<?xml version="1.0"?>

<!--
  Copyright (C) 2006, 2007 Anton Yuzhaninov
  Copyright (C) Nginx, Inc.
  -->

<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

<module name="Module ngx_mail_auth_http_module"
        link="/en/docs/mail/ngx_mail_auth_http_module.html"
        lang="en"
        rev="1">

<section id="directives" name="Directives">

<directive name="auth_http">
<syntax><value>URL</value></syntax>
<default/>
<context>mail</context>
<context>server</context>

<para>
Sets the URL of the HTTP authentication server.
The protocol is described below.
</para>

</directive>


<directive name="auth_http_header">
<syntax><value>header</value> <value>value</value></syntax>
<default/>
<context>mail</context>
<context>server</context>

<para>
Appends the specified header to requests to the authentication server.
This header can be used as the shared secret to verify
that the request comes from nginx.
For example:
<example>
auth_http_header X-Auth-Key "secret_string";
</example>
</para>

</directive>


<directive name="auth_http_timeout">
<syntax><value>time</value></syntax>
<default>60s</default>
<context>mail</context>
<context>server</context>

<para>
</para>

</directive>

</section>


<section id="protocol" name="Protocol">

<para>
The HTTP is used to communicate with the authentication server.
The data in the response body is ignored, and the information is passed only in
the headers.
</para>

<para>
Examples of requests and responses:
</para>

<para>
Request:
<example>
GET /auth HTTP/1.0
Host: localhost
Auth-Method: plain # plain/apop/cram-md5
Auth-User: user
Auth-Pass: password
Auth-Protocol: imap # imap/pop3/smtp
Auth-Login-Attempt: 1
Client-IP: 192.0.2.42
Client-Host: client.example.org
</example>
Good response:
<example>
HTTP/1.0 200 OK
Auth-Status: OK
Auth-Server: 198.51.100.1
Auth-Port: 143
</example>
Bad response:
<example>
HTTP/1.0 200 OK
Auth-Status: Invalid login or password
Auth-Wait: 3
</example>
</para>

<para>
If there is no <header>Auth-Wait</header> header,
an error will be returned and the connection will be closed.
The current implementation allocates memory for each authentication attempt.
The memory is freed only at the end of a session.
Therefore, the number of invalid authentication attempts in a single session
must be limited — the server must respond without
the <header>Auth-Wait</header> header after 10-20 attempts
(the attempt number is passed in the <header>Auth-Login-Attempt</header>
header).
</para>

<para>
When the APOP or CRAM-MD5 are used, a request-response will look as follows.
<example>
GET /auth HTTP/1.0
Host: localhost
Auth-Method: apop
Auth-User: user
Auth-Salt: &lt;238188073.1163692009@mail.example.com&gt;
Auth-Pass: auth_response
Auth-Protocol: imap
Auth-Login-Attempt: 1
Client-IP: 192.0.2.42
Client-Host: client.example.org
</example>
Good response:
<example>
HTTP/1.0 200 OK
Auth-Status: OK
Auth-Server: 198.51.100.1
Auth-Port: 143
Auth-Pass: plain-text-pass
</example>
</para>

<para>
For the SMTP, the response additionally takes into account
the <header>Auth-Error-Code</header> header — if exists, it is used
as a response code in case of an error.
Otherwise, the 535 5.7.0 code will be added to
the <header>Auth-Status</header>.
</para>

<para>
For example, if the following response is received
from the authentication server:
<example>
HTTP/1.0 200 OK
Auth-Status: Temporary server problem, try again later
Auth-Error-Code: 451 4.3.0
Auth-Wait: 3
</example>
then the SMTP client will receive an error
<example>
451 4.3.0 Temporary server problem, try again later
</example>
</para>

<para>
If proxying SMTP does not require authentication,
a request will look as follows.
<example>
GET /auth HTTP/1.0
Host: localhost
Auth-Method: none
Auth-User:
Auth-Pass:
Auth-Protocol: smtp
Auth-Login-Attempt: 1
Client-IP: 192.0.2.42
Client-Host: client.example.org
Auth-SMTP-Helo: client.example.org
Auth-SMTP-From: MAIL FROM: &lt;&gt;
Auth-SMTP-To: RCPT TO: &lt;postmaster@mail.example.com&gt;
</example>
</para>

</section>

</module>