Hi,
we use HAProxy for incoming mail, outgoing mail (authenticated), POP3 and IMAP.
With incoming mail, I can make use of HAProxy’s send-proxy feature to make the
source IP known to the backend SMTP servers.
(Works in the lab; I just need to move a few hundred customers off port 25 for
authenticated SMTP, as send-proxy is incompatible with authentication (right?).)
But what about authenticated SMTP connections (which go on port 587 or 465)?
We get a fair amount of abuse from hijacked accounts.
I need to know the original IP from these connections, too, so I can quickly
see if it connects from China, Pakistan or whatever (our customers are 99.99%
only connecting from domestic fixed and dynamic IPs, and authenticated connections
from multiple IPs from multiple countries to the same account are 100%
hijacked).
Same in principle for POP3 and IMAP.
Is there no other way other than running TPROXY mode (which I want to avoid and
is AFAIK also not recommended)?
I have about 15k individual users.
As traffic is going to be almost 100% encrypted in the near future, I can't
even run something like Snort on the LB and just process the logs from that...
Have the patches from this thread:
http://marc.info/?t=13662203193r=1w=2
been incorporated into the HAProxy 1.5 source tree since then?
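A defender-side sketch of the heuristic described in the post above (one account authenticating from several countries is treated as hijacked), as an added example that is not part of the original message or of HAProxy. It assumes the backend already logs the real client IP (for example after HAProxy's send-proxy hands it over); the log line format and the prefix-to-country table are constructed for the example.

```python
"""Flag mail accounts that authenticate from more than one country.

Added example, not from the mailing-list post. The log format below and the
prefix-to-country table are constructed; a real deployment would read the
mail server's auth log and use a GeoIP database instead of the small table.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed GeoIP stand-in using RFC 5737 documentation ranges.
PREFIX_COUNTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",     # treated as domestic
    ipaddress.ip_network("198.51.100.0/24"): "CN",
    ipaddress.ip_network("203.0.113.0/24"): "PK",
}

# Constructed log line shape: "<timestamp> auth ok user=<account> ip=<addr>"
LINE_RE = re.compile(r"auth ok user=(?P<user>\S+) ip=(?P<ip>[\d.]+)")

# Constructed sample log: alice logs in from three countries, bob from one.
LOG = """\
2014-05-01T10:00:01 auth ok user=alice ip=192.0.2.10
2014-05-01T10:05:12 auth ok user=bob ip=192.0.2.77
2014-05-01T10:07:44 auth ok user=alice ip=198.51.100.5
2014-05-01T10:09:03 auth ok user=alice ip=203.0.113.9
2014-05-01T10:11:30 auth ok user=bob ip=192.0.2.78
2014-05-01T10:12:00 unrelated line that does not match the pattern
"""


def country_of(addr: str) -> str:
    """Map an address to a country code via the constructed table ("??" if unknown)."""
    ip = ipaddress.ip_address(addr)
    for net, cc in PREFIX_COUNTRY.items():
        if ip in net:
            return cc
    return "??"


def flag_hijacked(lines):
    """Return {account: sorted country codes} for every account whose successful
    authentications came from two or more distinct countries."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:                       # skip lines that are not auth successes
            seen[m["user"]].add(country_of(m["ip"]))
    return {user: sorted(cc) for user, cc in seen.items() if len(cc) > 1}


if __name__ == "__main__":
    for user, countries in flag_hijacked(LOG.splitlines()).items():
        print(f"{user}: authenticated from {', '.join(countries)}")
```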