Emmanuel:
>Nginx is mainly a buffering HTTP proxy/reverse proxy and/or a HTTP TLS
>termination endpoint or raw N to 1 TCP proxy. ...
Nginx can also act very well as a mere TCP proxy with proxy protocol. I am not
terminating TLS on my VPS except for public websites served directly by t
On 21/12/2023 at 10:03, Joachim Lindenberg via Postfix-users wrote:
Emmanuel,
please read the thread
https://www.mail-archive.com/postfix-users@postfix.org/msg100852.html from the
beginning. SOCKS5 was already considered as an alternative to proxy protocol.
If you want to bash nginx then
Emmanuel,
please read the thread
https://www.mail-archive.com/postfix-users@postfix.org/msg100852.html from the
beginning. SOCKS5 was already considered as an alternative to proxy protocol.
If you want to bash nginx then please provide some substance. I am running
multiple instances of web
me tool could apply as is in another protocol proxying scenario.
HTTP is/support stateless end to end synchronous operations.
SMTP is a stateful protocol oriented for asynchronous end to end
operations.
What you want is a pure dedicated TCP proxy protocol. It is the only
viable solution fo
sed NAT in both directions in- and
> outbound, but I switched to use proxy protocol inbound as I am in fact now
> using two VPS in parallel. Outbound I am still stuck with NAT, and thus
> limited to use IPv4. I looked at several NAT6 variants and also NDP proxy,
> and all look both
On 20/12/2023 at 20:53, Joachim Lindenberg via Postfix-users wrote:
Wietse:
Obviously, nginx will not know the Postfix SMTP client protocol stage, and the
nginx settings will have to match the largest
Postfix timeouts to avoid persistent mail delivery problems with some sites.
Settings optima
Wietse:
>Obviously, nginx will not know the Postfix SMTP client protocol stage, and the
>nginx settings will have to match the largest
>Postfix timeouts to avoid persistent mail delivery problems with some sites.
>Settings optimal for Postfix may conflict with 'web' proxy usage.
There is no need
> to have a fixed ip with rDNS working.
>
> Wietse, can you please share use cases you have in mind besides
> the one I provided? I could try to do some testing.
The proxy protocol contains a protocol header, IP protocol version,
source address and port, destination address and port. Exce
>A Postfix implementation will have to work for other use cases, too. It would
>be good to know how nginx in forward proxy mode handles or ignores client
>address and port info, now and in the foreseeable future.
I double checked documentation at
https://nginx.org/en/docs/stream/ngx_stream_prox
Wietse Venema via Postfix-users wrote in
<4svjy117ywzj...@spike.porcupine.org>:
...
|I expect that a SOCKS5 client would not use much code, compared to
|the code that was needed with HaProxy.
Gaetan Bisson (former ArchLinux, a very smart math professor
Tahiti) has written a small LD_PRELOAD SO
Wietse
> This means that nginx ignores the source port in the proxy protocol.
> Is that documented somewhere?
Joachim Lindenberg:
> It does not ignore it, the variable exists. My configuration doesn't
> use it for outbound, as plenty of ports are in use, and dynamic
> is
>This means that nginx ignores the source port in the proxy protocol.
>Is that documented somewhere?
It does not ignore it, the variable exists. My configuration doesn't use it for
outbound, as plenty of ports are in use, and dynamic is ok for the use case.
Does postfix have a dependency
mily in same format) of one of my VPS, and nginx chooses a dynamic
> source port.
This means that nginx ignores the source port in the proxy protocol.
Is that documented somewhere?
Does nginx also ignore the source IP address in the proxy protocol?
Is that documented somewhere?
How does the c
>Is there a technical spec of that protocol? Does it look in any way like
>HaProxy protocol version 1 or 2? What are the source IP address and port?
https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#:~:text=Enables%20the%20PROXY%20protocol
links to the expected suspect (HaProxy)...
II
.200.1:12345 proxy_protocol;
> proxy_bind [$proxy_protocol_addr];
> proxy_pass [$proxy_protocol_server_addr]:$proxy_protocol_server_port;
> proxy_protocol off;
> }
> }
>
> Which essentially takes any TCP6 local client address and connects
> to
ddr];
proxy_pass [$proxy_protocol_server_addr]:$proxy_protocol_server_port;
proxy_protocol off;
}
}
Which essentially takes any TCP6 local client address and connects to any
server address, both part of the proxy protocol string/header, and both can be
"::", which eliminate
Joachim Lindenberg via Postfix-users:
> I'd like to challenge that. (HA) Proxy protocol essentially implies
> to connect to another configured address and then prepend a string
> with connection info to the TCP stream.
Indeed. The (HA) proxy accepts a connection from an arbit
Hello Wietse,
maybe I should tell I am using nginx for all my inbound proxy protocol needs
(HA is via multiple addresses in DNS), and my email test service uses proxy
protocol outbound as well. Before I picked proxy protocol for that use case I
checked SOCKS or HTTP proxies but perceived the
Wietse:
> inside Postfix -reverse haproxy-> remote MTAs in the Internet
> That is currently not implemented, and no design exists.
