How important is tunneling IMAP and SMTP through nginx?

cliffmccarthy · August 11, 2025, 3:54pm

Delta Chat version

chatmail relay 1.6.0

Details

The nginx.conf created on the chatmail server by the deployment process has a ‘stream’ section that uses ALPN to support tunneling IMAP and SMTP through port 443:

github.com/chatmail/relay

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

main


      
          
          events {
                  # Increase to avoid errors such as
                  #   768 worker_connections are not enough while connecting to upstream
                  # in the logs.
                  # <https://nginx.org/en/docs/ngx_core_module.html#worker_connections>
          	worker_connections 2048;
          	# multi_accept on;
          }
          
          stream {
                  map $ssl_preread_alpn_protocols $proxy {
                      default 127.0.0.1:8443;
                      ~\bsmtp\b 127.0.0.1:465;
                      ~\bimap\b 127.0.0.1:993;
                  }
          
                  server {
                          listen 443;
                          {% if not disable_ipv6 %}
                          listen [::]:443;

How important is this functionality? Is limiting traffic to port 443 common, or just something that happens on certain private networks?

A side effect of the stream forwarding is that all HTTPS connections to nginx appear to come from 127.0.0.1. Is that intentional, to avoid logging client IP addresses? (The other services log IP addresses when connected to directly, so I don’t imagine nginx logging them would be a problem, but I’m curious to know what the design goals are.)

link2xt · August 11, 2025, 4:18pm

It happens with a lot of free proxies so if user has to use a proxy because their internet connection is restricted, they likely can only connect to port 80 and port 443.