> On 28 Jan 2023, at 14:53, Wietse Venema <wie...@porcupine.org> wrote:
> 
> Gerben Wierda:
>>> A proper health check verifies that a service actually responds.
>> 
>> True.
>> 
>>> You can find more with "haproxy health check script". For example,
>>> Postfix should reply with a "220" status within 5 seconds.
>> 
>> Thanks, I have been looking at how to set this up, but so far no
>> luck with the search engines...
> 
> HaProxy appears to have an smtpchk feature. Maybe it has been fixed
> to work with postscreen's unusual but legitimate 220- greeting.
> 
>       Wietse

With a bit of searching, and finding the proxy protocol description, I've been
able to create this in HAproxy. Example for a haproxy-aware postscreen listening
on port 991:

# Backend: mail.991 (postfix haproxy postscreen pool)
backend mail.991
    option log-health-checks
    # health check: port991-health-monitor
    # The check sends its own PROXY v1 line (send-proxy on the server line
    # applies to regular traffic only, not to health checks), followed by
    # QUIT, and passes as soon as a reply starting with 220 is seen.
    option tcp-check
    tcp-check send "PROXY TCP4 192.168.2.2 192.168.2.2 65535 25\r\nQUIT\r\n"
    tcp-check expect rstring ^220
    mode tcp
    balance roundrobin

    # tuning options
    timeout connect 30s
    timeout check 10s
    timeout server 30s
    server foo-991 192.168.2.100:991 check inter 300s port 991 send-proxy
    server bar-991 192.168.2.101:991 check inter 300s port 991 send-proxy

This works for both postscreen and smtpd.

But the logging is of course still there:

Jan 28 15:20:31 snape submission/smtpd[19492]: connect from router.rna.nl[192.168.2.2]
Jan 28 15:20:31 snape submission/smtpd[19492]: disconnect from router.rna.nl[192.168.2.2] commands=0/0

I have to program HAproxy via a GUI (which overwrites the config), and this
does not accept a true multiline answer/response. Which means that if I do the
above trick with postscreen I probably get PREGREET if the haproxy machine is
not already whitelisted. I wonder what happens if there is no whitelist yet.

The log now shows, for every health check on my haproxy-enabled postscreen (port
991):

Jan 28 16:30:11 albus postfix/postscreen[4830]: CONNECT from [192.168.2.2]:65535 to [192.168.2.2]:25
Jan 28 16:30:11 albus postfix/postscreen[4830]: WHITELISTED [192.168.2.2]:65535
Jan 28 16:30:11 albus smtp/smtpd[4833]: connect from router.rna.nl[192.168.2.2]
Jan 28 16:30:12 albus smtp/smtpd[4833]: disconnect from router.rna.nl[192.168.2.2] quit=1 commands=1

and likewise, the haproxy-enabled submission (port 990) check shows:

Jan 28 15:32:43 snape submission/smtpd[19528]: connect from router.rna.nl[192.168.2.2]
Jan 28 15:32:43 snape submission/smtpd[19528]: disconnect from router.rna.nl[192.168.2.2] quit=1 commands=1

Hmm. So now I've got decent health checks for postfix (dovecot is next). But 
still all that unnecessary logging... :-)

I'd still like a simple health check for postfix that isn't logged on postfix's 
end at all.

G
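The exchange the tcp-check above performs, as an added example that is not part of the original post: a small Python client sends the same PROXY v1 line, but waits for the complete SMTP greeting (the final "220 " line, after postscreen's "220-" line) before sending QUIT, which is the ordering postscreen's pregreet test requires; the tcp-check sends QUIT together with the PROXY line, so it only passes cleanly when the haproxy address is already whitelisted. The in-process server is a constructed stand-in for a haproxy-aware postscreen listener, not Postfix, and the 192.168.2.2 address and hostnames are taken from the post as assumptions.

```python
"""Added example: a PROXY-protocol-aware SMTP health check that waits for the
complete greeting before sending QUIT.  Not from the original post; the server
below is a constructed stand-in, not postscreen."""
import socket
import threading

# Address the post's tcp-check announces as the client (assumed from the post).
HAPROXY_IP = "192.168.2.2"


def proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """PROXY protocol v1: one space-separated, CRLF-terminated line (TCP4 only here)."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def greeting_complete(buf):
    """Inspect the bytes received so far.

    SMTP replies are lines 'NNN-text' (more lines follow) or 'NNN text' (final
    line).  postscreen sends '220-host' first and the final '220 host' only
    after its pregreet delay, so a client that reacts to the first '220' would
    talk before the greeting is over.  Returns (True, code) once a final line
    has arrived, else (False, None).  Only CRLF-terminated lines are examined.
    """
    complete_lines = buf.decode("ascii", "replace").split("\r\n")[:-1]
    for line in complete_lines:
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return True, line[:3]
    return False, None


def check_smtp(host, port, src_ip=HAPROXY_IP, timeout=5.0):
    """Connect, announce ourselves via PROXY v1, wait for the full greeting,
    then QUIT.  Healthy means the greeting's final reply code is 220."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        # Same header the post's tcp-check sends: src and dst both the proxy's
        # own address, 65535 -> 25, so postscreen logs the proxy as the client.
        s.sendall(proxy_v1_header(src_ip, src_ip, 65535, 25))
        buf = b""
        while True:
            chunk = s.recv(1024)
            if not chunk:          # server closed before a final greeting line
                return False
            buf += chunk
            done, code = greeting_complete(buf)
            if done:
                break
        s.sendall(b"QUIT\r\n")     # only now, after the greeting is complete
        try:
            s.recv(1024)           # 221 Bye; its content does not change the verdict
        except OSError:
            pass
        return code == "220"


def fake_postscreen(srv, greeting_lines, seen):
    """Constructed stand-in for a haproxy-aware listener: reads the PROXY line,
    emits the given greeting, reads one command, answers 221 and closes."""
    conn, _ = srv.accept()
    conn.settimeout(5)
    f = conn.makefile("rwb")
    seen["proxy_line"] = f.readline().decode("ascii").rstrip("\r\n")
    for line in greeting_lines:
        f.write(line.encode("ascii") + b"\r\n")
        f.flush()
    seen["command"] = f.readline().decode("ascii").rstrip("\r\n")
    f.write(b"221 2.0.0 Bye\r\n")
    f.flush()
    f.close()
    conn.close()


def run_check(greeting_lines):
    """Run check_smtp against the in-process stand-in on loopback.
    Returns (healthy, what the server saw from the client)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
    srv.listen(1)
    seen = {}
    t = threading.Thread(target=fake_postscreen, args=(srv, greeting_lines, seen), daemon=True)
    t.start()
    healthy = check_smtp("127.0.0.1", srv.getsockname()[1])
    t.join(5)
    srv.close()
    return healthy, seen


if __name__ == "__main__":
    # Constructed greetings: a postscreen-style two-line 220, and a refusing server.
    print(run_check(["220-albus.example ESMTP Postfix", "220 albus.example ESMTP Postfix"]))
    print(run_check(["421 4.3.2 Service not available"]))
```

This does nothing for the logging complaint: every check is still a full connect/QUIT that smtpd and postscreen record, exactly as in the log lines above.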
