Hi,

On 01/24/2017 04:39 PM, Wietse Venema wrote:
> I understand that nginx uses the XCLIENT protocol to send client
> IP address information to Postfix. This is supported in smtpd(8)
> but it not in postscreen(8), because XCLIENT requires SMTP, and
> postscreen(8) normally does not receive SMTP input from clients.

According to

        http://nginx.org/en/docs/mail/ngx_mail_proxy_module.html#xclient

nginx's XCLIENT can be toggled on/off, where

        "If XCLIENT is enabled then nginx passes the following commands when 
connecting to the backend:

            EHLO with the server name
            XCLIENT
            EHLO or HELO, as passed by the client

        If the name found by the client IP address points to the same address, 
it is passed in the NAME parameter of the XCLIENT command. If the name could 
not be found, points to a different address, or resolver is not specified, the 
[UNAVAILABLE] is passed in the NAME parameter. If an error has occurred in the 
process of resolving, the [TEMPUNAVAIL] value is used.

        If XCLIENT is disabled then nginx passes the EHLO command with the 
server name when connecting to the backend if the client has passed EHLO, or 
HELO with the server name, otherwise."

IIUC, == off would work for postscreen.  But then, after PASS by postscreen, 
I'd guess that the handoff to Postfix smtpd would be lacking data.

> Both postscreen(8) and smtpd(8) support HaProxy protocol version 1
> (the HaProxy protocol does not require SMTP, so it does not have
> the limitation that is inherent with the use of XCLIENT).

According to

        Proxy protocol support
        https://trac.nginx.org/nginx/ticket/355#comment:10 

nginx DOES 'support' haproxy protocol v1.

I haven't set up the nginx proxy yet to try either use case ...

>> Is there any advantage or disadvantage to putting that LAN-side
>> Postfix instance behind an SMTP proxy, vs keeping it out in front.
>>
> Well, the proxy allows you to pull the plug on a server without
> clients having to connect to multiple IP address to find a working
> server.

Sure, as an advantage.  The way I have it configured now, if I "pull the plug" on 
just the LAN-side postfix server, postfix on the front-end holds for later 
(re)delivery nicely, anyway.

The disadvantage, it appears, is figuring out how to get the nginx proxying 
with haproxy protocol v1 in the first place.

>> And, if I should keep it out front, is there any harm/benefit in
>> having Postfix delivering to the IMAP store through the proxy, vs.
>> directly to it ?
> 
> That may make some sense if you have multiple IMAP servers.

I have just an unsubstantiated gut feel that proxying in front of postfix is 
inviting headache.  I admit I'm waffling.

Proxying the IMAP, CalDAV & CardDAV makes sense -- if only so that nginx can 
handle SSL ClientCert authentication simply for all three.

Postfix' (Any)Cert verification is so seamless anyway, I don't know what it 
buys me.

I'd love to hear from anyone who's actually doing, or done, this, or something 
similar.  Particularly if it all went smoothly, or there were any specific 
deal-breakers.

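The "HaProxy protocol version 1" that Wietse mentions above is a single ASCII line the proxy sends before the client's first SMTP byte, which is why postscreen(8) can consume it where XCLIENT (an SMTP command) does not fit. The following is an added example, not code from this thread, from Postfix or from nginx: it builds the header as a proxy would emit it and parses it as the receiving side must (CRLF within 107 bytes, TCP4/TCP6/UNKNOWN only, address family matching the declared one, ports without leading zeros and at most 65535), then strips it to expose the SMTP stream that follows. The sample addresses and the EHLO line are constructed for the example; the names `build_proxy_v1`, `parse_proxy_v1`, `is_valid_proxy_v1` and `effective_client` are the example's own.

```python
"""PROXY protocol v1 header: build, validate and parse.

This is an added example of the header exchanged between an SMTP proxy and a
Postfix listener running with postscreen_upstream_proxy_protocol = haproxy (or
smtpd_upstream_proxy_protocol = haproxy).  It is not Postfix or nginx code.
Format (one line, at most 107 bytes including the trailing CRLF):
    PROXY TCP4 <src> <dst> <srcport> <dstport>\r\n
    PROXY TCP6 <src> <dst> <srcport> <dstport>\r\n
    PROXY UNKNOWN\r\n
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

MAX_V1_LINE = 107                                 # spec maximum, CRLF included
_PORT_RE = re.compile(rb"^(0|[1-9][0-9]{0,4})$")  # decimal, no leading zeros


@dataclass(frozen=True)
class ProxyV1:
    family: str            # "TCP4", "TCP6" or "UNKNOWN"
    src: Optional[str]     # original client address, None for UNKNOWN
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]


def build_proxy_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Render the line a proxy sends before relaying the client's bytes."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    for p in (sport, dport):
        if not 0 <= p <= 65535:
            raise ValueError("port out of range: %d" % p)
    family = "TCP4" if s.version == 4 else "TCP6"
    return ("PROXY %s %s %s %d %d\r\n" % (family, s, d, sport, dport)).encode("ascii")


def parse_proxy_v1(data: bytes) -> Tuple[ProxyV1, bytes]:
    """Parse the header at the start of a connection and return (header, rest).

    `rest` is the client's own stream (for SMTP, its EHLO/HELO onwards).
    Anything that is not a well-formed v1 line raises ValueError; a listener
    configured for PROXY headers must not fall back to treating the bytes as
    plain SMTP.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("not a PROXY v1 header")
    end = data.find(b"\r\n", 0, MAX_V1_LINE)   # CRLF must lie within 107 bytes
    if end == -1:
        raise ValueError("no CRLF within %d bytes" % MAX_V1_LINE)
    line, rest = data[:end], data[end + 2:]
    fields = line.split(b" ")
    if len(fields) < 2:
        raise ValueError("missing address family")
    family = fields[1]
    if family == b"UNKNOWN":                      # receiver ignores the remainder
        return ProxyV1("UNKNOWN", None, None, None, None), rest
    if family not in (b"TCP4", b"TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 line: %r" % line)
    want = 4 if family == b"TCP4" else 6
    addrs = []
    for raw in fields[2:4]:
        try:
            addr = ipaddress.ip_address(raw.decode("ascii"))
        except (UnicodeDecodeError, ValueError) as exc:
            raise ValueError("bad address %r" % raw) from exc
        if addr.version != want:                  # e.g. IPv6 literal under TCP4
            raise ValueError("address %s does not match %s" % (addr, family.decode()))
        addrs.append(str(addr))
    ports = []
    for raw in fields[4:6]:
        if not _PORT_RE.match(raw) or int(raw) > 65535:
            raise ValueError("bad port %r" % raw)
        ports.append(int(raw))
    return ProxyV1(family.decode(), addrs[0], addrs[1], ports[0], ports[1]), rest


def is_valid_proxy_v1(data: bytes) -> bool:
    """Convenience predicate for the parser's accept/reject decision."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def effective_client(peer_ip: str, hdr: ProxyV1, trusted_proxies: Set[str]) -> str:
    """Example trust rule (not Postfix behaviour): honour the header's source
    address only when the TCP peer is a known proxy, otherwise the peer itself
    is the client.  The header cannot be authenticated, so a listener that
    accepts it must be reachable only from the proxy."""
    if peer_ip in trusted_proxies and hdr.src is not None:
        return hdr.src
    return peer_ip


# Constructed sample: what a proxy on 10.0.0.5 would send for a client at
# 203.0.113.7 reaching the Postfix listener 192.0.2.25:25, followed by the
# client's own first SMTP line.
SAMPLE = build_proxy_v1("203.0.113.7", "192.0.2.25", 51234, 25) + b"EHLO mail.example.net\r\n"

if __name__ == "__main__":
    hdr, smtp = parse_proxy_v1(SAMPLE)
    print(hdr, smtp)
    print("client seen by Postfix:", effective_client("10.0.0.5", hdr, {"10.0.0.5"}))
```

The point of `effective_client` is the caveat that matters when putting postscreen behind a proxy: Postfix applies `postscreen_upstream_proxy_protocol` to every connection on that service, so the trust boundary has to be enforced at the network level (a dedicated port or address reachable only from the proxy), not by the parser.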