
Postfix 2.10 / haproxy 1.5-dev17 / proxy protocol

  • Laurent CARON
    Message 1 of 3 , Mar 6, 2013
      Hi,

      I'm currently upgrading from postfix 2.9 to 2.10 with haproxy 1.5-dev17.

      So far, everything works fine with:
      :/etc/haproxy/haproxy.cfg:

      frontend ft_smtps
      bind :465
      mode tcp
      default_backend bk_smtps

      frontend ft_submission
      bind :587
      mode tcp
      default_backend bk_submission

      backend bk_smtps
      mode tcp
      balance source
      stick store-request src
      stick-table type ip size 200k
      server smtps_mailout-vty-001 192.168.100.16:1465 weight 200 check
      server smtps_mailout-vty-002 192.168.100.17:1465 weight 200 check

      backend bk_submission
      mode tcp
      balance source
      stick store-request src
      stick-table type ip size 200k
      server submission_mailout-vty-001 192.168.100.16:1587 send-proxy weight 200 check
      server submission_mailout-vty-002 192.168.100.17:1587 send-proxy weight 200 check

      So far, everything works as expected between haproxy and postfix as long
      as I use the submission port.

      When using the SSMTP port *and* send-proxy it fails.

      The workaround so far has then been to:
      :main.cf:
      - remove smtpd_upstream_proxy_protocol=haproxy
      - remove smtpd_upstream_proxy_timeout=5s
      :master.cf:
      - add -o smtpd_upstream_proxy_protocol=haproxy
      - add -o smtpd_upstream_proxy_timeout=5s

      leading to the use of the proxy protocol only for submission but not for
      SMTPS.

      Did I miss something obvious ?

      Thanks

      Laurent
    • Wietse Venema
      Message 2 of 3 , Mar 6, 2013
        Laurent CARON:
        > When using the SSMTP port *and* send-proxy it fails.
        ...
        > Did I miss something obvious ?

        Yes. Unlike (port 25) smtp and (port 587) submission, the obsolete
        and deprecated ssmtp service has no plain-text phase before the TLS
        handshake.

        This means that an obsolete and deprecated ssmtp server does not
        send or receive any network data before the TLS handshake completes.

        Considering that ssmtp was already obsolete and deprecated 10 years
        ago when TLS was added to Postfix, I see no urgency to add new code
        for it.

        Wietse
      • Laurent CARON
        Message 3 of 3 , Mar 7, 2013
          On 06/03/2013 16:29, Wietse Venema wrote:
          > Laurent CARON:
          >> When using the SSMTP port *and* send-proxy it fails.
          > ...
          >> Did I miss something obvious ?
          >
          > Yes. Unlike (port 25) smtp and (port 587) submission, the obsolete
          > and deprecated ssmtp service has no plain-text phase before the TLS
          > handshake.
          >
          > This means that an obsolete and deprecated ssmtp server does not
          > send or receive any network data before the TLS handshake completes.
          >
          > Considering that ssmtp was already obsolete and deprecated 10 years
          > ago when TLS was added to Postfix, I see no urgency to add new code
          > for it.
          >
          > Wietse
          >

          Makes perfect sense.

          Thanks Wietse for the explanation.
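
Added example (not part of the thread, and not Postfix or haproxy code): a Python sketch of what a backend reads first when `send-proxy` is used in front of a wrapper-mode TLS port. The PROXY v1 line precedes the TLS ClientHello, so it has to be consumed and validated before the handshake can start. Function names, addresses and the ClientHello stub are constructed for illustration.

```python
import ipaddress

V1_MAX = 107  # longest PROXY v1 line, CRLF included

def first_protocol(data: bytes) -> str:
    """Classify the first bytes a backend reads on a new connection."""
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if data[:1] == b"\x16":  # TLS record type 22 = handshake (ClientHello)
        return "tls"
    return "other"

def split_proxy_v1(data: bytes):
    """Return (header or None, remaining bytes); raise ValueError if malformed."""
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n", 0, V1_MAX)
    if end < 0:
        raise ValueError("unterminated PROXY v1 line")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return {"proto": "UNKNOWN"}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"proto": fields[1], "src": str(src), "sport": sport,
            "dst": str(dst), "dport": dport}, rest

# Constructed sample: stub ClientHello bytes and documentation-range addresses.
CLIENT_HELLO = b"\x16\x03\x01\x00\x05hello"
STREAM = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 465\r\n" + CLIENT_HELLO

if __name__ == "__main__":
    print(first_protocol(STREAM))        # what an unaware TLS wrapper sees first
    header, rest = split_proxy_v1(STREAM)
    print(header, first_protocol(rest))  # after consuming the line: TLS
```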