Hello Viktor,
thanks for looking into it.
I do have inet_protocols=ipv4 in main.cf, everything else should support ipv6
as mailcow in general does support ipv6, but due my NAT setup I decided not to
support ipv6 so far, and also I don´t believe ipv4 will go away soon for smtp
in general. Moving to proxy protocol would allow me to support ipv6 inbound
(relevant for submission if at all), but for sure I will not change my internal
network to ipv6.
Nevertheless, I really don´t see any dependencies here that cannot be resolved.
Parsing is text processing and data structures, not relying on kernel support
or settings. DNS reverse lookups of ipv6 addresses can be done via ipv4. If you
want to support smooth transitions, please do away with exceptions like this
one.
And at the minimum I think it is important to have this transparent for anyone
falling into the same trap. Took me some time to come up with an idea what´s
going wrong.
Thanks,
Joachim
-----Ursprüngliche Nachricht-----
Von: owner-postfix-us...@postfix.org <> Im Auftrag von Viktor Dukhovni
Gesendet: Mittwoch, 3. August 2022 17:04
An: postfix-users@postfix.org
Betreff: Re: postfix/postscreen with proxy protocol?
On Wed, Aug 03, 2022 at 03:11:33PM +0200, Joachim Lindenberg wrote:
> I reconfigured one of my VPS to use the proxy protocol instead of NAT
> to forward external traffic to my postfix (postscreen). I have set up
> nginx to forward the TCP stream to port 10025 using proxy_protocol v1
> (afaik v2 is not yet supported by nginx), and when connecting I am
> getting back the response “421 4.3.2 No system resources” and the log
> message
>
> haproxy/postscreen[903]: warning: haproxy read: unsupported protocol type:
> PROXY TCP6 2a00:f48:1003:3489::1 2a03:4000:6:1487:83b:12ff:fe79:c546 52700
> 25\r\n.
This happens when either:
- AF_INET6 is not defined in your system headers
- Your kernel has no IPv6 support
- Your "inet_protocols" parameter setting does not include "ipv6"
Most likely you have "inet_protocols = ipv4", which is not sufficient to handle
proxied IPv6 connections.
> Then in
> https://github.com/vdukhovni/postfix/blob/7240584ca17cdc3ea313bb72180e
> e265f01eb2b1/postfix/src/global/haproxy_srvr.c
> it looks like tcp6 support is compiled conditionally.
Only to the extent of requiring the system headers to define "AF_INET6", which
should not be an issue on any non-ancient system.
> My understanding is, that the proxied protocol is entirely independent
> of the protocols available locally.
Postfix still needs to be able to parse the address, attempt to resolve it to a
hostname, ...
--
Viktor.
