Hi,

On 01/24/2017 04:39 PM, Wietse Venema wrote:
> I understand that nginx uses the XCLIENT protocol to send client
> IP address information to Postfix. This is supported in smtpd(8)
> but not in postscreen(8), because XCLIENT requires SMTP, and
> postscreen(8) normally does not receive SMTP input from clients.

According to http://nginx.org/en/docs/mail/ngx_mail_proxy_module.html#xclient nginx's XCLIENT can be toggled on/off, where

"If XCLIENT is enabled then nginx passes the following commands when connecting to the backend:
- EHLO with the server name
- XCLIENT
- EHLO or HELO, as passed by the client

If the name found by the client IP address points to the same address, it is passed in the NAME parameter of the XCLIENT command. If the name could not be found, points to a different address, or resolver is not specified, the [UNAVAILABLE] is passed in the NAME parameter. If an error has occurred in the process of resolving, the [TEMPUNAVAIL] value is used.

If XCLIENT is disabled then nginx passes the EHLO command with the server name when connecting to the backend if the client has passed EHLO, or HELO with the server name, otherwise."

IIUC, == off would work for postscreen. But then, after PASS by postscreen, I'd guess that the handoff to Postfix smtpd would be lacking data.

> Both postscreen(8) and smtpd(8) support HaProxy protocol version 1
> (the HaProxy protocol does not require SMTP, so it does not have
> the limitation that is inherent with the use of XCLIENT).

According to "Proxy protocol support" https://trac.nginx.org/nginx/ticket/355#comment:10 nginx DOES 'support' haproxy protocol v1.

I haven't set up the nginx proxy yet to try either use case ...

>> Is there any advantage or disadvantage to putting that LAN-side
>> Postfix instance behind an SMTP proxy, vs keeping it out in front.
>>
> Well, the proxy allows you to pull the plug on a server without
> clients having to connect to multiple IP addresses to find a working
> server.

Sure, as an advantage. The way I've got it configured now, if I "pull the plug" on just the LAN-side postfix server, postfix on the front-end holds for later (re)delivery nicely, anyway.

The disadvantage, it appears, is figuring out how to get the nginx proxying with haproxy protocol v1 in the first place.

>> And, if I should keep it out front, is there any harm/benefit in
>> having Postfix delivering to the IMAP store through the proxy, vs.
>> directly to it ?
>
> That may make some sense if you have multiple IMAP servers.

I have just an unsubstantiated gut feel that proxying in front of postfix is inviting headache. I admit I'm waffling.

Proxying the IMAP, CalDAV & CardDAV makes sense -- if only so that nginx can handle SSL ClientCert authentication simply for all three. Postfix's (Any)Cert verification is so seamless anyway, I don't know what it buys me.

I'd love to hear from anyone who's actually doing, or done, this, or something similar. Particularly if it all went smoothly, or there were any specific deal-breakers.
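As an added illustration (not part of this thread, and not Postfix or nginx code), the following Python script builds and parses the two ways a proxy can hand the real client address to Postfix that the thread contrasts: the XCLIENT SMTP command, carrying the NAME values nginx uses as quoted above, and the HAProxy PROXY protocol v1 header, which is a single text line sent before any SMTP traffic and so needs no SMTP conversation (it is what Postfix's postscreen_upstream_proxy_protocol = haproxy and smtpd_upstream_proxy_protocol = haproxy settings consume). The XCLIENT attribute names ADDR and NAME and the IPV6: prefix follow Postfix's XCLIENT documentation; the PROXY line format and its 107-byte limit follow the HAProxy protocol specification. All addresses, ports and hostnames below are constructed sample values.

```python
"""Build and validate PROXY protocol v1 headers and XCLIENT commands.

Added example; not taken from the mailing-list thread or from Postfix/nginx.
PROXY v1 (HAProxy spec): "PROXY TCP4 <src> <dst> <sport> <dport>\r\n",
at most 107 bytes, sent before any application data -- no SMTP needed.
XCLIENT (Postfix docs): an SMTP command, "XCLIENT ADDR=<ip> NAME=<name>",
so the receiver must be speaking SMTP (smtpd(8), not postscreen(8)).
"""
import ipaddress
import re
from typing import Optional

PROXY_V1_MAX_LEN = 107
_PROXY_RE = re.compile(r"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n$")


def build_proxy_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Return the PROXY v1 header a proxy would send for this connection."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != dst_ip.version:
        raise ValueError("source and destination address families differ")
    for port in (sport, dport):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    family = "TCP4" if src_ip.version == 4 else "TCP6"
    line = f"PROXY {family} {src_ip} {dst_ip} {sport} {dport}\r\n".encode("ascii")
    if len(line) > PROXY_V1_MAX_LEN:
        raise ValueError("PROXY v1 header exceeds 107 bytes")
    return line


def parse_proxy_v1(header: bytes) -> dict:
    """Validate a received PROXY v1 header the way a strict receiver should.

    Rejects over-long, non-ASCII or malformed headers, addresses that do not
    match the declared family, and out-of-range ports. "PROXY UNKNOWN" is
    legal and carries no address information.
    """
    if len(header) > PROXY_V1_MAX_LEN:
        raise ValueError("PROXY v1 header longer than 107 bytes")
    m = _PROXY_RE.match(header.decode("ascii"))  # UnicodeDecodeError is a ValueError
    if not m:
        raise ValueError("not a well-formed PROXY v1 header")
    family, src, dst, sport, dport = m.groups()
    if family == "UNKNOWN":
        return {"family": "UNKNOWN"}
    if src is None:
        raise ValueError("TCP4/TCP6 header must carry addresses and ports")
    want = 4 if family == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match declared protocol")
    sport_i, dport_i = int(sport), int(dport)
    for port in (sport_i, dport_i):
        if port > 65535:
            raise ValueError(f"port out of range: {port}")
    return {"family": family, "src": str(src_ip), "dst": str(dst_ip),
            "sport": sport_i, "dport": dport_i}


def build_xclient(addr: str, name: Optional[str], resolver_error: bool = False) -> str:
    """Return the XCLIENT command with NAME filled in as nginx's docs describe.

    name      -- the forward-confirmed reverse DNS name, or None if not found,
                 mismatched, or no resolver is configured ([UNAVAILABLE])
    resolver_error -- True when resolution failed transiently ([TEMPUNAVAIL])
    """
    ip = ipaddress.ip_address(addr)
    addr_param = f"IPV6:{ip}" if ip.version == 6 else str(ip)  # Postfix XCLIENT convention
    if name:
        name_param = name
    elif resolver_error:
        name_param = "[TEMPUNAVAIL]"
    else:
        name_param = "[UNAVAILABLE]"
    return f"XCLIENT ADDR={addr_param} NAME={name_param}"


if __name__ == "__main__":
    # Constructed sample connection: client 192.0.2.10 reaching the proxy's 198.51.100.25:25
    hdr = build_proxy_v1("192.0.2.10", "198.51.100.25", 54321, 25)
    print(hdr)                       # what postscreen(8) would read before any SMTP banner
    print(parse_proxy_v1(hdr))
    print(build_xclient("192.0.2.10", None))                      # rDNS missing/mismatch
    print(build_xclient("2001:db8::1", "mail.example.net"))       # FCrDNS succeeded
```

The point the two builders make concrete is the one in Wietse's reply: the PROXY line is self-contained and arrives before the SMTP session starts, so a pre-SMTP filter can use it, whereas XCLIENT is itself an SMTP command and only a full SMTP server can accept it. The strict parser also shows what a receiver should refuse rather than guess at (bad family, oversize header, non-numeric ports), since the header is trusted to override the peer address.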