Adding a haproxy-to-postscreen adapter turns out to be pretty
trivial.  However, a major code rewrite would be needed in the way
that postscreen(8) talks to smtpd(8).

Begin background:

Postscreen is optimized for the following case: a client connects,
postscreen looks up the client IP address in its temporary cache,
and when the client is "OK", postscreen sends the connection's file
descriptor to a Postfix SMTP server process and gets out of the loop.

There is no other communication between postscreen and SMTP server
processes. The file descriptor carries all information that an SMTP
server process needs. In fact, the file descriptor is indistinguishable
from a file descriptor that an SMTP server gets when it is configured
in master.cf to listen directly on the SMTP port.

End background.

To make postscreen work with before-postscreen proxies, it either
has to become a proxy itself (over my dead body) or Postfix needs
a small protocol to send (attributes plus a file descriptor) from
postscreen to smtpd.

It's relatively simple to pass a few attributes from haproxy to
postscreen with a simple hard-coded non-reusable protocol.  On the
other hand, Postfix support for (file descriptor + arbitrary attribute
passing) will have to be reusable (*), so that the same infrastructure
can be used later to improve Postfix. For example, to hand off a
connection mid-session from postscreen to smtpd, something that is
currently not possible.

        Wietse

(*) The client decides what attributes to send and passes the
attributes + file descriptor to the low-level sender infrastructure;
the low-level receiver infrastructure first reads the attributes
into a hash and then passes the attributes and file descriptor up
to the application, in an application-specified order, and deals
with missing attributes and other problems.
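
The attribute-plus-descriptor handoff described in the footnote, sketched as an added example; this is not Postfix code and not from the author of the message. The wire format (NUL-terminated name=value pairs in one Unix-domain datagram), the attribute names client_addr and client_port, and all function names are assumptions made for illustration; it needs Python 3.9+ on a Unix system.

```python
import os
import socket

MAX_ATTR_BYTES = 4096  # assumed upper bound on one attribute block


def send_handoff(chan, fd, attrs):
    """Sender: one datagram carrying NUL-terminated name=value pairs plus fd."""
    payload = b"".join(f"{k}={v}\0".encode() for k, v in attrs.items())
    if len(payload) > MAX_ATTR_BYTES:
        raise ValueError("attribute block too large")
    socket.send_fds(chan, [payload], [fd])  # fd travels as SCM_RIGHTS


def recv_handoff(chan, wanted):
    """Receiver: read attributes into a dict, then return (fd, values) with
    values in the order the application asked for. Closes fd on any error."""
    data, fds, flags, _ = socket.recv_fds(chan, MAX_ATTR_BYTES, 1)
    try:
        if flags & (socket.MSG_TRUNC | socket.MSG_CTRUNC) or len(fds) != 1:
            raise ValueError("truncated message or wrong descriptor count")
        if not data.endswith(b"\0"):
            raise ValueError("unterminated attribute block")
        table = {}
        for item in data.split(b"\0")[:-1]:
            name, sep, value = item.decode().partition("=")
            if not sep or not name or name in table:
                raise ValueError(f"malformed or duplicate attribute: {item!r}")
            table[name] = value
        missing = [name for name in wanted if name not in table]
        if missing:
            raise ValueError(f"missing attributes: {missing}")
        return fds[0], [table[name] for name in wanted]
    except Exception:
        for fd in fds:
            os.close(fd)  # fail closed: never leak a half-accepted connection
        raise


def demo(attrs):
    """Constructed scenario: hand one end of a socketpair to the receiver."""
    chan_tx, chan_rx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    client, conn = socket.socketpair()  # stands in for the SMTP connection
    with chan_tx, chan_rx, client, conn:
        send_handoff(chan_tx, conn.fileno(), attrs)
        fd, values = recv_handoff(chan_rx, ["client_addr", "client_port"])
        with socket.socket(fileno=fd) as passed:
            passed.sendall(b"220 ready\r\n")
        return values, client.recv(64)
```

The receiver ignores attributes it did not ask for, rejects duplicates and missing names, and closes the passed descriptor before raising, so a bad handoff cannot leave an open connection behind.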
