Hello, I am trying to put haproxy in front of postfix and utilise the proxy protocol to get accurate client IPs.
This works fine for all unencrypted / starttls based listeners, but not for tls-wrapped listeners using smtpd_tls_wrappermode.

This is the haproxy configuration:

    frontend ft_smtps
        bind 0.0.0.0
        timeout client 1m
        log global
        option tcplog
        default_backend bk_postfix_smtps

    backend bk_postfix_smtps
        option smtpchk HELO localhost
        log global
        option tcplog
        timeout server 1m
        timeout connect 5s
        server mailbackend mail:10464 send-proxy

And this is the postfix master.cf configuration:

    10464 inet n - - - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_upstream_proxy_protocol=haproxy

I am testing this using openssl s_client -connect localhost:465 and expect to get a 220 message from the postfix, but the connection just hangs until I close it. Something goes wrong with establishing the SSL session:

    Aug 31 09:52:47 mail postfix-from-user/smtpd[2416]: connect from a-mua.informatik.tu-muenchen.de[xxx.xxx.42.153]
    Aug 31 09:52:49 mail postfix-from-user/smtpd[2416]: SSL_accept error from mailclient[xxx.xxx.42.153]: lost connection
    Aug 31 09:52:49 mail postfix-from-user/smtpd[2416]: lost connection after CONNECT from mailclient[xxx.xxx.42.153]
    Aug 31 09:52:49 mail postfix-from-user/smtpd[2416]: disconnect from mailclient[xxx.xxx.42.153]

Is this implemented in postfix? If it is, what is the right configuration to make it work?