> On 28 Jan 2023, at 14:53, Wietse Venema <wie...@porcupine.org> wrote:
>
> Gerben Wierda:
>>> A proper health check verifies that a service actually responds.
>>
>> True.
>>
>>> You can find more with "haproxy health check script". For example,
>>> Postfix should reply with a "220" status within 5 seconds.
>>
>> Thanks, I have been looking at how to set this up, but so far no
>> luck with the search engines...
>
> HaProxy appears to have an smtpchk feature. Maybe it has been fixed
> to work with postscreen's unusual but legitimate 220- greeting.
>
> Wietse

With a bit of searching, finding the proxy protocol description, I've been able to create this in HAproxy. Example for haproxy-aware postscreen listening on port 991:

    # Backend: mail.991 (postfix haproxy postscreen pool)
    backend mail.991
        option log-health-checks
        # health check: port991-health-monitor
        option tcp-check
        tcp-check send "PROXY TCP4 192.168.2.2 192.168.2.2 65535 25\r\nQUIT\r\n"
        tcp-check expect rstring ^220
        mode tcp
        balance roundrobin
        # tuning options
        timeout connect 30s
        timeout check 10s
        timeout server 30s
        server foo-991 192.168.2.100:991 check inter 300s port 991 send-proxy
        server bar-991 192.168.2.101:991 check inter 300s port 991 send-proxy

This works for both postscreen and smtpd. But the logging is of course still there:

    Jan 28 15:20:31 snape submission/smtpd[19492]: connect from router.rna.nl[192.168.2.2]
    Jan 28 15:20:31 snape submission/smtpd[19492]: disconnect from router.rna.nl[192.168.2.2] commands=0/0

I have to program HAproxy via a GUI (which overwrites the config), and this does not accept true multiline answer/response. Which means that if I do the above trick with postscreen I probably get PREGREET if the haproxy machine is not already whitelisted. I wonder what happens if there is no whitelist yet.

Log now shows for every health check on my haproxy-enabled-postscreen (port 991):

    Jan 28 16:30:11 albus postfix/postscreen[4830]: CONNECT from [192.168.2.2]:65535 to [192.168.2.2]:25
    Jan 28 16:30:11 albus postfix/postscreen[4830]: WHITELISTED [192.168.2.2]:65535
    Jan 28 16:30:11 albus smtp/smtpd[4833]: connect from router.rna.nl[192.168.2.2]
    Jan 28 16:30:12 albus smtp/smtpd[4833]: disconnect from router.rna.nl[192.168.2.2] quit=1 commands=1

and likewise, the haproxy-enabled-submission (port 990) check shows:

    Jan 28 15:32:43 snape submission/smtpd[19528]: connect from router.rna.nl[192.168.2.2]
    Jan 28 15:32:43 snape submission/smtpd[19528]: disconnect from router.rna.nl[192.168.2.2] quit=1 commands=1

Hmm.

So now I've got decent health checks for postfix (dovecot is next). But still all that unnecessary logging... :-) I'd still like a simple health check for postfix that isn't logged on postfix's end at all.

G
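
The check discussed in this thread, written as a stand-alone script (an added example, not part of the original message and not Postfix or HAProxy code): it sends the same PROXY v1 line as the tcp-check above, reads the complete greeting including postscreen's "220-" continuation lines, and sends QUIT only after the greeting has ended. The function names and the default port values are assumptions chosen to match the configuration shown in the message.

```python
import socket

def proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """PROXY protocol v1 line, same shape as the tcp-check send string above."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")

def read_smtp_reply(rfile):
    """Read one complete SMTP reply: "220-" lines continue, "220 " ends it."""
    lines = []
    while True:
        raw = rfile.readline(1024)
        if not raw:
            raise ConnectionError("connection closed inside SMTP reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"not an SMTP reply line: {line!r}")
        lines.append(line)
        if line[3:4] != "-":  # a space (or nothing) after the code: final line
            return int(line[:3]), lines

def smtp_health_check(host, port, src_ip, dst_ip,
                      src_port=65535, dst_port=25, timeout=5.0):
    """True if the server greets with 220 and answers QUIT with 221."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(proxy_v1_header(src_ip, dst_ip, src_port, dst_port))
            with sock.makefile("rb") as rfile:
                code, _ = read_smtp_reply(rfile)  # wait for the whole greeting
                if code != 220:
                    return False
                sock.sendall(b"QUIT\r\n")  # sent only after the greeting ended
                code, _ = read_smtp_reply(rfile)
                return code == 221
    except (OSError, ValueError):
        # Refused, timed out, closed early, or not speaking SMTP: unhealthy.
        return False

if __name__ == "__main__":
    # Addresses taken from the configuration in the message above.
    ok = smtp_health_check("192.168.2.100", 991, "192.168.2.2", "192.168.2.2")
    raise SystemExit(0 if ok else 1)
```

The exit status is 0 for a healthy server and 1 otherwise; the connection still appears in the Postfix log like any other client.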