[ https://issues.apache.org/jira/browse/JAMES-3788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568135#comment-17568135 ]
Allayna Wilson commented on JAMES-3788:
---------------------------------------

I would just point out that the PROXY protocol itself is not exclusive to HAProxy, and support for it exists in a number of different technologies:

* Tor's HiddenServiceExportCircuitID
* Traefik supports it
* InspIRCd supports it

It gets used in a variety of different ways depending. In the case of Traefik it is more or less the same as HAProxy (nginx also supports this). And it's particularly useful for proxying the client's IP address without relying on the protocol itself; so you can essentially use something like Traefik to manage rolling certificates with Let's Encrypt and act as a proxy frontend to something like InspIRCd.

So ideally the way I would want to use it for my purposes is not much different, but then this means that I configure my IMAP and SMTP listeners as plain-text listeners and allow Traefik to listen on 465 or 587 and route the request based on SNI to the correct backend, which will be plaintext SMTP (I have not been able to get TLS backends working with PROXY for either Traefik or HAProxy). Which is all fine by me, but this causes problems for cases where opportunistic TLS is implemented, I suppose, because the SMTP server isn't relied on for TLS.

I don't know if clients connecting directly via 465 or 587 rely on any protocol commands to further attest the already established TLS connection; I don't think there are, but STARTTLS came to mind when I thought of reasons why PROXY might not work for SMTP, IMAP, POP, ManageSieve or any of the other things that are available in James. Most protocols work fine as long as there's not some weird attestation of connection security or opportunistic connection renegotiation going on like STARTTLS.
> Support for HAProxy Proxy Protocol
> ----------------------------------
>
>                 Key: JAMES-3788
>                 URL: https://issues.apache.org/jira/browse/JAMES-3788
>             Project: James Server
>          Issue Type: New Feature
>          Components: protocols
>            Reporter: ouvtam
>            Priority: Minor
>
> As proposed in the gitter channel I would like to add support for HAProxy's
> PROXY protocol (https://www.haproxy.org/download/2.7/doc/proxy-protocol.txt).
> This allows running James behind HAProxy (i.e. load balancing multiple James
> instances). In order to properly support the proxy protocol James needs to
> parse the provided PROXY arguments from HAProxy (remote IP address, remote
> port etc.) and store them in the SMTPSession for further processing (e.g.
> DNSRBL check, Authorized Networks etc.). Otherwise James uses HAProxy's
> address (e.g. localhost) as remote address.
> For instance, HAProxy sends the following line after connecting:
> {code:java}
> "PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\n"
> {code}
> Netty already provides a codec for HAProxy's protocol
> (io.netty.handler.codec.haproxy), so this can be implemented in the transport
> layer of James.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
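The quoted issue shows the one-line PROXY v1 header HAProxy sends and says James should take the real client address from it for DNSRBL and Authorized Networks checks. The example below is added here to illustrate that; it is not code from James, Netty or the ticket. It parses the v1 text header as described in proxy-protocol.txt (PROXY, TCP4/TCP6/UNKNOWN, source and destination address and port, CRLF, at most 107 bytes) and hands back the remaining bytes as the start of the real SMTP/IMAP stream. It also shows the check a listener has to add on top of parsing: only a peer in a trusted-proxy list may assert a client address, otherwise any host that can reach the listener directly can forge its source and sail past address-based policy. The `trusted_proxies` parameter, the function names and the sample byte strings (using documentation address ranges) are this example's own assumptions.

```python
"""PROXY protocol v1 header parsing plus a trusted-proxy check (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# The v1 text header, CRLF included, is at most 107 bytes (proxy-protocol.txt).
MAX_V1_HEADER = 107


class ProxyHeaderError(ValueError):
    """The bytes at the start of the connection are not a valid v1 header."""


@dataclass(frozen=True)
class ProxyInfo:
    proto: str                   # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]      # client address as seen by the proxy
    src_port: Optional[int]
    dst_addr: Optional[str]      # address the client connected to on the proxy
    dst_port: Optional[int]


def _port(field: str) -> int:
    if not field.isdigit() or not 0 <= int(field) <= 65535:
        raise ProxyHeaderError(f"bad port {field!r}")
    return int(field)


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Parse a PROXY v1 header at the very start of `data`.

    Returns the parsed addresses and the bytes after the CRLF, i.e. the first
    bytes of the real SMTP/IMAP/POP stream. A malformed prefix is an error; the
    spec says the receiver must then drop the connection.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)   # CRLF must end within 107 bytes
    if end < 0:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")   # exactly one space between fields
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    if fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # Proxy could not determine the client; the rest of the line is ignored.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"malformed header {fields!r}")
    family = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    try:
        src, dst = family(fields[2]), family(fields[3])   # address family must match
    except ValueError as exc:
        raise ProxyHeaderError(f"address does not match {fields[1]}") from exc
    return ProxyInfo(fields[1], str(src), _port(fields[4]), str(dst), _port(fields[5])), rest


def header_is_valid(data: bytes) -> bool:
    """True when `data` starts with a well-formed v1 header."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


def effective_remote(peer_addr: str, data: bytes,
                     trusted_proxies: Iterable[str]) -> Tuple[str, Optional[int], bytes]:
    """Decide which address policy checks (DNSRBL, Authorized Networks) should see.

    Only a peer inside `trusted_proxies` (assumed config, not from the ticket)
    may assert a client address via the PROXY header; otherwise any host that
    reaches the listener directly could forge its source address.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        # Untrusted peer: its own address is the client address and the bytes are
        # left untouched, so a forged "PROXY ..." line just becomes a bad
        # SMTP/IMAP command instead of a spoofed source.
        return str(peer), None, data
    info, rest = parse_proxy_v1(data)   # ProxyHeaderError -> caller drops the connection
    if info.proto == "UNKNOWN":
        return str(peer), None, rest    # fall back to the proxy's own address
    return info.src_addr, info.src_port, rest


if __name__ == "__main__":
    # Constructed sample: the header from the ticket followed by an SMTP command.
    sample = b"PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\nEHLO mail.example\r\n"
    print(parse_proxy_v1(sample))
    # Constructed spoof attempt from a host that is not the proxy (203.0.113.9 is TEST-NET-3).
    spoof = b"PROXY TCP4 203.0.113.9 192.0.2.25 40000 25\r\nEHLO attacker\r\n"
    print(effective_remote("198.51.100.7", spoof, ["10.0.0.0/8"]))
    print(effective_remote("10.0.0.2", spoof, ["10.0.0.0/8"]))
```

In deployment the trusted-proxy list should be backed by a firewall rule that only lets the proxy reach the PROXY-enabled listener at all; the check in code is defence in depth, not a substitute. Note that the header carries addresses only, so nothing in it tells the backend whether the proxy terminated TLS for the client, which is the gap the comment above runs into with plaintext backends.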