eval:
> I have Postfix/postscreen 3.1.4 + AV/AS/etc. running on a hosted
> VM.
>
> It acts as a front-end, delivering to another postfix instance
> that's on my LAN; the comm's over a VPN link.
>
> The local postfix instance delivers via LMTP to an IMAP store,
> currently on the same box.  It also provides port 587 submission,
> and forwards out, over the VPN link, through the front-end instance,
> on out to the net.
>
> It all works well.
>
> I'm planning on adding CalDAV & CardDAV services to the setup.
> For simpler ClientCert access control, and eventual scale up, I'll
> put the IMAP, CalDAV & CardDAV service behind an NGINX proxy.
>
> NGINX can also serve as an SMTP proxy.  I.e., I could in theory
> put the LAN-side Postfix instance behind the proxy as well.

I understand that nginx uses the XCLIENT protocol to send client
IP address information to Postfix. This is supported in smtpd(8)
but not in postscreen(8), because XCLIENT requires SMTP, and
postscreen(8) normally does not receive SMTP input from clients.

Both postscreen(8) and smtpd(8) support HaProxy protocol version 1
(the HaProxy protocol does not require SMTP, so it does not have
the limitation that is inherent with the use of XCLIENT).

> My questions are:
> 
> Is there any advantage or disadvantage to putting that LAN-side
> Postfix instance behind an SMTP proxy, vs keeping it out in front.
>
Well, the proxy allows you to pull the plug on a server without
clients having to connect to multiple IP addresses to find a working
server.

> And, if I should keep it out front, is there any harm/benefit in
> having Postfix delivering to the IMAP store through the proxy, vs.
> directly to it ?

That may make some sense if you have multiple IMAP servers.

        Wietse
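
The reply's point that the HaProxy protocol carries client address information without requiring SMTP, shown as an added example (not part of the original message, and not Postfix or nginx code): a strict parser for the version 1 header, which is one CRLF-terminated text line sent ahead of any SMTP traffic. The function name `parse_proxy_v1` and the sample addresses are constructed for illustration.

```python
import ipaddress

MAX_V1_LINE = 107  # longest valid v1 header, CRLF included (PROXY protocol spec)

class ProxyHeaderError(ValueError):
    """The connection did not start with a well-formed PROXY v1 line."""

def parse_proxy_v1(data: bytes):
    """Return (info, rest): info is a dict, or None for 'PROXY UNKNOWN';
    rest is whatever followed the header on the connection."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ProxyHeaderError("no CRLF-terminated header in first 107 bytes")
    line, rest = data[:end], data[end + 2:]
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII bytes in header") from None
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":      # proxy could not determine the client
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("bad protocol or field count")
    family = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError as exc:
        raise ProxyHeaderError(str(exc)) from None
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match protocol")
    ports = []
    for p in fields[4:6]:
        # Decimal only, no leading zeros, within the 16-bit port range.
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ProxyHeaderError("bad port")
        ports.append(int(p))
    return {"src": str(src), "dst": str(dst),
            "src_port": ports[0], "dst_port": ports[1]}, rest

# Constructed sample: header from the proxy, then bytes that followed it.
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 40000 25\r\nEHLO client.example\r\n"

if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE))
```

The receiver takes the header's addresses on trust, so a listener that expects it should be reachable only from the proxy.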
