Postfix 2.10 introduces support for the PROXY protocol

Posted by Willy Tarreau 
June 18, 2012 08:00AM
Hi,

I think this is of interest to a number of people here who use postfix
as their mail gateways/servers.

Wietse has worked with us to see how to implement the proxy protocol in
postscreen and smtpd so that postfix can be transparently load-balanced
by haproxy (or any other product implementing the same protocol). This
is particularly interesting since postscreen is able to block incoming
connections based on their IP address.

If some users here want to give it a try, the code is readily available,
and all the relevant info is provided in Wietse's mail forwarded below.
If you want to report success (or failures), please post them to the
postfix-users list (you need to be subscribed otherwise your mail will
silently be dropped).

In order to test it, you need haproxy-1.5dev and you have to specify
the "send-proxy" directive on the "server" line going to the postfix
server. For instance:

      server smtp1 192.168.0.1:25 send-proxy

Warning, if you use "option smtpchk", it will not work anymore since the
server expects a PROXY line first, which the checks don't send for now,
so you need to disable the option.

Please note that this work probably makes postfix the first PROXY to
XCLIENT gateway :-)

Regards,
Willy

----- Forwarded message from Wietse Venema <[email protected]> -----

> Date: Sun, 17 Jun 2012 20:25:12 -0400 (EDT)
> From: wietse@porcupine.org (Wietse Venema)
> Subject: Re: Make smtpd/Postscreen compatible with load balancers
> To: Postfix users <[email protected]>
>
> Non-production release postfix-2.10-20120617-nonprod has support
> for up-stream proxy agents in postscreen(8) and smtpd(8).
>
> To enable, specify one of:
>
>     postscreen_upstream_proxy_protocol = haproxy
>     smtpd_upstream_proxy_protocol = haproxy
>
> haproxy is not the only proxy agent that works with Postfix. Support
> for nginx with proxied SASL authentication is available in Postfix
> 2.9 smtpd(8). This uses the XCLIENT protocol.
>
> Wietse

----- End forwarded message -----
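
What "the server expects a PROXY line first" means on the wire, as an added example (not code from Postfix, haproxy or the posters): a Python parser for the text-format PROXY line that `send-proxy` puts ahead of the SMTP dialogue. The sample bytes, the address 203.0.113.7 and all function names are assumptions made for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest PROXY v1 line the spec allows, CRLF included

class ProxyHeaderError(ValueError):
    """The connection did not start with a valid PROXY v1 line."""

def parse_proxy_v1(data: bytes):
    """Return ((src_ip, src_port, dst_ip, dst_port) | None, remaining_bytes)."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyHeaderError("no CRLF-terminated line within 107 bytes")
    fields = data[:end].decode("ascii", "replace").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("first line is not a PROXY header")
    if fields[1] == "UNKNOWN":          # proxy could not describe the client
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("malformed PROXY header")
    if not all(f.isdigit() for f in fields[4:6]):
        raise ProxyHeaderError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    except ValueError as exc:
        raise ProxyHeaderError(str(exc)) from None
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    if sport > 65535 or dport > 65535:
        raise ProxyHeaderError("port out of range")
    return (str(src), sport, str(dst), dport), rest

def logged_client(peer_ip: str, first_bytes: bytes, proxy_enabled: bool) -> str:
    """Address a receiver would attribute the connection to."""
    if not proxy_enabled:
        return peer_ip                  # the load balancer's own address
    info, _ = parse_proxy_v1(first_bytes)
    return info[0] if info else peer_ip

# Constructed samples (203.0.113.7 is a documentation address, not from the thread).
FROM_HAPROXY = b"PROXY TCP4 203.0.113.7 192.168.0.1 51234 25\r\nEHLO client.example\r\n"
PLAIN_SMTP_PROBE = b"HELO localhost\r\n"  # a check that speaks SMTP with no PROXY line

def probe_is_rejected() -> bool:
    try:
        parse_proxy_v1(PLAIN_SMTP_PROBE)
    except ProxyHeaderError:
        return True
    return False
```

Because the receiver takes the client address from this line, a listener with the proxy protocol enabled should accept connections only from the load balancer.
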
Hi Willy,

I just tested it and it seems to work:
Postfix logs, depending on the configuration:

No proxy protocol:
Jun 28 06:14:46 sd-33932 postfix/smtpd[25335]: connect from localhost[127.0.0.1]
Jun 28 06:15:07 sd-33932 postfix/smtpd[25335]: disconnect from localhost[127.0.0.1]

With proxy protocol:
Jun 28 06:17:16 sd-33932 postfix/smtpd[25486]: connect from xxx.domain.com[<public ip address>]
Jun 28 06:17:27 sd-33932 postfix/smtpd[25486]: disconnect from xxx.domain.com[<public ip address>]


I've not gone further yet, but I know some people who will be very
interested and able to go much further, hopefully they'll have some
free time :)


Cheers

On Mon, Jun 18, 2012 at 7:55 AM, Willy Tarreau <[email protected]> wrote:
> Hi,
>
> I think this is of interest to a number of people here who use postfix
> as their mail gateways/servers.
>
> Wietse has worked with us to see how to implement the proxy protocol in
> postscreen and smtpd so that postfix can be transparently load-balanced
> by haproxy (or any other product implementing the same protocol). This
> is particularly interesting since postscreen is able to block incoming
> connections based on their IP address.
>
> If some users here want to give it a try, the code is readily available,
> and all the relevant info is provided in Wietse's mail forwarded below.
> If you want to report success (or failures), please post them to the
> postfix-users list (you need to be subscribed otherwise your mail will
> silently be dropped).
>
> In order to test it, you need haproxy-1.5dev and you have to specify
> the "send-proxy" directive on the "server" line going to the postfix
> server. For instance:
>
>       server smtp1 192.168.0.1:25 send-proxy
>
> Warning, if you use "option smtpchk", it will not work anymore since the
> server expects a PROXY line first, which the checks don't send for now,
> so you need to disable the option.
>
> Please note that this work probably makes postfix the first PROXY to
> XCLIENT gateway :-)
>
> Regards,
> Willy
>
> ----- Forwarded message from Wietse Venema <[email protected]> -----
>
>> Date: Sun, 17 Jun 2012 20:25:12 -0400 (EDT)
>> From: wietse@porcupine.org (Wietse Venema)
>> Subject: Re: Make smtpd/Postscreen compatible with load balancers
>> To: Postfix users <[email protected]>
>>
>> Non-production release postfix-2.10-20120617-nonprod has support
>> for up-stream proxy agents in postscreen(8) and smtpd(8).
>>
>> To enable, specify one of:
>>
>>     postscreen_upstream_proxy_protocol = haproxy
>>     smtpd_upstream_proxy_protocol = haproxy
>>
>> haproxy is not the only proxy agent that works with Postfix. Support
>> for nginx with proxied SASL authentication is available in Postfix
>> 2.9 smtpd(8). This uses the XCLIENT protocol.
>>
>>       Wietse
>
> ----- End forwarded message -----
>
>
Hi Baptiste,

On Thu, Jun 28, 2012 at 06:22:16AM +0200, Baptiste wrote:
> Hi Willy,
>
> I just tested it and it seems to work:
> Postfix logs, depending on the configuration:
>
> No proxy protocol:
> Jun 28 06:14:46 sd-33932 postfix/smtpd[25335]: connect from localhost[127.0.0.1]
> Jun 28 06:15:07 sd-33932 postfix/smtpd[25335]: disconnect from
> localhost[127.0.0.1]
>
> With proxy protocol:
> Jun 28 06:17:16 sd-33932 postfix/smtpd[25486]: connect from
> xxx.domain.com[<public ip address>]
> Jun 28 06:17:27 sd-33932 postfix/smtpd[25486]: disconnect from
> xxx.domain.com[<public ip address>]
>
> I've not gone further yet, but I know some people who will be very
> interested and able to go much further, hopefully they'll have some
> free time :)

Thank you for this feedback. At first glance, Wietse appears to have done
very clean work; we just need to ensure that various configurations are
OK, especially when running postscreen in front of smtpd since this is the
configuration which really requires the use of the proxy protocol.

If your friends are able to make more tests, please tell them to reply to
Wietse's announcement on the postfix ML.

Cheers,
Willy
On Thu, Jun 28, 2012 at 7:28 AM, Willy Tarreau <[email protected]> wrote:
> Hi Baptiste,
>
> On Thu, Jun 28, 2012 at 06:22:16AM +0200, Baptiste wrote:
>> Hi Willy,
>>
>> I just tested it and it seems to work:
>> Postfix logs, depending on the configuration:
>>
>> No proxy protocol:
>> Jun 28 06:14:46 sd-33932 postfix/smtpd[25335]: connect from localhost[127.0.0.1]
>> Jun 28 06:15:07 sd-33932 postfix/smtpd[25335]: disconnect from
>> localhost[127.0.0.1]
>>
>> With proxy protocol:
>> Jun 28 06:17:16 sd-33932 postfix/smtpd[25486]: connect from
>> xxx.domain.com[<public ip address>]
>> Jun 28 06:17:27 sd-33932 postfix/smtpd[25486]: disconnect from
>> xxx.domain.com[<public ip address>]
>>
>> I've not gone further yet, but I know some people who will be very
>> interested and able to go much further, hopefully they'll have some
>> free time :)
>
> Thank you for this feedback. At first glance, Wietse appears to have done
> very clean work; we just need to ensure that various configurations are
> OK, especially when running postscreen in front of smtpd since this is the
> configuration which really requires the use of the proxy protocol.
>
> If your friends are able to make more tests, please tell them to reply to
> Wietse's announcement on the postfix ML.
>
> Cheers,
> Willy
>


Sure :)
I'm writing a blog article about it, so I'll include postscreen as well
in my tests.

cheers
Hi all,

The blog article about it:
http://blog.exceliance.fr/2012/06/30/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/

I'll come back later with a longer article on spam fighting using HAProxy
and postfix and the proxy protocol :)

Cheers