Can Nginx be a mail proxy for a backend server that does not accept cleartext logins?
Preferably I'd like to know what directive to include so that it will invoke STARTTLS/STLS, but communication via IMAPS or POP3S is sufficient.
relevant(?) section of nginx.conf
mail {
    auth_http localhost:80/mailproxy/auth.php;
    proxy on;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 SSLv3;
    ssl_ciphers HIGH:!ADH:!MD5:@STRENGTH;
    ssl_session_cache shared:TLSSL:16m;
    ssl_session_timeout 10m;
    ssl_certificate /etc/ssl/private/hostname.crt;
    ssl_certificate_key /etc/ssl/private/hostname.key;

    imap_capabilities "IMAP4rev1" "UIDPLUS";
    server {
        protocol imap;
        listen 143;
        starttls on;
    }
    server {
        protocol imap;
        listen 993;
        ssl on;
    }

    pop3_capabilities "TOP" "USER";
    server {
        protocol pop3;
        listen 110;
        starttls on;
        pop3_auth plain;
    }
    server {
        protocol pop3;
        listen 995;
        ssl on;
        pop3_auth plain;
    }
}
You can just use the stunnel service in client mode to listen for unencrypted traffic at localhost and then pass it on to the SSL backend. Example configuration:
Then point nginx to localhost:1110 as backend and it will in fact connect to GMail's POP3 server over SSL.

Someone has been working on a branch which implements SSL backend support. I believe it is still experimental and is built against 1.0.11, but it should be at least one to watch: https://github.com/druga/unuzbl/tree/master/nginx-temp
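An stunnel client-mode configuration of the kind this answer describes, as an added example that is not part of the original answer. The service names, the IMAP listener on port 1143 and the CA bundle path are assumptions; it goes beyond the answer's POP3 case by adding IMAP and by turning on certificate verification, which stunnel does not do by default in client mode.

```ini
; stunnel client-mode configuration (added example, constructed for illustration).
; nginx speaks cleartext POP3/IMAP to the loopback listeners below and
; stunnel wraps each connection in TLS before it leaves the host.

[pop3-backend]
client = yes
; Bind to loopback only, so the cleartext leg is never reachable from the network.
accept = 127.0.0.1:1110
connect = pop.gmail.com:995
; Without verifyChain/checkHost stunnel accepts any certificate the backend
; presents, which leaves the proxied credentials open to interception.
verifyChain = yes
checkHost = pop.gmail.com
; Assumed path: the distribution's CA bundle (Debian/Ubuntu location shown).
CAfile = /etc/ssl/certs/ca-certificates.crt

[imap-backend]
client = yes
; Assumed local port for the IMAP leg; any free loopback port works.
accept = 127.0.0.1:1143
connect = imap.gmail.com:993
verifyChain = yes
checkHost = imap.gmail.com
CAfile = /etc/ssl/certs/ca-certificates.crt
```

The nginx mail module takes its backend from the `auth_http` response, so the auth script would answer with `Auth-Status: OK`, `Auth-Server: 127.0.0.1` and `Auth-Port: 1110` (or `1143` for IMAP). `Auth-Server` has to be an IP address, not a hostname.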
Not really an answer to your question but it may help future readers like me.
Perdition is another mail proxy that is able to handle both plain-text and SSL/TLS encrypted connections.
A quick presentation of both nginx and perdition: http://fr.slideshare.net/jpmens/the-perdition-and-nginx-imap-proxies
Could this link be of any help:
I think it answers a few of your questions: http://wiki.nginx.org/MailSslModule