Re: Postfix 2.10 introduces support for the PROXY protocol

2012-06-29 Thread Baptiste
Hi all,

The blog article about it:
http://blog.exceliance.fr/2012/06/30/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/

I'll come later with a longer article on spam fighting using HAProxy
and postfix and the proxy protocol :)

Cheers



Re: Postfix 2.10 introduces support for the PROXY protocol

2012-06-27 Thread Baptiste
Hi Willy,

I just tested it and it seems to work:
Postfix logs, depending on the configuration:

No proxy protocol:
Jun 28 06:14:46 sd-33932 postfix/smtpd[25335]: connect from localhost[127.0.0.1]
Jun 28 06:15:07 sd-33932 postfix/smtpd[25335]: disconnect from localhost[127.0.0.1]

With proxy protocol:
Jun 28 06:17:16 sd-33932 postfix/smtpd[25486]: connect from xxx.domain.com[public ip address]
Jun 28 06:17:27 sd-33932 postfix/smtpd[25486]: disconnect from xxx.domain.com[public ip address]


I've not been further yet, but I know some people who will be very
interested and able to go much further, hopefully they'll have some
free time :)


Cheers

On Mon, Jun 18, 2012 at 7:55 AM, Willy Tarreau w...@1wt.eu wrote:
 Hi,

 I think this is of interest to a number of people here who use postfix
 as their mail gateways/servers.

 Wietse has worked with us to see how to implement the proxy protocol in
 postscreen and smtpd so that postfix can be transparently load-balanced
 by haproxy (or any other product implementing the same protocol). This
 is particularly interesting since postscreen is able to block incoming
 connections based on their IP address.

 If some users here want to give it a try, the code is readily available,
 and all the relevant info is provided in Wietse's mail forwarded below.
 If you want to report success (or failures), please post them to the
 postfix-users list (you need to be subscribed otherwise your mail will
 silently be dropped).

 In order to test it, you need haproxy-1.5dev and you have to specify
 the send-proxy directive on the server line going to the postfix
 server. For instance :

       server smtp1 192.168.0.1:25 send-proxy

 Warning, if you use option smtpchk, it will not work anymore since the
 server expects a PROXY line first, which the checks don't send for now,
 so you need to disable the option.

 Please note that this work probably makes postfix the first PROXY to
 XCLIENT gateway :-)

 Regards,
 Willy

 - Forwarded message from Wietse Venema wie...@porcupine.org -

 Date: Sun, 17 Jun 2012 20:25:12 -0400 (EDT)
 From: wie...@porcupine.org (Wietse Venema)
 Subject: Re: Make smtpd/Postscreen compatible with load balancers
 To: Postfix users postfix-us...@postfix.org

 Non-production release postfix-2.10-20120617-nonprod has support
 for up-stream proxy agents in postscreen(8) and smtpd(8).

 To enable, specify one of:

     postscreen_upstream_proxy_protocol = haproxy
     smtpd_upstream_proxy_protocol = haproxy

 haproxy is not the only proxy agent that works with Postfix. Support
 for nginx with proxied SASL authentication is available in Postfix
 2.9 smtpd(8). This uses the XCLIENT protocol.

       Wietse

 - End forwarded message -
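
Added example (not part of the original thread, and not Postfix or HAProxy code): a small Python parser for the version 1 text header that `send-proxy` puts in front of the SMTP session. It shows why the listener logs the real client address instead of the load balancer's, and why a check that opens with an SMTP command is rejected. The addresses and the function names are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest valid v1 header line, CRLF included


class ProxyHeaderError(ValueError):
    """The first line of the connection is not a valid PROXY v1 header."""


def parse_proxy_v1(line: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for 'PROXY UNKNOWN'."""
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ProxyHeaderError("header too long or not CRLF-terminated")
    try:
        fields = line[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII bytes in header") from None
    if fields[0] != "PROXY":
        raise ProxyHeaderError("first line is not a PROXY header")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None  # proxy could not describe the connection
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed PROXY header")
    family = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError as exc:
        raise ProxyHeaderError(str(exc)) from None
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match protocol field")
    if not all(p.isdigit() for p in fields[4:6]):
        raise ProxyHeaderError("port is not a decimal number")
    sport, dport = (int(p) for p in fields[4:6])
    if sport > 65535 or dport > 65535:
        raise ProxyHeaderError("port out of range")
    return str(src), sport, str(dst), dport


def effective_client(peer_ip: str, first_line: bytes) -> str:
    """Address a PROXY-aware listener would attribute the session to."""
    parsed = parse_proxy_v1(first_line)
    return peer_ip if parsed is None else parsed[0]


# Constructed samples: a header as sent ahead of the SMTP dialogue,
# and an SMTP command arriving with no PROXY line before it.
SAMPLE_HEADER = b"PROXY TCP4 203.0.113.7 192.168.0.1 51234 25\r\n"
SAMPLE_BARE_SMTP = b"HELO localhost\r\n"
```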





Re: Postfix 2.10 introduces support for the PROXY protocol

2012-06-27 Thread Willy Tarreau
Hi Baptiste,

On Thu, Jun 28, 2012 at 06:22:16AM +0200, Baptiste wrote:
 Hi Willy,
 
 I just tested it and it seems to work:
 Postfix logs, depending on the configuration:
 
 No proxy protocol:
 Jun 28 06:14:46 sd-33932 postfix/smtpd[25335]: connect from localhost[127.0.0.1]
 Jun 28 06:15:07 sd-33932 postfix/smtpd[25335]: disconnect from localhost[127.0.0.1]
 
 With proxy protocol:
 Jun 28 06:17:16 sd-33932 postfix/smtpd[25486]: connect from xxx.domain.com[public ip address]
 Jun 28 06:17:27 sd-33932 postfix/smtpd[25486]: disconnect from xxx.domain.com[public ip address]

 I've not been further yet, but I know some people who will be very
 interested and able to go much further, hopefully they'll have some
 free time :)

Thank you for this feedback. At first glance, Wietse appears to have done
very clean work, we just need to ensure that various configurations are
OK, especially when running postscreen in front of smtpd since this is the
configuration which really requires the use of the proxy protocol.

If your friends are able to make more tests, please tell them to reply to
Wietse's announcement on the postfix ML.

Cheers,
Willy




Re: Postfix 2.10 introduces support for the PROXY protocol

2012-06-27 Thread Baptiste
On Thu, Jun 28, 2012 at 7:28 AM, Willy Tarreau w...@1wt.eu wrote:
 Hi Baptiste,

 On Thu, Jun 28, 2012 at 06:22:16AM +0200, Baptiste wrote:
 Hi Willy,

 I just tested it and it seems to work:
 Postfix logs, depending on the configuration:

 No proxy protocol:
 Jun 28 06:14:46 sd-33932 postfix/smtpd[25335]: connect from localhost[127.0.0.1]
 Jun 28 06:15:07 sd-33932 postfix/smtpd[25335]: disconnect from localhost[127.0.0.1]

 With proxy protocol:
 Jun 28 06:17:16 sd-33932 postfix/smtpd[25486]: connect from xxx.domain.com[public ip address]
 Jun 28 06:17:27 sd-33932 postfix/smtpd[25486]: disconnect from xxx.domain.com[public ip address]

 I've not been further yet, but I know some people who will be very
 interested and able to go much further, hopefully they'll have some
 free time :)

 Thank you for this feedback. At first glance, Wietse appears to have done
 very clean work, we just need to ensure that various configurations are
 OK, especially when running postscreen in front of smtpd since this is the
 configuration which really requires the use of the proxy protocol.

 If your friends are able to make more tests, please tell them to reply to
 Wietse's announcement on the postfix ML.

 Cheers,
 Willy



Sure :)
I'm writing a blog article about it, I'll include postscreen as well
in my tests so.

cheers