> On 15 Jan 2023, at 17:09, Wietse Venema <[email protected]> wrote:
>
> In that case, use two SMTP services, one that is proxied and one
> that is not.

Yes, in the meantime I had gathered that that was the obvious solution (should
have realised that earlier).

So, I added this in master.cf:

smtp       inet  n       -       n       -       1       postscreen
991        inet  n       -       n       -       1       postscreen
  -o postscreen_upstream_proxy_protocol=haproxy
smtpd      pass  -       -       n       -       -       smtpd
  -o syslog_name=smtp
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o syslog_name=submission
990        inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o syslog_name=submission
  -o smtpd_upstream_proxy_protocol=haproxy

This way, I can connect to postscreen on port 25 without proxy and on port 991
via the proxy.

HAproxy config snippet:

# Backend: mail.rna.nl.991 (postfix haproxy postscreen pool)
backend mail.rna.nl.991
    option log-health-checks
    # health check: port991-health-monitor
    mode tcp
    balance roundrobin
    # tuning options
    timeout connect 5s
    timeout check 5s
    timeout server 5s
    server snape-991 192.168.2.125:991 check inter 30s port 991 send-proxy

The only minor thing left is that postscreen keeps logging the health check
attempts as such:

    Jan 15 17:20:09 snape postfix/postscreen[277]: warning: haproxy read: EOF

Is there something I can do about that?

G
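
Added example (not part of the original message, and not Postfix or HAProxy code): a minimal Python reader for a PROXY protocol v1 line, showing how a listener that expects the header sees a peer that connects and closes without sending one, which is assumed here to be the condition behind the "haproxy read: EOF" warning. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket

MAX_V1_LINE = 107  # longest v1 header, CRLF included, per the PROXY protocol spec


def read_proxy_v1(conn):
    """Return ('ok', info), ('eof', None) or ('bad', reason) for one connection."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        if len(buf) >= MAX_V1_LINE:
            return ("bad", "header too long")
        chunk = conn.recv(1)  # byte-wise so nothing after the header is consumed
        if not chunk:
            return ("eof", None)  # peer closed before a complete header arrived
        buf += chunk
    parts = buf[:-2].decode("ascii", "replace").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        return ("bad", "not a PROXY v1 line")
    if parts[1] == "UNKNOWN":
        return ("ok", {"proto": "UNKNOWN"})
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        return ("bad", "unsupported protocol or field count")
    try:
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
        sport, dport = int(parts[4]), int(parts[5])
    except ValueError:
        return ("bad", "unparsable address or port")
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        return ("bad", "address family mismatch")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return ("bad", "port out of range")
    return ("ok", {"proto": parts[1], "src": str(src), "sport": sport,
                   "dst": str(dst), "dport": dport})


def simulate(payload):
    """Send payload from a client that then closes; return what the reader sees."""
    client, server = socket.socketpair()
    try:
        if payload:
            client.sendall(payload)
        client.close()
        return read_proxy_v1(server)
    finally:
        server.close()
```

simulate(b"") models a bare connect-and-close probe, and simulate() with a constructed "PROXY TCP4 ..." line models a proxied client.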