nginx.git/src/mail/ngx_mail_auth_http_module.c, branch release-1.30.0 nginx Mail: fixed clearing s->passwd in auth http requests. 2026-03-24T14:46:36+00:00 Sergey Kandaurov pluknet@nginx.com 2026-03-18T12:39:37+00:00 9bc13718fe8a59a4538805516be7e141070c22d6 Previously, it was not properly cleared retaining length as part of authenticating with CRAM-MD5 and APOP methods that expect to receive password in auth response. This resulted in null pointer dereference and worker process crash in subsequent auth attempts with CRAM-MD5. Reported by Arkadi Vainbrand. 
Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response.  This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.

Reported by Arkadi Vainbrand.
Mail: reset stale auth credentials with "smtp_auth none;". 2025-08-13T14:20:34+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-07T19:48:44+00:00 9c02c84a7443f3d736a1a5eb3f596de9af8a0c9c They might be reused in a session if an SMTP client proceeded unauthenticated after previous invalid authentication attempts. This could confuse an authentication server when passing stale credentials along with "Auth-Method: none". The condition to send the "Auth-Salt" header is similarly refined. 
They might be reused in a session if an SMTP client proceeded
unauthenticated after previous invalid authentication attempts.
This could confuse an authentication server when passing stale
credentials along with "Auth-Method: none".

The condition to send the "Auth-Salt" header is similarly refined.
Mail: Auth-SSL-Protocol and Auth-SSL-Cipher headers (ticket #2134). 2021-08-13T07:57:47+00:00 Rob Mueller robm@fastmail.fm 2021-08-13T07:57:47+00:00 d4dad02e5ecd523f896a87a08a6582853d83a14d This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to the mail proxy auth protocol when SSL is enabled. This can be useful for detecting users using older clients that negotiate old ciphers when you want to upgrade to newer TLS versions of remove suppport for old and insecure ciphers. You can use your auth backend to notify these users before the upgrade that they either need to upgrade their client software or contact your support team to work out an upgrade path. 
This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to
the mail proxy auth protocol when SSL is enabled.

This can be useful for detecting users using older clients that
negotiate old ciphers when you want to upgrade to newer
TLS versions of remove suppport for old and insecure ciphers.
You can use your auth backend to notify these users before the
upgrade that they either need to upgrade their client software
or contact your support team to work out an upgrade path.
Mail: fixed build without SSL. 2021-03-11T01:46:26+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-11T01:46:26+00:00 3bbec30739b17783394e34924ca732b946550323 Broken by d84f13618277 and 12ea1de7d87c (1.19.8). Reported by Sergey Osokin. 
Broken by d84f13618277 and 12ea1de7d87c (1.19.8).

Reported by Sergey Osokin.
Mail: parsing of the PROXY protocol from clients. 2021-03-05T14:16:24+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-05T14:16:24+00:00 1fce224f01b5a9b503315bd24e99421e5ca5bd7c Activated with the "proxy_protocol" parameter of the "listen" directive. Obtained information is passed to the auth_http script in Proxy-Protocol-Addr, Proxy-Protocol-Port, Proxy-Protocol-Server-Addr, and Proxy-Protocol-Server-Port headers. 
Activated with the "proxy_protocol" parameter of the "listen" directive.
Obtained information is passed to the auth_http script in Proxy-Protocol-Addr,
Proxy-Protocol-Port, Proxy-Protocol-Server-Addr, and Proxy-Protocol-Server-Port
headers.
Mail: made auth http creating request easier to extend. 2021-03-05T14:16:23+00:00 Maxim Dounin mdounin@mdounin.ru 2021-03-05T14:16:23+00:00 72dcd5141b32fccdcd241cc031972f51874ceb41 






Mail: support SASL EXTERNAL (RFC 4422).
2016-10-08T07:05:00+00:00

Rob N ★
robn@fastmail.com

2016-10-08T07:05:00+00:00

66c23edf6308867572d5c4b8341e7a3fe7e97864

This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.

This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.





This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.

This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.







Fixed build on MSVC.
2016-06-20T12:11:50+00:00

Roman Arutyunyan
arut@nginx.com

2016-06-20T12:11:50+00:00

9810fd06cb3358dbc880ccfcb30a49e693623d0c












Introduced ngx_inet_get_port() and ngx_inet_set_port() functions.
2016-06-20T08:50:39+00:00

Roman Arutyunyan
arut@nginx.com

2016-06-20T08:50:39+00:00

5b201ac31f968d13f1165e7f29967e5826ccb9a1












Fixed logging.
2016-03-30T23:33:57+00:00

Sergey Kandaurov
pluknet@nginx.com

2016-03-30T23:33:57+00:00

00ef9ff5f03ce7e98ba64c3644da25e5a0d659fc