Hi,
On 01/24/2017 04:39 PM, Wietse Venema wrote:
> I understand that nginx uses the XCLIENT protocol to send client
> IP address information to Postfix. This is supported in smtpd(8)
> but it not in postscreen(8), because XCLIENT requires SMTP, and
> postscreen(8) normally does not receive SMTP input from clients.
According to
http://nginx.org/en/docs/mail/ngx_mail_proxy_module.html#xclient
nginx's XCLIENT can be toggled on/off, where
"If XCLIENT is enabled then nginx passes the following commands when
connecting to the backend:
EHLO with the server name
XCLIENT
EHLO or HELO, as passed by the client
If the name found by the client IP address points to the same address,
it is passed in the NAME parameter of the XCLIENT command. If the name could
not be found, points to a different address, or resolver is not specified, the
[UNAVAILABLE] is passed in the NAME parameter. If an error has occurred in the
process of resolving, the [TEMPUNAVAIL] value is used.
If XCLIENT is disabled then nginx passes the EHLO command with the
server name when connecting to the backend if the client has passed EHLO, or
HELO with the server name, otherwise."
IIUC, == off would work for postscreen. But then, after PASS by postscreen,
I'd guess that the handoff to Postfix smtpd would be lacking data.
> Both postscreen(8) and smtpd(8) support HaProxy protocol version 1
> (the HaProxy protocol does not require SMTP, so it does not have
> the limitation that is inherent with the use of XCLIENT).
According to "Proxy protocol support", https://trac.nginx.org/nginx/ticket/355#comment:10,
nginx DOES 'support' haproxy protocol v1.
I haven't set up the nginx proxy yet to try either use case ...
>> Is there any advantage or disadvantage to putting that LAN-side
>> Postfix instance behind an SMTP proxy, vs keeping it out in front.
>>
> Well, the proxy allows you to pull the plug on a server without
> clients having to connect to multiple IP address to find a working
> server.
Sure, as an advantage. The way I have it configured now, if I "pull the plug" on
just the LAN-side postfix server, postfix on the front-end holds for later
(re)delivery nicely, anyway.
The disadvantage, it appears, is figuring out how to get the nginx proxying
with haproxy protocol v1 in the first place.
>> And, if I should keep it out front, is there any harm/benefit in
>> having Postfix delivering to the IMAP store through the proxy, vs.
>> directly to it ?
>
> That may make some sense if you have multiple IMAP servers.
I have just an unsubstantiated gut feel that proxying in front of postfix is
inviting headache. I admit I'm waffling.
Proxying the IMAP, CalDAV & CardDAV makes sense -- if only so that nginx can
handle SSL ClientCert authentication simply for all three.
Postfix' (Any)Cert verification is so seamless anyway, I don't know what it
buys me.
I'd love to hear from anyone who's actually doing, or done, this, or something
similar. Particularly if it all went smoothly, or there were any specific
deal-breakers.
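To make the XCLIENT-vs-PROXY-protocol point in the thread concrete, here is an added example (not from the thread, nginx or Postfix): it renders and strictly validates the single PROXY v1 line a front-end proxy sends before any SMTP, which is what postscreen(8) can consume, and contrasts it with the three SMTP commands the quoted nginx docs describe for XCLIENT. The XCLIENT line is simplified to Postfix's ADDR and NAME attributes; the exact attribute list nginx emits is not on this page, and all addresses and host names are constructed sample values.

```python
"""Constructed example (not nginx or Postfix code): the one PROXY v1 line a
front-end proxy sends before any SMTP, which is what postscreen(8) can read,
next to the SMTP command sequence XCLIENT needs (hence smtpd(8) only)."""
import ipaddress

MAX_V1_LEN = 107  # PROXY v1 spec: header including CRLF never exceeds 107 bytes

def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Render the PROXY v1 header the proxy writes first on the connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    family = "TCP4" if src.version == 4 else "TCP6"
    line = f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n"
    if len(line) > MAX_V1_LEN:
        raise ValueError("header too long")
    return line.encode("ascii")

def parse_proxy_v1(data):
    """Strictly validate a received PROXY v1 header; return (fields, rest).
    The client IP accepted here is what postscreen/smtpd policy is applied
    to, so the receiving listener must only be reachable from the proxy."""
    head, sep, rest = data.partition(b"\r\n")
    if not sep or len(head) + 2 > MAX_V1_LEN:
        raise ValueError("missing CRLF or oversized header")
    parts = head.decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    if parts[1] == "UNKNOWN":  # proxy could not learn the client address
        return {"family": "UNKNOWN"}, rest
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad family or field count")
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if src.version != want or dst.version != want:
        raise ValueError("address does not match declared family")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"family": parts[1], "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}, rest

def xclient_sequence(proxy_name, client_ip, client_name, client_helo):
    """Commands nginx sends with xclient on (per the quoted docs): its own
    EHLO, XCLIENT carrying the client's address and name, then the HELO/EHLO
    the client gave. Three SMTP commands, which postscreen never processes."""
    return [f"EHLO {proxy_name}",
            f"XCLIENT ADDR={client_ip} NAME={client_name}",
            client_helo]
```

Because a listener configured for the PROXY header trusts whatever client address the header carries, only the proxy should be able to reach it; a malformed or missing header is rejected rather than guessed.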