> On 15 Jan 2023, at 17:09, Wietse Venema <wie...@porcupine.org> wrote:
>
> In that case, use two SMTP services, one that is proxied and one
> that is not.

Yes, in the meantime I had gathered that that was the obvious solution (should have realised that earlier). So, I added this in master.cf:

smtp       inet  n       -       n       -       1       postscreen
991        inet  n       -       n       -       1       postscreen
  -o postscreen_upstream_proxy_protocol=haproxy
smtpd      pass  -       -       n       -       -       smtpd
  -o syslog_name=smtp
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o syslog_name=submission
990        inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o syslog_name=submission
  -o smtpd_upstream_proxy_protocol=haproxy

This way, I can connect to postscreen on port 25 without proxy and on port 991 via the proxy.

HAproxy config snippet:

# Backend: mail.rna.nl.991 (postfix haproxy postscreen pool)
backend mail.rna.nl.991
    option log-health-checks
    # health check: port991-health-monitor
    mode tcp
    balance roundrobin
    # tuning options
    timeout connect 5s
    timeout check 5s
    timeout server 5s
    server snape-991 192.168.2.125:991 check inter 30s port 991 send-proxy

The only minor thing left is that postscreen keeps logging the health check attempts as such:

Jan 15 17:20:09 snape postfix/postscreen[277]: warning: haproxy read: EOF

Is there something I can do about that?

G
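
Added example, not part of the original message: a log triage sketch that separates "haproxy read: EOF" warnings arriving at the health-check cadence from those that do not, so the latter can be looked at as possible real PROXY handshake failures. The 30 second interval is taken from `inter 30s` in the backend above; the 2 second tolerance, the function names and every sample line except the quoted warning are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Warning format as quoted in the message above.
EOF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"postfix/postscreen\[\d+\]: warning: haproxy read: EOF$")

# Constructed sample log; only the first line is taken from the message.
SAMPLE = """\
Jan 15 17:20:09 snape postfix/postscreen[277]: warning: haproxy read: EOF
Jan 15 17:20:39 snape postfix/postscreen[277]: warning: haproxy read: EOF
Jan 15 17:20:41 snape postfix/postscreen[277]: CONNECT from [192.0.2.10]:41234 to [192.168.2.125]:25
Jan 15 17:21:09 snape postfix/postscreen[277]: warning: haproxy read: EOF
Jan 15 17:21:17 snape postfix/postscreen[277]: warning: haproxy read: EOF
Jan 15 17:21:39 snape postfix/postscreen[277]: warning: haproxy read: EOF
Jan 15 17:22:40 snape postfix/postscreen[277]: warning: haproxy read: EOF
""".splitlines()

def eof_times(lines, year=2023):
    """Sorted timestamps of the EOF warnings (syslog lines carry no year)."""
    times = []
    for line in lines:
        m = EOF_RE.match(line.strip())
        if m:
            times.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return sorted(times)

def classify(times, interval=30, tolerance=2):
    """Split warnings into (probe_cadence, off_cadence).

    The first warning is assumed to be a probe. A later one counts as a probe
    when its gap to the last accepted probe is a multiple of `interval`
    (within `tolerance` seconds), so skipped probes and small drift are fine.
    """
    probes, others = [], []
    for t in times:
        if not probes:
            probes.append(t)
            continue
        gap = (t - probes[-1]).total_seconds()
        off = min(gap % interval, interval - gap % interval)
        (probes if gap >= interval - tolerance and off <= tolerance else others).append(t)
    return probes, others

if __name__ == "__main__":
    probes, others = classify(eof_times(SAMPLE))
    print(f"{len(probes)} at health-check cadence, {len(others)} off cadence")
    for t in others:
        print("review:", t.strftime("%b %d %H:%M:%S"))
```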