It's practically not possible to support both with and without haproxy
within postfix within one connection. The reason is that postfix
receives plain bytes with the TCP protocol. The interpretation of these
bytes can only be done by defining the protocol underneath. When you set
the protocol to use the haproxy proxy protocol, you basically tell
postfix to expect a binary header of a specific format (defined by
haproxy), which contains the source information and other things. I
guess this is why your proposition is kind of silly, in a way, because
it's kind of impossible to do with a modern protocol (proxy protocol)
combined with a protocol that has been there for like 40 years (smtp
protocol). Though I understand why you'd misunderstand it under "wishful
thinking". It would be nice.

Now with regards to your problem, the solution is easy. First, let's
establish that you using haproxy on the postfix interface basically
means that port 25 isn't usable anymore. The protocol is all different.
No MTA will be able to talk to this port. So, first step: don't use port
25 directly. Online you'll find examples using port 10024. Up to you.

Now, your email server has port 10024 used for haproxy, for connections
coming from server online (and I assume you're doing this because you
want to maintain some SPF and MX record correctness on some public
server you're proxying through). But then the solution writes itself:
connections coming from the "outside" should go to port 10024 (or
whatever you choose) on your local server through haproxy to be
"deproxied", per se. On the other hand, you get postfix to bind to port
25 normally. So postfix now maintains two ports for MTAs: 25 for the
smtpd service, and 10024 for postscreen, which will handle the proxy for
you. To have extra assurance, I think you can set client_restrictions on
port 25 to accept connections only from your local subnet, so that no one
can reach it from the outside no matter what. Not sure how to do that; I
guess the postfix experts here can suggest a better way. Though this is an
extra precaution that most likely isn't necessary, since your router's
NAT/firewall will protect against connections to port 25 from the outside,
but being paranoid, you can restrict it at the postfix level too. Up to you.

Best regards,
Sam
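The two-port layout Sam describes, written out as an added configuration example (not taken from the thread or from the Postfix documentation verbatim). It assumes Postfix with postscreen, port 10024 as in the thread, a constructed LAN range of 192.168.1.0/24, and a constructed mail server address of 192.0.2.10 for the haproxy backend; the smtpd_client_restrictions line is one way to implement the "LAN only on port 25" precaution Sam was unsure about.

```conf
# /etc/postfix/master.cf (relevant entries only)

# Port 25: plain SMTP for LAN clients, no PROXY header expected here.
# permit_mynetworks followed by reject turns away any client outside
# mynetworks; with the default smtpd_delay_reject=yes the rejection
# is issued at RCPT TO rather than at connect time.
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject

# Port 10024: only haproxy talks to this port. postscreen consumes the
# PROXY protocol header (so the real client IP is used for its checks
# and for logging) and hands the connection to the smtpd "pass" service.
# postscreen must run with maxproc 1. Setting the proxy protocol with
# -o on this service only, not in main.cf, keeps port 25 unaffected.
10024     inet  n       -       n       -       1       postscreen
  -o postscreen_upstream_proxy_protocol=haproxy
smtpd     pass  -       -       n       -       -       smtpd

# /etc/postfix/main.cf
# LAN clients allowed to use port 25 directly (constructed range).
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24

# haproxy on the public host: accept SMTP on 25, relay to 10024 in TCP
# mode and prepend the PROXY header with send-proxy. Without send-proxy,
# postscreen on 10024 would time out waiting for the header.
frontend smtp_in
    bind *:25
    mode tcp
    default_backend postfix_proxied

backend postfix_proxied
    mode tcp
    server mail 192.0.2.10:10024 send-proxy
```

Check the result with `postconf -Mf` (master.cf entries) and by watching the postscreen log lines for a proxied connection, which should show the original client address rather than the haproxy host's.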
On 15/01/2023 6:59 PM, Gerben Wierda wrote:
On 15 Jan 2023, at 15:47, Wietse Venema <wie...@porcupine.org> wrote:
"The name of the proxy protocol used by a before-postscreen proxy agent."
That still doesn't tell you what the effect is of entering a value for
that setting while the traffic is not coming from a proxy. Normally,
when you enter config data for something you do not use, it is
harmless. Basically, here, by setting the name, you are also
turning it on. That is for me at least intuitively a side-effect.

Basically, I am looking for a setup where I can have postfix work when
part of the traffic (from the internet) is coming via a proxy whereas
local (LAN) traffic isn't. Probably not an option, I guess, but it
would make life a lot easier in my current situation.
G