Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users


On 15/04/2023 23:19, Andrew C Aitchison wrote:

On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:



On 15/04/2023 21:20, Evgeniy Berdnikov via Exim-users wrote:
On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users wrote:
These are all separate servers belonging to different organisations. They
each host their own mail domain and users. This can't be changed. I am not
looking to do load balancing. I am looking to share the public IP address
and PTR record these servers use for incoming and outgoing smtp connections.


  This formulation is significantly different from the original one, which
  was about SNI and all that. This task has no relation to SNI, TLS, etc.

  With wrong questions you have minimal chances to get relevant answers.


You are correct - thinking some more about it, all outside connections 
would be connecting to the same FQDN. SNI would play no part in it. 
Sorry for the confusion. It seems that using Exim as a front end 
relaying to back-end servers seems to be the right solution.


I see this front-end machine as a backup MX server. That way the real 
machines will get the mail most of the time, but if/when the real 
machine has a new ip address that doesn't match the MX, the front-end 
machine will receive the mail and pass it on to the corrected IP.


That is not such a bad idea actually. One thing I'm not sure about is 
the SPF checks in Spamassassin. For email coming through the front-end 
machine, there should be no Spamassassin checks done on the back-end 
machine, as they would fail the SPF checks. However, when email comes 
directly to the back-end machines, Spamassassin should be run on the 
email. Maybe I could have some conditions in the ACL to detect how the 
email arrived and skip Spamassassin checks on email which came through 
the front-end machine.




  BTW, using single public IP/gateway you create a single point of failure
  for all domains/organizations.


That is also very true, and I have considered it. On balancing the 
advantages and disadvantages of the setup, it will be a risk I will 
have to accept. Or possibly end up with two of these cloud / front-end 
servers setup as the 2 MX's for all domains.


If the real server and the front-end machine are both in the MX records,
provided that you still control the IP addresses, losing either machine
won't stop the mail from getting through.


That could work as well. I suppose Exim could queue the email if it 
can't contact the back-end server, until it comes back online. Another 
good idea - thank you.




I don't know what sort of latency there will be between these machines,
but you might be able to use cutthrough delivery from the front-end to the
real server, which might allow you to reject rather than bounce some of 
the time; it might even help with your SPF dilemma ?


That was my intention - so that the back-end machines can verify if the 
recipient exists. Are you saying that when using cutthrough delivery, 
this doesn't add an extra header to the email message - so this way it 
wouldn't mess up the SPF checks on the back-end machine? (I was assuming 
that the front-end machine would add another header to the incoming 
email, which would make it appear to be one of the sending servers - 
which I then assumed would fail the SPF checks on the back-end machines)


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
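The front-end arrangement worked out in this message (static relay to the back-ends over the VPN, cutthrough so the back-end's verdict on the recipient is relayed to the sender instead of turning into a bounce, normal queueing when a back-end is unreachable) written as Exim configuration. This is an added example, not configuration posted in the thread; the three domain names, the 172.20.10.1-3 back-end addresses and the 172.20.10.254 front-end VPN address are assumptions.

```exim
# Front-end (cloud VPS) Exim: relay-only gateway for the back-end domains.
# Added example, not from the thread; domains and VPN addresses are assumed.

domainlist relay_to_domains = company1.com : business2.com : designer3.com
hostlist   backend_hosts    = 172.20.10.1 : 172.20.10.2 : 172.20.10.3

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Outbound: the back-ends (reachable only over the VPN) may send anywhere,
  # so the world sees one public IP and one PTR record for all of them.
  accept  hosts   = +backend_hosts

  # Inbound: only the listed domains are relayed.  Cutthrough delivery opens
  # the onward SMTP session to the back-end during RCPT and relays its reply,
  # so an unknown user is rejected here rather than accepted and bounced
  # later (which would make the front-end a backscatter source).  If the
  # back-end cannot be reached, Exim falls back to accepting and spooling
  # the message for normal queued delivery.
  accept  domains = +relay_to_domains
          control = cutthrough_delivery

  deny    message = relay not permitted

begin routers

# Static routes to the back-ends: no MX or A lookup, so the back-end's
# current public address and PTR record are irrelevant.
to_backend:
  driver     = manualroute
  domains    = +relay_to_domains
  route_list = company1.com  172.20.10.1 ; \
               business2.com 172.20.10.2 ; \
               designer3.com 172.20.10.3
  transport  = backend_smtp
  no_more

# Everything else (outbound mail from the back-ends) goes out by MX.
dnslookup:
  driver    = dnslookup
  domains   = ! +relay_to_domains
  transport = remote_smtp
  no_more

begin transports

backend_smtp:
  driver    = smtp
  interface = 172.20.10.254     # assumed VPN address of the front-end

remote_smtp:
  driver = smtp
```

Check the routing with `exim -bt someone@company1.com` before exposing port 25. Two consequences of this layout are worth noting: every domain's SPF record must now list the front-end's public IP, because all outbound mail leaves from it; and because the message body is relayed as it arrives, cutthrough cannot be combined with content scanning of the same message on the front-end, so the SpamAssassin check belongs on the back-end (or cutthrough is dropped and the front-end scans, as Jeremy suggests elsewhere in the thread). The `hosts = +backend_hosts` line is the only relay permission, so the VPN addresses must not be reachable from anywhere but the back-ends.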


Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Fabio Martins via Exim-users

solution inline

On 2023-04-15 17:05, Sebastian Arcus via Exim-users wrote:

On 15/04/2023 17:00, Fabio Martins wrote:
I believe you are trying to use the same IP address for the 3 exim 
instances, otherwise the solution would be quite simple binding each 
instance to the proper IP address. Right? Or do you have 3 different 
public IP addresses?


That's correct - there is only one IP address on the VPS/proxy - which 
needs to serve all the Exim servers behind




Ok, so solution will work.



If you have only 1 public IP, does a solution forwarding to a 
subdomain via system_aliases+dsearch+local_parts+cron job updating 
user list, would satisfy?


example:

a...@company1.com -> a...@internal.company1.com
e...@company1.com -> e...@internal.company1.com
key...@business2.com -> key...@internal.business2.com
s...@designer3.com -> s...@internal.designer3.com
cont...@designer3.com -> cont...@internal.designer3.com


I can't say that I am really following what you are trying to suggest - 
but I don't think having emails on subdomains would help with my 
problem





The subdomain trick is just a way to reach the right Exim box.

Cloud Box configuration:

box1 VPN IP: bind it to IP 172.20.10.1
box2 VPN IP: bind it to IP 172.20.10.2
box3 VPN IP: bind it to IP 172.20.10.3

VPN configuration for each client ( adjust IP addresses for your 
configuration ):


Box1 will bind to port 25 on VPN IP 172.20.10.1
Box2 will bind to port 25 on VPN IP 172.20.10.2
Box3 will bind to port 25 on VPN IP 172.20.10.3

internal DNS configuration of cloud box ( unbound shall do the trick ):

internal.company1.com MX points to 172.20.10.1
internal.business2.com MX points to 172.20.10.2
internal.designer3.com MX points to 172.20.10.3

--

Exim configuration of Cloud Box:

# mkdir /etc/exim/domainlistbusiness/
# echo 'adam: a...@internal.company1.com' >> /etc/exim/domainlistbusiness/company1.com
# echo 'eve: e...@internal.company1.com' >> /etc/exim/domainlistbusiness/company1.com
# echo 'keyser: key...@internal.business2.com' >> /etc/exim/domainlistbusiness/business2.com
# echo 'soze: s...@internal.designer3.com' >> /etc/exim/domainlistbusiness/designer3.com
# echo 'contact: cont...@internal.designer3.com' >> /etc/exim/domainlistbusiness/designer3.com


# /etc/exim/exim4.conf ( or proper filename in your box ) (only relevant 
lines):


domainlist local_domains = company1.com : business2.com : designer3.com : \
                           internal.company1.com : internal.business2.com : \
                           internal.designer3.com


system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  # one alias file per public domain, named after the domain, in this directory;
  # ret=full puts the full path of the matching file into $domain_data
  domains = dsearch,ret=full;/etc/exim/domainlistbusiness
  # only local parts listed in that domain's file are handled by this router
  local_parts = lsearch;$domain_data
  # rewrite to the address on the internal subdomain (lsearch*@ also allows
  # a *@ catch-all entry in the file)
  data = ${lookup{$local_part}lsearch*@{$domain_data}}
  file_transport = address_file
  pipe_transport = address_pipe

--

Exim configuration of VPN Exim Box1 from company1.com ( only relevant 
lines ):


primary_hostname = company1.com
domainlist local_domains = company1.com:internal.company1.com

( other VPN boxes you can deduce from above )

--

This dirty / quick trick shall work ok, and it's not a complicated setup.

--

Cheers.



Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Andrew C Aitchison via Exim-users

On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:



On 15/04/2023 21:20, Evgeniy Berdnikov via Exim-users wrote:
On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users wrote:

These are all separate servers belonging to different organisations. They
each host their own mail domain and users. This can't be changed. I am not
looking to do load balancing. I am looking to share the public IP address
and PTR record these servers use for incoming and outgoing smtp 
connections.


  This formulation is significantly different from the original one, which
  was about SNI and all that. This task has no relation to SNI, TLS, etc.
  With wrong questions you have minimal chances to get relevant answers.


You are correct - thinking some more about it, all outside connections would 
be connecting to the same FQDN. SNI would play no part in it. Sorry for the 
confusion. It seems that using Exim as a front end relaying to back-end 
servers seems to be the right solution.


I see this front-end machine as a backup MX server. That way the real 
machines will get the mail most of the time, but if/when the real machine 
has a new ip address that doesn't match the MX, the front-end machine will
receive the mail and pass it on to the corrected IP.


  BTW, using single public IP/gateway you create a single point of failure
  for all domains/organizations.


That is also very true, and I have considered it. On balancing the advantages 
and disadvantages of the setup, it will be a risk I will have to accept. Or 
possibly end up with two of these cloud / front-end servers setup as the 2 
MX's for all domains.


If the real server and the front-end machine are both in the MX records,
provided that you still control the IP addresses, losing either machine
won't stop the mail from getting through.

I don't know what sort of latency there will be between these machines,
but you might be able to use cutthrough delivery from the front-end to the
real server, which might allow you to reject rather than bounce some of 
the time; it might even help with your SPF dilemma ?



--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk



Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users



On 15/04/2023 21:20, Evgeniy Berdnikov via Exim-users wrote:

On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users wrote:

These are all separate servers belonging to different organisations. They
each host their own mail domain and users. This can't be changed. I am not
looking to do load balancing. I am looking to share the public IP address
and PTR record these servers use for incoming and outgoing smtp connections.


  This formulation is significantly different from the original one, which
  was about SNI and all that. This task has no relation to SNI, TLS, etc.
  With wrong questions you have minimal chances to get relevant answers.


You are correct - thinking some more about it, all outside connections 
would be connecting to the same FQDN. SNI would play no part in it. 
Sorry for the confusion. It seems that using Exim as a front end 
relaying to back-end servers seems to be the right solution.




  BTW, using single public IP/gateway you create a single point of failure
  for all domains/organizations.


That is also very true, and I have considered it. On balancing the 
advantages and disadvantages of the setup, it will be a risk I will have 
to accept. Or possibly end up with two of these cloud / front-end 
servers setup as the 2 MX's for all domains.




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Jeremy Harris via Exim-users

On 15/04/2023 18:01, Sebastian Arcus via Exim-users wrote:

I think I would have to run Spamassassin on the "proxy" Exim, as otherwise the 
IP address of the proxy will be added to the headers during the delivery/relay process, 
and will probably break the SPF checks in Spamassassin on the final Exim server in the 
chain - I think?


That would depend on how SA gets its info, but yes that'd be simplest.
--
Cheers,
  Jeremy


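Jeremy's "depends on how SA gets its info" is the crux: Exim's own `spf` condition and SpamAssassin's SPF plugin both work from the connecting address, which for relayed mail is the front-end's VPN address, so the check would always fail. The back-end can instead recognise relayed mail by the interface it arrives on. The following is an added example, not configuration from the thread; it assumes the front-end's VPN address is 172.20.10.254, that the back-end serves company1.com, and that spamd listens locally.

```exim
# Back-end Exim for company1.com.  Added example, not from the thread;
# VPN addresses and the spamd address are assumed.

domainlist local_domains  = company1.com
hostlist   frontend_hosts = 172.20.10.254
spamd_address  = 127.0.0.1 783
acl_smtp_data  = acl_check_data

begin routers

# Outbound: everything non-local leaves through the front-end, so the
# public IP and PTR record of this site's connection are never used.
smarthost:
  driver     = manualroute
  domains    = ! +local_domains
  route_list = * 172.20.10.254
  transport  = remote_smtp

begin transports

remote_smtp:
  driver = smtp

begin acl

acl_check_data:
  # Mail relayed by the front-end arrives from its VPN address.  Key the
  # exemption on the connecting host: a Received: or X- header would be
  # trivially forgeable by any sender that delivers directly.  SPF and
  # the spam check are the front-end's job for this path.
  accept  hosts    = +frontend_hosts
          logwrite = relayed via front-end, content checks skipped

  # Direct deliveries (this host is still listed as an MX) get the usual
  # SpamAssassin treatment; $spam_score_int is the score in tenths.
  warn    spam       = nobody:true
          add_header = X-Spam-Score: $spam_score ($spam_bar)
  deny    message    = rejected as spam (score $spam_score)
          condition  = ${if >{$spam_score_int}{100}}

  accept
```

If SpamAssassin must stay on the back-end for relayed mail as well, the alternative is to list the front-end in SpamAssassin's `trusted_networks`: its SPF plugin then evaluates the first untrusted relay found in the Received: headers rather than the connecting host. Either way the exemption above must never be widened to a header test, and the VPN address must be unreachable from the public side.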


[exim] Dynamic certificate paths

2023-04-15 Thread Lance Lovette via Exim-users
I'd like my TLS certificate paths to be dynamic and based on
primary_hostname. They're currently defined as such:

tls_privatekey = /etc/letsencrypt/live/${primary_hostname}/privkey.pem

This works fine *if* primary_hostname is defined with a string literal.

primary_hostname = smtp.mydomain.com

But I need primary_hostname to be dynamic, say read from a file.

primary_hostname = ${readfile{/etc/mailname}{}}

But when configured this way, TLS connections fail because the readfile is
included in the certificate path, so it's not actually a path. TLS
connection failure error messages include:

key=/etc/letsencrypt/live/${readfile{/etc/mailname}}/privkey.pem

Is what I'm trying to achieve possible? Like, is there a way to force
immediate expansion of the ${readfile{/etc/mailname}{}} assignment so
primary_hostname is considered a string literal by the rest of the
configuration?

My environment:

$ exim --version
Exim version 4.95 #2 built 23-Nov-2022 15:53:26

$ exim -be '${primary_hostname}'
${readfile{/etc/mailname}{}}

$ exim -be '${readfile{/etc/mailname}{}}'
smtp.mydomain.com

Thanks!
Lance


Re: [exim] Dynamic certificate paths

2023-04-15 Thread Jeremy Harris via Exim-users

On 15/04/2023 19:36, Lance Lovette via Exim-users wrote:

But I need primary_hostname to be dynamic, say read from a file.

 primary_hostname = ${readfile{/etc/mailname}{}}


You can't do that; the primary_hostname option does not
expand its argument.

Could you explain your need further?  Why do you want this value
to come from a file?  Would it suffice to have that line of configuration
come from a file (if so, look into the .include directive).
--
Cheers,
  Jeremy


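The `.include` route Jeremy points to, as an added example rather than anything posted in the thread; the file paths are assumptions. The idea is that the unexpanded option is set from a generated one-line file, and the options that are expanded then see a plain string in $primary_hostname.

```exim
# /etc/exim/exim.conf (added example; paths assumed)

# primary_hostname does not expand its value, so instead of
#   primary_hostname = ${readfile{/etc/mailname}{}}
# pull in a generated file containing the literal line
#   primary_hostname = smtp.mydomain.com
.include /etc/exim/primary_hostname.conf

# These options are expanded at use, so $primary_hostname is now the literal
# hostname and the paths resolve as intended.
tls_certificate = /etc/letsencrypt/live/${primary_hostname}/fullchain.pem
tls_privatekey  = /etc/letsencrypt/live/${primary_hostname}/privkey.pem
```

The included file becomes part of the configuration, so it needs the same ownership and permissions discipline as exim.conf itself; whatever writes it (a deploy step reading /etc/mailname, for instance) must not be controllable by unprivileged users. Confirm the result with `exim -bP primary_hostname` and `exim -bP tls_privatekey` before restarting.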


Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Fabio Martins via Exim-users
I believe you are trying to use the same IP address for the 3 exim 
instances, otherwise the solution would be quite simple binding each 
instance to the proper IP address. Right? Or do you have 3 different 
public IP addresses?


If you have only 1 public IP, does a solution forwarding to a subdomain 
via system_aliases+dsearch+local_parts+cron job updating user list, 
would satisfy?


example:

a...@company1.com -> a...@internal.company1.com
e...@company1.com -> e...@internal.company1.com
key...@business2.com -> key...@internal.business2.com
s...@designer3.com -> s...@internal.designer3.com
cont...@designer3.com -> cont...@internal.designer3.com

--

On 2023-04-15 11:53, Sebastian Arcus via Exim-users wrote:
I have a number of Exim servers behind a NAT gateway (actually 
connected with vpn's to a cloud vps - but I'm hoping this is not 
relevant to this post). I would like the gateway to send incoming port 
25 traffic to the correct Exim server based on SNI in incoming TLS 
packets - as different Exim instances serve different email domains. 
The setup would look like this:


                  [Internet]
                       |
                (smtp port 25)
                       |
                       v
                [Cloud server]
                       |
                       v
       +---------------+---------------+
       |               |               |
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but apparently 
not really possible. It seems the next option would be HAProxy. Has 
anyone here used HAProxy or run a setup as above, or know if this is 
actually doable? Any suggestions much appreciated.




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Jeremy Harris via Exim-users

On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:


Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can 
use):
https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound


Thinking further, this (HAProxy with Proxy-protocol as a frontend for an MTA,
with the HAProxy routing based on SNI) has additional complications.  Because
the ESMTP connection has to (for port 25) negotiate TLS using STARTTLS, you're
asking that HAProxy run that part of the ESMTP protocol, so that it can see the
SNI.  It'd have to replay that ESMTP startup down the connection to the backend,
as far as the TLS Client Hello - or be a full ESMTP endpoint.  I don't know if
it's that clever.
--
Cheers,
  Jeremy


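Should HAProxy end up in front of Exim anyway (in plain TCP mode, since as noted above it cannot see SNI before STARTTLS), the one setting that matters for security is which hosts Exim will accept a PROXY protocol header from. This is an added example, not configuration from the thread; the 203.0.113.10 proxy address and the `send-proxy` server line are assumptions, and the Exim side needs a build with SUPPORT_PROXY.

```exim
# Exim as the backend behind HAProxy.  Added example, not from the thread.
#
# HAProxy side (assumed), forwarding the raw SMTP stream and prefixing it
# with a PROXY header carrying the real client address:
#   listen smtp
#     bind 203.0.113.10:25
#     mode tcp
#     server exim 172.20.10.1:25 send-proxy

# Only this host may start a connection with a PROXY header.  Exim then takes
# $sender_host_address from the header, so every ACL, DNSBL and SPF check
# sees the real client.  Listing anything broader (or "*") would let any
# client assert an arbitrary source address and bypass all of those checks.
hosts_proxy = 203.0.113.10

acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:
  # $proxy_session is true once a PROXY header has been consumed; the
  # $proxy_* variables hold the addresses the proxy reported, while
  # $sender_host_address already reflects the real client.
  warn    condition = $proxy_session
          logwrite  = proxied: client $proxy_external_address port $proxy_external_port \
                      via $proxy_local_address port $proxy_local_port
  accept
```

Because HAProxy is only forwarding bytes here, TLS still terminates at Exim with Exim's own certificate, and the front-end gains nothing over routing by recipient domain; the PROXY header merely preserves the client address for the checks Exim runs.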


Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Evgeniy Berdnikov via Exim-users
On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users wrote:
> These are all separate servers belonging to different organisations. They
> each host their own mail domain and users. This can't be changed. I am not
> looking to do load balancing. I am looking to share the public IP address
> and PTR record these servers use for incoming and outgoing smtp connections.

 This formulation is significantly different from the original one, which
 was about SNI and all that. This task has no relation to SNI, TLS, etc.
 With wrong questions you have minimal chances to get relevant answers.

 BTW, using single public IP/gateway you create a single point of failure
 for all domains/organizations.
-- 
 Eugene Berdnikov



Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users



On 15/04/2023 18:50, Evgeniy Berdnikov via Exim-users wrote:

On Sat, Apr 15, 2023 at 06:03:29PM +0100, Sebastian Arcus wrote:

On 15/04/2023 16:46, Evgeniy Berdnikov via Exim-users wrote:

   My question is: why do you want to use so complicated scheme, while it's
   very simple task to set up a farm of Exim servers, each operating for
   several mail domains, with iptables-based balancer in front of them?


Would this be possible with different servers covering different email
domains?


  No, all servers should cover all domains published through balancer.



These are all separate servers belonging to different organisations. 
They each host their own mail domain and users. This can't be changed. I 
am not looking to do load balancing. I am looking to share the public IP 
address and PTR record these servers use for incoming and outgoing smtp 
connections.


  
  However, you can use 2 lines of backend servers: 1st is the farm
  I described above, 2nd is a line with domain-specific servers.
  Incoming mails should be forwarded from 1st line to 2nd.



It sounds similar to what is suggested by other replies - to use Exim on 
the gateway vps instead of HAProxy, and relay the email to back-end 
servers. I think that should cover my needs - that sounds doable.





These servers belong to different organisations - hence why each
one hosts different domains.


  It has no importance if you want to route mails through one frontend.
  All organisations should agree to share this frontend.




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users


On 15/04/2023 19:09, Andrew C Aitchison wrote:

On Sat, 15 Apr 2023, Sebastian Arcus wrote:


On 15/04/2023 18:44, Andrew C Aitchison wrote:

On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:

I have a number of Exim servers behind a NAT gateway (actually 
connected with vpn's to a cloud vps - but I'm hoping this is not 
relevant to this post). I would like the gateway to send incoming 
port 25 traffic to the correct Exim server based on SNI in incoming 
TLS packets - as different Exim instances serve different email 
domains. The setup would look like this:


                  [Internet]
                       |
                (smtp port 25)
                       |
                       v
                [Cloud server]
                       |
                       v
       +---------------+---------------+
       |               |               |
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but 
apparently not really possible. It seems the next option would be 
HAProxy. Has anyone here used HAProxy or run a setup as above, or 
know if this is actually doable? Any suggestions much appreciated.




Since you have different domains, my first thought would just be to
assign them different MXes with different IPs ...


This is the situation now. But managing a full set of internet 
connections with fixed IP addresses and reverse dns records is turning 
into a major drag. Every time the internet connection on one of the 
boxes has to change provider, it becomes a whole project managing the 
migration, with downtime while the provider assigns a PTR record to 
the connection. On occasion it has taken 2 weeks. This is why I would 
like to have all boxes use one single public IP address and one PTR 
record through the VPS / cloud server for smtp purposes, with the VPS 
acting as a SMTP proxy / gateway.


Ah.

I've only done it with physical local machines, where
it was easy to move an ip address from one box to another.
I had an ip address for each box and one for each domain,
so I could just move the domain ip address to another machine
when necessary. No need to change the DNS at all.
Not necessarily something you can do with a cloud.


Sorry - I tried to keep the original question as simple as possible, 
hoping that would make it easier to answer.


The "back-end" machines are physical machines, on regular 
ADSL/VDSL/cable/fibre connections at various locations. At the moment 
they send directly to the internet, which requires a static IP and PTR 
record. The PTR record needs to be requested from the provider of the 
internet connection. This process has taken in the past anywhere between 
3-14 days - depending on provider and luck finding a member of staff who 
knows what a PTR record is.


It also restricts the choice of internet providers to those who do 
provide PTR records. Also, if there is a fault with the internet 
connection and it gets replaced with a temporary (4G/5G) connection, the 
server effectively can't send and receive emails any more - for days or, 
worse case scenario, weeks at a time.


To solve all of the above issues, I am looking into essentially 
diverting all the outgoing and incoming smtp traffic of these servers 
through a single gateway server, which will be a vps/cloud server. Then 
the flow of emails on smtp will be able to continue uninterrupted, even 
when changing internet providers at various locations where the back-end 
servers are, or switching to an emergency/temporary internet connection.


I hope the above makes a bit more sense.



Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Andrew C Aitchison via Exim-users

On Sat, 15 Apr 2023, Sebastian Arcus wrote:


On 15/04/2023 18:44, Andrew C Aitchison wrote:

On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:

I have a number of Exim servers behind a NAT gateway (actually connected 
with vpn's to a cloud vps - but I'm hoping this is not relevant to this 
post). I would like the gateway to send incoming port 25 traffic to the 
correct Exim server based on SNI in incoming TLS packets - as different 
Exim instances serve different email domains. The setup would look like 
this:


                  [Internet]
                       |
                (smtp port 25)
                       |
                       v
                [Cloud server]
                       |
                       v
       +---------------+---------------+
       |               |               |
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but apparently not 
really possible. It seems the next option would be HAProxy. Has anyone 
here used HAProxy or run a setup as above, or know if this is actually 
doable? Any suggestions much appreciated.




Since you have different domains, my first thought would just be to
assign them different MXes with different IPs ...


This is the situation now. But managing a full set of internet connections 
with fixed IP addresses and reverse dns records is turning into a major drag. 
Every time the internet connection on one of the boxes has to change 
provider, it becomes a whole project managing the migration, with downtime 
while the provider assigns a PTR record to the connection. On occasion it has 
taken 2 weeks. This is why I would like to have all boxes use one single 
public IP address and one PTR record through the VPS / cloud server for smtp 
purposes, with the VPS acting as a SMTP proxy / gateway.


Ah.

I've only done it with physical local machines, where
it was easy to move an ip address from one box to another.
I had an ip address for each box and one for each domain,
so I could just move the domain ip address to another machine
when necessary. No need to change the DNS at all.
Not necessarily something you can do with a cloud.

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users

On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:

On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
I have a number of Exim servers behind a NAT gateway (actually 
connected with vpn's to a cloud vps - but I'm hoping this is not 
relevant to this post). I would like the gateway to send incoming port 
25 traffic to the correct Exim server based on SNI in incoming TLS 
packets - as different Exim instances serve different email domains. 
The setup would look like this:


                  [Internet]
                       |
                (smtp port 25)
                       |
                       v
                [Cloud server]
                       |
                       v
       +---------------+---------------+
       |               |               |
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but apparently 
not really possible. It seems the next option would be HAProxy. Has 
anyone here used HAProxy or run a setup as above, or know if this is 
actually doable? Any suggestions much appreciated.




Exim does talk the inbound-proxy protocol that HAProxy apparently uses 
(or can use):
https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound



I can't really help on other HAProxy facilities or config though.

Another option for you would be to use Exim itself as the fanout element 
at your "cloud server".  It has visibility of the SNI and could use that 
for routing.


Thank you for the suggestions. I have considered using Exim itself as 
the "proxy" at the front. One thing I have to figure out is SPF in 
relation to Spamassassin. I think I would have to run Spamassassin on 
the "proxy" Exim, as otherwise the IP address of the proxy will be added 
to the headers during the delivery/relay process, and will probably 
break the SPF checks in Spamassassin on the final Exim server in the 
chain - I think?


Indeed, if the configurations needed for the "Exim server N" elements 
are sufficiently similar and load & geography permits, you could 
collapse the lot into a single Exim.


I agree with you - except that there are some business / non-technical 
reasons why this is not a possibility in this case.






Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users

On 15/04/2023 16:46, Evgeniy Berdnikov via Exim-users wrote:

On Sat, Apr 15, 2023 at 12:53:54PM +0100, Sebastian Arcus via Exim-users wrote:

I have a number of Exim servers behind a NAT gateway (actually connected
with vpn's to a cloud vps - but I'm hoping this is not relevant to this
post). I would like the gateway to send incoming port 25 traffic to the
correct Exim server based on SNI in incoming TLS packets - as different Exim
instances serve different email domains. The setup would look like this:

                  [Internet]
                       |
                (smtp port 25)
                       |
                       v
                [Cloud server]
                       |
                       v
       +---------------+---------------+
       |               |               |
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but apparently not
really possible.


  Well, iptables is not a good tool for this, because it operates on OSI levels
  3+4, while SNI is on level 5. Iptables should select the backend IP on the
  SYN packet, but SNI comes later.

  For your conditions the problem is even more complex, because port 25 is for
  plain SMTP, but SNI can be passed after STARTTLS only. So the load balancer
  should start a plain SMTP session, do the full dialog until the client switches
  to TLS, and check whether the client supplies SNI during the handshake. Note that
  SNI may be absent; this situation should also be processed carefully.


It seems the next option would be HAProxy. Has anyone here
used HAProxy or run a setup as above, or know if this is actually doable?


  Your scheme is theoretically possible, but I doubt it can be easily
  realized with generally used Haproxy or Nginx.

  My question is: why do you want to use so complicated scheme, while it's
  very simple task to set up a farm of Exim servers, each operating for
  several mail domains, with iptables-based balancer in front of them?


Would this be possible with different servers covering different email 
domains? These servers belong to different organisations - hence why 
each one hosts different domains.




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users

On 15/04/2023 18:44, Andrew C Aitchison wrote:

On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:

I have a number of Exim servers behind a NAT gateway (actually 
connected with vpn's to a cloud vps - but I'm hoping this is not 
relevant to this post). I would like the gateway to send incoming port 
25 traffic to the correct Exim server based on SNI in incoming TLS 
packets - as different Exim instances serve different email domains. 
The setup would look like this:


                  [Internet]
                       |
                (smtp port 25)
                       |
                       v
                [Cloud server]
                       |
                       v
       +---------------+---------------+
       |               |               |
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but apparently 
not really possible. It seems the next option would be HAProxy. Has 
anyone here used HAProxy or run a setup as above, or know if this is 
actually doable? Any suggestions much appreciated.


Will the mail storage be on these machines running exim ?
Don't forget about balancing dovecot, or whatever will make the mailboxes
available to your users, too.


Each box behind the proxy/nat has Exim and Dovecot on it - serving their 
own domain and users separate from other boxes.




Since you have different domains, my first thought would just be to
assign them different MXes with different IPs ...


This is the situation now. But managing a full set of internet 
connections with fixed IP addresses and reverse dns records is turning 
into a major drag. Every time the internet connection on one of the 
boxes has to change provider, it becomes a whole project managing the 
migration, with downtime while the provider assigns a PTR record to the 
connection. On occasion it has taken 2 weeks. This is why I would like 
to have all boxes use one single public IP address and one PTR record 
through the VPS / cloud server for smtp purposes, with the VPS acting as 
a SMTP proxy / gateway.




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Evgeniy Berdnikov via Exim-users
On Sat, Apr 15, 2023 at 06:03:29PM +0100, Sebastian Arcus wrote:
> On 15/04/2023 16:46, Evgeniy Berdnikov via Exim-users wrote:
> >   My question is: why do you want to use so complicated scheme, while it's
> >   very simple task to set up a farm of Exim servers, each operating for
> >   several mail domains, with iptables-based balancer in front of them?
> 
> Would this be possible with different servers covering different email
> domains?

 No, all servers should cover all domains published through balancer.
 
 However, you can use 2 lines of backend servers: 1st is the farm
 I described above, 2nd is a line with domain-specific servers.
 Incoming mails should be forwarded from 1st line to 2nd.

> These servers belong to different organisations - hence why each
> one hosts different domains.

 It has no importance if you want to route mails through one frontend.
 All organisations should agree to share this frontend.
-- 
 Eugene Berdnikov



Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Andrew C Aitchison via Exim-users

On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:

I have a number of Exim servers behind a NAT gateway (actually connected with 
vpn's to a cloud vps - but I'm hoping this is not relevant to this post). I 
would like the gateway to send incoming port 25 traffic to the correct Exim 
server based on SNI in incoming TLS packets - as different Exim instances 
serve different email domains. The setup would look like this:


                  [Internet]
                      |
                (smtp port 25)
                      |
                      v
                [Cloud server]
                      |
       +---------------+---------------+
       |               |               |
       v               v               v
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but apparently not 
really possible. It seems the next option would be HAProxy. Has anyone here 
used HAProxy or run a setup as above, or know if this is actually doable? Any 
suggestions much appreciated.


Will the mail storage be on these machines running exim ?
Don't forget about balancing dovecot, or whatever will make the mailboxes
available to your users, too.

Since you have different domains, my first thought would just be to
assign them different MXes with different IPs ...

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk



Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users


On 15/04/2023 17:00, Fabio Martins wrote:
I believe you are trying to use the same IP address for the 3 exim 
instances, otherwise the solution would be quite simple binding each 
instance to the proper IP address. Right? Or do you have 3 different 
public IP addresses?


That's correct - there is only one IP address on the VPS/proxy - which 
needs to serve all the Exim servers behind




If you have only 1 public IP, does a solution forwarding to a subdomain 
via system_aliases+dsearch+local_parts+cron job updating user list, 
would satisfy?


example:

a...@company1.com -> a...@internal.company1.com
e...@company1.com -> e...@internal.company1.com
key...@business2.com -> key...@internal.business2.com
s...@designer3.com -> s...@internal.designer3.com
cont...@designer3.com -> cont...@internal.designer3.com


I can't say that I am really following what you are trying to suggest - 
but I don't think having emails on subdomains would help with my problem





--

On 2023-04-15 11:53, Sebastian Arcus via Exim-users wrote:
I have a number of Exim servers behind a NAT gateway (actually 
connected with vpn's to a cloud vps - but I'm hoping this is not 
relevant to this post). I would like the gateway to send incoming port 
25 traffic to the correct Exim server based on SNI in incoming TLS 
packets - as different Exim instances serve different email domains. 
The setup would look like this:


                  [Internet]
                      |
                (smtp port 25)
                      |
                      v
                [Cloud server]
                      |
       +---------------+---------------+
       |               |               |
       v               v               v
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but apparently 
not really possible. It seems the next option would be HAProxy. Has 
anyone here used HAProxy or run a setup as above, or know if this is 
actually doable? Any suggestions much appreciated.




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Evgeniy Berdnikov via Exim-users
On Sat, Apr 15, 2023 at 12:53:54PM +0100, Sebastian Arcus via Exim-users wrote:
> I have a number of Exim servers behind a NAT gateway (actually connected
> with vpn's to a cloud vps - but I'm hoping this is not relevant to this
> post). I would like the gateway to send incoming port 25 traffic to the
> correct Exim server based on SNI in incoming TLS packets - as different Exim
> instances serve different email domains. The setup would look like this:
> 
>                   [Internet]
>                       |
>                 (smtp port 25)
>                       |
>                       v
>                 [Cloud server]
>                       |
>        +---------------+---------------+
>        |               |               |
>        v               v               v
> [Exim server 1] [Exim server 2] [Exim server 3]
> 
> 
> I would have preferred to do this at IP tables level - but apparently not
> really possible.

 Well, iptables is not good tool for this, because it operates on OSI levels
 3+4, while SNI is on the level 5. Iptables should select backend IP on the
 SYN packet, but SNI comes later.

 For your conditions problem is even more complex, because port 25 is for
 plain SMTP, but SNI can be passed after STARTTLS only. So load balancer
 should start plain SMTP session, do full dialog until client switches
 to TLS, and check whether client supply SNI during handshake. Note that
 SNI may be absent, this situation should be also processed carefully.

> It seems the next option would be HAProxy. Has anyone here
> used HAProxy or run a setup as above, or know if this is actually doable?

 Your scheme is theoretically possible, but I doubt it can be easily
 realized with generally used Haproxy or Nginx.

 My question is: why do you want to use so complicated scheme, while it's
 very simple task to set up a farm of Exim servers, each operating for
 several mail domains, with iptables-based balancer in front of them?
-- 
 Eugene Berdnikov

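The two constraints Evgeniy describes above (the balancer has to speak clear-text SMTP itself until the client issues STARTTLS, and only then can it read SNI, which may be absent or point at an unknown name) as an added Python illustration. This is not code from the thread, from Exim or from HAProxy; the SMTP commands and the TLS ClientHello are constructed in the file and nothing touches the network, and the backend names and addresses are made up.

```python
"""Added illustration: why port-25 routing on SNI needs an SMTP-aware
front end. Nothing here is from the thread, Exim or HAProxy; all input
is constructed below and the backend map is hypothetical."""
import struct

BACKENDS = {                      # hypothetical SNI -> backend map
    "mail.example.org": "10.0.0.1",
    "mail.example.net": "10.0.0.2",
}
DEFAULT_BACKEND = "10.0.0.1"      # where sessions without usable SNI go


def front_end_dialog(client_commands, hostname="mx.example.org"):
    """Clear-text part of the session the front end must run itself.
    Returns (transcript, tls_expected). Transaction verbs before STARTTLS
    are refused with the RFC 3207 style 530, because without SNI this
    front end has nothing to route on; the alternative policy is to send
    such sessions to DEFAULT_BACKEND."""
    transcript = [f"S: 220 {hostname} ESMTP"]
    for cmd in client_commands:
        transcript.append("C: " + cmd)
        verb = cmd.split(None, 1)[0].upper() if cmd.strip() else ""
        if verb == "EHLO":
            transcript += [f"S: 250-{hostname}", "S: 250 STARTTLS"]
        elif verb == "STARTTLS":
            transcript.append("S: 220 Go ahead")
            return transcript, True          # next bytes: TLS ClientHello
        elif verb == "QUIT":
            transcript.append("S: 221 Bye")
            return transcript, False
        else:
            transcript.append("S: 530 5.7.0 Must issue a STARTTLS command first")
    return transcript, False


def build_client_hello(sni=None):
    """Minimal TLS 1.2 ClientHello record (constructed test input). An
    unrelated extension is included so the parser has to skip one."""
    exts = b""
    if sni is not None:
        name = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(lst)) + lst          # server_name
    exts += struct.pack("!HH", 0x000A, 4) + struct.pack("!HH", 2, 0x001D)  # supported_groups
    body = (b"\x03\x03" + b"\x11" * 32                    # version, random
            + b"\x00"                                      # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """host_name from the server_name extension, or None when the record is
    not a ClientHello or carries no SNI. Every length is bounds-checked, so
    a truncated or hostile record yields None instead of an exception."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        p = 2 + 32                                         # skip version + random
        p += 1 + body[p]                                   # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]     # cipher_suites
        p += 1 + body[p]                                   # compression_methods
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        if end > len(body):
            return None
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            edata, p = body[p:p + elen], p + elen
            if etype != 0x0000 or len(edata) != elen:
                continue
            q = 2                                          # skip list length
            while q + 3 <= len(edata):
                ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
                name, q = edata[q + 3:q + 3 + nlen], q + 3 + nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def choose_backend(first_tls_record):
    """Routing decision, taken only after STARTTLS: returns (backend, reason)."""
    sni = extract_sni(first_tls_record)
    if sni is None:
        return DEFAULT_BACKEND, "no-sni"
    backend = BACKENDS.get(sni.lower())
    return (backend, "sni") if backend else (DEFAULT_BACKEND, "unknown-sni")
```

The point a practitioner should take from this: the routing key does not exist on the SYN (so iptables/nftables cannot see it), nor in the first bytes of the stream (so a plain TCP-level proxy cannot either); it appears only in the first TLS record after the front end itself has answered the greeting, EHLO and STARTTLS. Whatever sits in front therefore has to be an SMTP server in its own right, which is why the replies in this thread converge on putting Exim at the cloud server.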


Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Jeremy Harris via Exim-users

On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:

I have a number of Exim servers behind a NAT gateway (actually connected with 
vpn's to a cloud vps - but I'm hoping this is not relevant to this post). I 
would like the gateway to send incoming port 25 traffic to the correct Exim 
server based on SNI in incoming TLS packets - as different Exim instances serve 
different email domains. The setup would look like this:

                  [Internet]
                      |
                (smtp port 25)
                      |
                      v
                [Cloud server]
                      |
       +---------------+---------------+
       |               |               |
       v               v               v
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but apparently not 
really possible. It seems the next option would be HAProxy. Has anyone here 
used HAProxy or run a setup as above, or know if this is actually doable? Any 
suggestions much appreciated.



Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can 
use):
https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound

I can't really help on other HAProxy facilities or config though.

Another option for you would be to use Exim itself as the fanout element at your
"cloud server".  It has visibility of the SNI and could use that for routing.
Indeed, if the configurations needed for the "Exim server N" elements are
sufficiently similar and load & geography permits, you could collapse the lot
into a single Exim.
--
Cheers,
  Jeremy


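What the inbound proxy protocol Jeremy links to actually puts on the wire, and the one check that matters when a back-end Exim accepts it, as an added Python illustration (not code from the thread, from Exim or from HAProxy). Only version 1 of the protocol, the human-readable one, is shown; Exim's `hosts_proxy` option is the list of proxy hosts it will accept a header from, and the example models that gate. All addresses, ports and the trusted-proxy address are made up.

```python
"""Added illustration of PROXY protocol v1 as a front end such as HAProxy
would emit it and as a back-end MTA should consume it. Not from the thread,
Exim or HAProxy; every address below is constructed for the example."""
import ipaddress

MAX_V1_LEN = 107   # longest legal v1 line per the spec, CRLF included


def build_proxy_v1(src, dst, sport, dport):
    """The one line the front end prepends to the TCP stream before the
    first SMTP byte, carrying the real client's address and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address families differ")
    if not all(0 <= p <= 65535 for p in (sport, dport)):
        raise ValueError("port out of range")
    fam = "TCP4" if s.version == 4 else "TCP6"
    return f"PROXY {fam} {s} {d} {sport} {dport}\r\n".encode("ascii")


def parse_proxy_v1(stream, trusted_peer, peer):
    """Split a v1 header off the front of `stream`; returns (info, rest),
    info being None when no header is present. The header is believed only
    from `trusted_peer` (the role Exim's hosts_proxy plays): accepting it
    from anyone else lets any client claim an arbitrary source address and
    walk past every host-based ACL and IP reputation check."""
    if not stream.startswith(b"PROXY "):
        return None, stream
    if peer != trusted_peer:
        raise PermissionError(f"PROXY header from untrusted peer {peer}")
    end = stream.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("PROXY v1 line too long or unterminated")
    fields = stream[:end].decode("ascii").split(" ")
    rest = stream[end + 2:]
    if fields[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, rest           # e.g. a health check
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if not all(0 <= p <= 65535 for p in (sport, dport)):
        raise ValueError("port out of range")
    return ({"family": fields[1], "src": str(src), "dst": str(dst),
             "sport": sport, "dport": dport}, rest)


def effective_client_address(info, peer):
    """Address the MTA should run its ACLs against: the proxied source when a
    real header was accepted, otherwise the TCP peer (the proxy itself)."""
    if info and info["family"] != "UNKNOWN":
        return info["src"]
    return peer
```

Two caveats follow directly from this. First, without the header every back end sees only the cloud server's VPN address, so any host-based ACL, rate limit or reputation check on the back ends becomes meaningless; the proxy protocol is what restores the real client address. Second, because the TCP connections all originate from one proxy address and Exim's per-host connection accounting happens before the header is read, `smtp_accept_max_per_host` on the back ends has to be sized for the proxy's total inbound volume, not for a single client.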


[exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
I have a number of Exim servers behind a NAT gateway (actually connected 
with vpn's to a cloud vps - but I'm hoping this is not relevant to this 
post). I would like the gateway to send incoming port 25 traffic to the 
correct Exim server based on SNI in incoming TLS packets - as different 
Exim instances serve different email domains. The setup would look like 
this:


                  [Internet]
                      |
                (smtp port 25)
                      |
                      v
                [Cloud server]
                      |
       +---------------+---------------+
       |               |               |
       v               v               v
[Exim server 1] [Exim server 2] [Exim server 3]


I would have preferred to do this at IP tables level - but apparently 
not really possible. It seems the next option would be HAProxy. Has 
anyone here used HAProxy or run a setup as above, or know if this is 
actually doable? Any suggestions much appreciated.

