Thank you for your answer.

HAProxy is on the same machine. As you see in the bindings I shared that
are created by docker-compose, Docker-exposed ports are only allowed to
connect to localhost (127.0.0.1), which is why HAProxy can connect to it.
I gather that as long as HAProxy doesn't propagate its own view of the
network, then Postfix in a Docker container within a docker-compose
subnet will only see the internal subnet of the containers around it and
will never see anything from the outside as mynetworks. Meaning, I have
nothing to worry about. I hope I got this right.

Cheers,
Sam

On 14/12/2022 8:44 PM, Wietse Venema wrote:
On 14/12/2022 3:18 PM, Wietse Venema wrote:
mynetworks_style applies to local interface addresses, not proxied
ones.

Sam:
Thank you for the response.
One of the reasons for me asking this question is that I'm not fully
sure about the consequences of that.

If a future version of HAProxy propagates interface netmasks, then
we can revisit that in Postfix. Before that happens, Postfix does
not know remote subnet information.

Another one is that the documentation of Postfix specifies that
this can be dangerous if connected to a wide-area network, which
quite frankly I'm not sure about given the setup I described, given
that the proxy gives that kind of exposure. I would appreciate
your insight into whether I'm doing something wrong with the
decisions I made.

Depending on where Postfix is deployed, the subnet of a local WAN
interface may include IP addresses of other customers of the network
provider. This is why it is not safe to include those IP addresses
by default in the mynetworks setting.

Wietse
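
The two points in this thread, as an added sketch that is not part of the original messages and not Postfix's own code: the trusted networks are derived from local interface addresses only, and a WAN interface pulls its whole subnet into that list. The interface and client addresses are constructed samples, and the derivation is a simplified model of the `subnet` and `host` values of `mynetworks_style`.

```python
import ipaddress

# Constructed sample data: interfaces a container on a compose network
# might have, and a host that also has a WAN interface (assumptions).
CONTAINER_IFACES = ["127.0.0.1/8", "172.18.0.5/16"]
WAN_IFACES = CONTAINER_IFACES + ["198.51.100.23/24"]


def derive_mynetworks(interfaces, style="subnet"):
    """Model the trusted networks derived from LOCAL interface addresses.

    style="subnet": every address in each local interface's subnet.
    style="host":   only the local interface addresses themselves.
    Nothing a proxy reports about remote networks is consulted.
    """
    nets = []
    for cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        if style == "subnet":
            net = iface.network
        elif style == "host":
            net = ipaddress.ip_network(iface.ip)  # /32 or /128
        else:
            raise ValueError(f"unsupported style in this sketch: {style}")
        if net not in nets:
            nets.append(net)
    return nets


def is_trusted(client, nets):
    """True if the client address falls inside any trusted network."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    container_nets = derive_mynetworks(CONTAINER_IFACES)
    print("container mynetworks:", [str(n) for n in container_nets])
    # Proxied Internet client: outside every local subnet.
    print("203.0.113.7  ->", is_trusted("203.0.113.7", container_nets))
    # Neighbouring container on the compose subnet: trusted.
    print("172.18.0.9   ->", is_trusted("172.18.0.9", container_nets))
    # Another customer on the provider's WAN subnet: trusted under "subnet".
    wan_nets = derive_mynetworks(WAN_IFACES)
    print("198.51.100.77 ->", is_trusted("198.51.100.77", wan_nets))
```

Running `postconf mynetworks` inside the container shows the value the server is really using, which can be compared against the model above.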