail doesn't allow auth on port 25 at all; it is only used for incoming mail, as it is by default for every server.

What do you want to achieve with your setup?

3

Re: SMTP Port 25 Issue on Nginx Mail Proxy

Cthulhu wrote:

Your configuration looks more like an open relay without any authentication at all, and I don't see how this is related to iRedMail, since this question only relates to Nginx and a 3rd-party integration you did on your own.

iRedMail doesn't allow auth on port 25 at all; it is only used for incoming mail, as it is by default for every server.

What do you want to achieve with your setup?

I wanted to write on the iRedMail forum because I believe there might be people who have experience with this topic.

What I want is to be able to reach all my mail servers through a single MX address.

Let the MX address be -> mail.xxx.com.

Let’s have 3 mail servers. A -> mailserver1.xxx.com, B -> mailserver2.xxx.com, C -> mailserver3.com.

iRedMail will be installed on the mail servers. The clients and domains within the mail servers will be different. A client or domain on server A will not be on server B.

In this case, there is a need for an authentication server. I tried to do this through mail.xxx.com using an Nginx proxy. I configured the SASL settings on Postfix and Dovecot and used the above-mentioned Nginx configuration to determine which domain belongs to which server via auth.php, and then redirected to that server. I did this using Auth-Server and Auth-Port.

However, I have to open port 25 on Nginx, i.e., on the mail.xxx.com server; otherwise, incoming mail does not arrive. But when I open it, I need to set smtp_auth to none; otherwise, incoming mail gets stuck at authentication.

Now you understand my goal, I want to make all my servers addressable from a single address. Is there a more secure and easier way to do this? Or is it reasonable to set up an authentication server using NGINX?

If it is reasonable, when I open port 25 on Nginx, smtp_auth needs to be turned off. When I turn it off, both outbound and inbound processes can be performed. I want to prevent this, so that mail can only be received, not sent.

Actually, a logical solution comes to my mind for this. Let me share it with you to see if you think my solution makes sense.

I can secure port 25 for receiving mail only in the following way. I can get the RCPT TO address the mail is destined for via $_SERVER["HTTP_AUTH_SMTP_TO"] in auth.php. If the domain here matches one of the domains on my servers, I allow it through; if it does not match, I do not. And I perform this check only for port 25. We can also check from which port the transaction is being made with auth_http_header PORT 25;. This way, only incoming mail is allowed on port 25. This seems secure to me. But do you think this configuration is reasonable? Is there a more secure and easier way? I am asking everyone who has knowledge on this topic.

I wrote in detail on purpose, so that nothing confuses you. I want people who research these topics like me in the future to see and understand the process. That's why I'm explaining in detail.

Thanks in advance to everyone who will help.
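The following is an added example of the auth_http side of the scheme proposed in the post above; it is not the poster's auth.php and not part of the original thread. It is written in Python rather than PHP so the whole decision fits in one file. Assumptions, all hypothetical: the port-25 server block carries `auth_http_header PORT 25;` as the post proposes, so requests from that listener arrive with a `PORT: 25` header; a constructed domain-to-backend table with documentation-range IPs stands in for mailserver1/2.xxx.com (nginx does not resolve hostnames in Auth-Server, so addresses are required); and a constructed in-memory credential table replaces the MySQL/Dovecot lookup. The port-25 branch does exactly what the post describes: with smtp_auth none, accept only recipients in hosted domains and route them, and answer everything else with a 554 relay denial via Auth-Error-Code. The other branch covers 465/587 and IMAP/POP3, where the client must authenticate.

```python
"""nginx auth_http decision service for an MX proxy in front of several mail hosts."""
from __future__ import annotations

import hashlib
import hmac
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed routing table: hosted domain -> backend address. nginx does not
# resolve names in Auth-Server, so these are IPs (documentation range here).
BACKENDS: dict[str, str] = {
    "example.com": "192.0.2.10",  # stands in for mailserver1.xxx.com
    "example.net": "192.0.2.20",  # stands in for mailserver2.xxx.com
}
BACKEND_PORTS = {"smtp": 587, "imap": 143, "pop3": 110}  # authenticated protocols
MX_PORT_HEADER = "25"  # value carried by `auth_http_header PORT 25;` on the MX listener


def _hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential store: user -> (salt, digest). The poster's setup would
# look these up in the iRedMail MySQL/Dovecot backend instead.
USERS: dict[str, tuple[str, str]] = {"alice@example.com": ("s1", _hash("s1", "correct horse"))}

_ANGLE_ADDR = re.compile(r"<\s*([^<>\s]+)\s*>")


def address_domain(value: str) -> str | None:
    """Domain of an address given as a raw 'RCPT TO:<u@d>' command (Auth-SMTP-To)
    or a bare 'u@d' login name (Auth-User); None when there is no usable address."""
    m = _ANGLE_ADDR.search(value)
    addr = m.group(1) if m else value.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")


def reject(status: str, smtp_code: str) -> dict[str, str]:
    # Auth-Error-Code replaces nginx's default "535 5.7.0" reply on SMTP listeners.
    return {"Auth-Status": status, "Auth-Error-Code": smtp_code, "Auth-Wait": "3"}


def decide(request_headers: dict[str, str]) -> dict[str, str]:
    """Map the headers nginx sent to the Auth-* headers it expects back."""
    h = {k.lower(): v for k, v in request_headers.items()}
    protocol, method = h.get("auth-protocol", ""), h.get("auth-method", "")

    if protocol == "smtp" and h.get("port") == MX_PORT_HEADER:
        # Port 25 (smtp_auth none): the only decision is whether we host the
        # recipient's domain and, if so, which backend gets the session.
        if method != "none":
            return reject("Authentication not allowed on this port", "503 5.5.1")
        domain = address_domain(h.get("auth-smtp-to", ""))
        if domain is None:
            return reject("Bad recipient address syntax", "501 5.1.3")
        if domain not in BACKENDS:
            return reject("Relay access denied", "554 5.7.1")
        return {"Auth-Status": "OK", "Auth-Server": BACKENDS[domain], "Auth-Port": "25"}

    # 465/587 and IMAP/POP3: the client must authenticate. For SMTP submission
    # nginx never replays the password to the backend, so this is the only gate.
    if method not in ("plain", "login"):
        return reject("Unsupported authentication method", "504 5.5.4")
    user, password = h.get("auth-user", ""), h.get("auth-pass", "")
    record, domain = USERS.get(user), address_domain(user)
    if record is None or domain not in BACKENDS or protocol not in BACKEND_PORTS:
        return reject("Invalid login or password", "535 5.7.8")
    salt, digest = record
    if not hmac.compare_digest(digest, _hash(salt, password)):
        return reject("Invalid login or password", "535 5.7.8")
    return {"Auth-Status": "OK", "Auth-Server": BACKENDS[domain],
            "Auth-Port": str(BACKEND_PORTS[protocol])}


class AuthHandler(BaseHTTPRequestHandler):
    """HTTP side of the protocol: nginx issues one GET per client connection."""

    def do_GET(self) -> None:
        self.send_response(200)
        for name, value in decide(dict(self.headers.items())).items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *_: object) -> None:  # keep credentials out of stderr
        pass


if __name__ == "__main__":
    # Loopback only: this service sees plaintext passwords and picks backends.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Point nginx at it with something like `auth_http 127.0.0.1:9000/auth;` (hypothetical address). Two caveats a practitioner should keep in mind. First, for an unauthenticated SMTP session nginx consults the auth server once, carrying the first RCPT TO; further recipients and the rest of the session go straight to the chosen backend, so that backend's Postfix must still enforce its own relay restrictions, and with `xclient off` it sees the proxy's address as the client, so the proxy must not be listed in the backend's trusted networks. Second, on the submission ports the auth server is the only place the password is checked for SMTP, because nginx does not forward the credentials to the SMTP backend; whether the backend then accepts the proxied submission session at all is a Postfix-side question this example does not settle.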

4

Re: SMTP Port 25 Issue on Nginx Mail Proxy

Port 25 should be used to receive emails, and sending should go through port 465 or 587 instead.
So no smtp auth should be enabled for port 25.