> On 28 Jan 2023, at 14:53, Wietse Venema <[email protected]> wrote:
>
> Gerben Wierda:
>>> A proper health check verifies that a service actually responds.
>>
>> True.
>>
>>> You can find more with "haproxy health check script". For example,
>>> Postfix should reply with a "220" status within 5 seconds.
>>
>> Thanks, I have been looking at how to set this up, but so far no
>> luck with the search engines...
>
> HaProxy appears to have an smtpchk feature. Maybe it has been fixed
> to work with postscreen's unusual but legitimate 220- greeting.
>
> Wietse
With a bit of searching, finding the proxy protocol description, I've been
able to create this in HAProxy. Example for haproxy-aware postscreen listening
on port 991:
# Backend: mail.991 (postfix haproxy postscreen pool)
backend mail.991
    option log-health-checks
    # health check: port991-health-monitor
    option tcp-check
    tcp-check send "PROXY TCP4 192.168.2.2 192.168.2.2 65535 25\r\nQUIT\r\n"
    tcp-check expect rstring ^220
    mode tcp
    balance roundrobin
    # tuning options
    timeout connect 30s
    timeout check 10s
    timeout server 30s
    server foo-991 192.168.2.100:991 check inter 300s port 991 send-proxy
    server bar-991 192.168.2.101:991 check inter 300s port 991 send-proxy
This works for both postscreen and smtpd.
But the logging is of course still there:
Jan 28 15:20:31 snape submission/smtpd[19492]: connect from router.rna.nl[192.168.2.2]
Jan 28 15:20:31 snape submission/smtpd[19492]: disconnect from router.rna.nl[192.168.2.2] commands=0/0
I have to program HAProxy via a GUI (which overwrites the config), and this
does not accept a true multiline answer/response. Which means that if I do the
above trick with postscreen I probably get PREGREET if the haproxy machine is
not already whitelisted. I wonder what happens if there is no whitelist yet.
Log now shows for every health check on my haproxy-enabled-postscreen (port
991):
Jan 28 16:30:11 albus postfix/postscreen[4830]: CONNECT from [192.168.2.2]:65535 to [192.168.2.2]:25
Jan 28 16:30:11 albus postfix/postscreen[4830]: WHITELISTED [192.168.2.2]:65535
Jan 28 16:30:11 albus smtp/smtpd[4833]: connect from router.rna.nl[192.168.2.2]
Jan 28 16:30:12 albus smtp/smtpd[4833]: disconnect from router.rna.nl[192.168.2.2] quit=1 commands=1
and likewise, the haproxy-enabled-submission (port 990) check shows:
Jan 28 15:32:43 snape submission/smtpd[19528]: connect from router.rna.nl[192.168.2.2]
Jan 28 15:32:43 snape submission/smtpd[19528]: disconnect from router.rna.nl[192.168.2.2] quit=1 commands=1
Hmm. So now I've got decent health checks for postfix (dovecot is next). But
still all that unnecessary logging... :-)
I'd still like a simple health check for postfix that isn't logged on postfix's
end at all.
G
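Added example (not the poster's configuration, and not Postfix or HAProxy code): a small Python model of the probe the tcp-check above performs, run against a constructed, deliberately simplified stand-in for a postscreen listener. It sends the same PROXY protocol v1 line followed by QUIT in one write, exactly as the posted `tcp-check send` does, and applies the same `^220` verdict; a second mode waits for the complete two-line greeting before sending QUIT. The fake server expects the PROXY line, sends the "220-" / "220 " greeting with a short pause between the lines, records PREGREET if anything arrives during that pause, and skips the test for a "whitelisted" client. The hostname `albus.example`, the shortened greet wait, and the log wording are made up to resemble the thread; they are not real postscreen output.

```python
"""Model of an HAProxy-style SMTP health check against a postscreen-like
listener.  Added example; the server is a constructed, simplified stand-in
for postscreen, not Postfix code."""
import socket
import threading

PROXY_LINE = b"PROXY TCP4 192.168.2.2 192.168.2.2 65535 25\r\n"  # as in the tcp-check
GREET_WAIT = 0.3  # pause between "220-" and "220 "; real postscreen defaults to 6s


def recv_line(conn, buf=b""):
    """Read until one CRLF-terminated line is buffered; return (line, remainder)."""
    while b"\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:  # peer closed; return whatever partial data we have
            break
        buf += chunk
    line, _, rest = buf.partition(b"\r\n")
    return line, rest


def fake_postscreen(srv, log, whitelisted):
    """Serve exactly one connection roughly the way postscreen would."""
    conn, _ = srv.accept()
    with conn:
        conn.settimeout(2.0)
        proxy, rest = recv_line(conn)  # 'rest' holds anything sent after the PROXY line
        fields = proxy.decode(errors="replace").split()
        if len(fields) != 6 or fields[0] != "PROXY":
            log.append("bad PROXY header")
            return
        _, _, src, dst, sport, dport = fields
        log.append(f"CONNECT from [{src}]:{sport} to [{dst}]:{dport}")
        if whitelisted:
            log.append(f"WHITELISTED [{src}]:{sport}")  # straight through to smtpd
        else:
            # pregreet test: first greeting line, then a pause in which a
            # well-behaved client must stay silent
            conn.sendall(b"220-albus.example ESMTP Postfix\r\n")
            conn.settimeout(GREET_WAIT)
            try:
                rest += conn.recv(4096)
            except socket.timeout:
                pass
            conn.settimeout(2.0)
            if rest.strip():
                log.append(f"PREGREET from [{src}]:{sport}: {rest.strip()!r}")
                conn.sendall(b"550 5.5.1 Protocol error\r\n")
                return
        conn.sendall(b"220 albus.example ESMTP Postfix\r\n")
        cmd, _ = recv_line(conn, rest)
        if cmd.strip().upper() == b"QUIT":
            log.append(f"disconnect from [{src}] quit=1 commands=1")
            try:
                conn.sendall(b"221 2.0.0 Bye\r\n")
            except OSError:
                pass  # probe may already have hung up


def read_reply(sock):
    """Read one complete SMTP reply: 'NNN-' lines continue it, 'NNN ' ends it."""
    lines, buf = [], b""
    while True:
        line, buf = recv_line(sock, buf)
        if not line:
            break
        lines.append(line.decode(errors="replace"))
        if len(line) >= 4 and line[3:4] == b" ":
            break
    return lines


def smtp_health_check(host, port, wait_for_greeting):
    """Probe like the backend above and return (healthy, reply_lines).

    wait_for_greeting=False sends PROXY and QUIT in a single write, which is
    what the posted tcp-check does; True reads the whole greeting first."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        if wait_for_greeting:
            s.sendall(PROXY_LINE)
            greeting = read_reply(s)
            s.sendall(b"QUIT\r\n")
            read_reply(s)  # 221 Bye; not part of the verdict
        else:
            s.sendall(PROXY_LINE + b"QUIT\r\n")
            greeting = read_reply(s)
    # 'tcp-check expect rstring ^220' only looks at the start of the reply
    healthy = bool(greeting) and greeting[0].startswith("220")
    return healthy, greeting


def run_probe(whitelisted, wait_for_greeting):
    """Start one fake listener on loopback, probe it, return (healthy, reply, log)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    log = []
    t = threading.Thread(target=fake_postscreen, args=(srv, log, whitelisted))
    t.start()
    try:
        healthy, reply = smtp_health_check("127.0.0.1", srv.getsockname()[1], wait_for_greeting)
    finally:
        t.join()
        srv.close()
    return healthy, reply, log


if __name__ == "__main__":
    for wl, wait in [(True, False), (False, False), (False, True)]:
        healthy, reply, log = run_probe(wl, wait)
        print(f"whitelisted={wl} wait_for_greeting={wait} healthy={healthy}")
        print("  reply:", reply)
        print("  log:  ", log)
```

The three runs show the point raised above: against the whitelisted listener the one-write probe passes cleanly; against a non-whitelisted one the same probe still satisfies `^220` (the first line is "220-") while the server side records PREGREET; only the probe that waits for the final "220 " line before sending QUIT is clean in both cases.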