Joachim Lindenberg via Postfix-users:
> Hello Wietse,
> Yes, exactly, no second instance. Ok, implies I haven't overlooked
> something. Is this an option you are
), backup or just trust in your provider.
Thanks,
Joachim
-Original Message-
From: Wietse Venema via Postfix-users
Sent: Monday, 18 December 2023 13:31
To: Postfix users
Subject: [pfx] Re: Postfix using proxy protocol outbound?
Did you mean instead of
inside Postfix -> outs
Did you mean instead of
inside Postfix -> outside Postfix -> remote MTAs in the Internet
Use
inside Postfix -reverse haproxy-> remote MTAs in the Internet
That is currently not implemented, and no design exists.
Wietse
I am running my postfix (mailcow) in my local network and interface to the
outside via a VPN that is terminated on a VPS with a static address with
adequate reputation. Historically I used NAT in both directions in- and
outbound, but I switched to use proxy protocol inbound as I am in fact now
so far, and also I don't believe
> > ipv4 will go away soon for smtp in general. Moving to proxy protocol
> > would allow me to support ipv6 inbound (relevant for submission if at
> > all), but for sure I will not change my internal network to ipv6.
> > Nevertheless, I reall
will go away soon for smtp in general. Moving to proxy protocol
> would allow me to support ipv6 inbound (relevant for submission if at
> all), but for sure I will not change my internal network to ipv6.
> Nevertheless, I really don't see any dependencies here that cannot be
> r
. Moving to proxy protocol would allow me to support ipv6 inbound
(relevant for submission if at all), but for sure I will not change my internal
network to ipv6.
Nevertheless, I really don't see any dependencies here that cannot be resolved.
Parsing is text processing and data structures, not relying
On Wed, Aug 03, 2022 at 03:11:33PM +0200, Joachim Lindenberg wrote:
> I reconfigured one of my VPS to use the proxy protocol instead of NAT
> to forward external traffic to my postfix (postscreen). I have set up
> nginx to forward the TCP stream to port 10025 using proxy_protocol v1
>
I reconfigured one of my VPS to use the proxy protocol instead of NAT to
forward external traffic to my postfix (postscreen). I have set up nginx to
forward the TCP stream to port 10025 using proxy_protocol v1 (afaik v2 is not
yet supported by nginx), and when connecting I am getting back the
HAProxy v2 support is now part of the regular Postfix 3.5 development release.
No support for CRC32, pending a fix in the HAProxy code.
Wietse
I've just tested it by spinning up an instance of this version behind an
AWS NLB and connecting to the load balancer from the outside - it worked
well, nevertheless I'd encourage others to test as well. Log snippets
follow:
# with smtpd_upstream_proxy_protocol defaulted to empty
postfix-test-7cbd5
Thank you Wietse, I will test this week and let you know.
On 1/6/20 12:42 AM, Wietse Venema wrote:
> You can test haproxy v2 protocol support in postfix-3.5-20200105-nonprod
> (http://ftp.porcupine.org/mirrors/postfix-release/index.html). I
> have done all the testing that I can do. It would be gr
You can test haproxy v2 protocol support in postfix-3.5-20200105-nonprod
(http://ftp.porcupine.org/mirrors/postfix-release/index.html). I
have done all the testing that I can do. It would be great if someone
can test it against some real haproxy client.
Haproxy v2 protocol support is limited to TC
Amazing. Thank you!
On 1/2/20 1:41 AM, Wietse Venema wrote:
Maybe you can try to implement v2 support ? Parsing v2 when v1 is already
supported is quite easy, especially at the same level of support (i.e. no
TLV field support for TLS or whatever). You can have a look at
conn_re
> > > Maybe you can try to implement v2 support ? Parsing v2 when v1 is already
> > > supported is quite easy, especially at the same level of support (i.e. no
> > > TLV field support for TLS or whatever). You can have a look at
> > > conn_recv_proxy() in haproxy:src/connection.c which supports the
Wietse Venema:
> Willy Tarreau:
> > On Tue, Dec 31, 2019 at 08:21:05AM +0100, Tamás Gérczei wrote:
> > > Thanks Wietse, this is what I thought and found out during my
> > > experiments. That said, now knowing that only v1 is supported, may I ask
> > > whether you have considered implementing v2 supp
On Tue, Dec 31, 2019 at 11:38:06AM -0500, Wietse Venema wrote:
> I have a question about the v2 protocol spec.
>
> - \x0 : LOCAL : the connection was established on purpose by the
> proxy without being relayed. The connection endpoints are the
> sender and the receiver. Such connections
I have a question about the v2 protocol spec.
- \x0 : LOCAL : the connection was established on purpose by the proxy
without being relayed. The connection endpoints are the sender and the
receiver. Such connections exist when the proxy sends health-checks to the
server. The receiver
Many thanks in advance for all your efforts in this regard, Wietse!
On 12/31/19 5:08 PM, Wietse Venema wrote:
> Willy Tarreau:
>> On Tue, Dec 31, 2019 at 08:21:05AM +0100, Tamás Gérczei wrote:
>>> Thanks Wietse, this is what I thought and found out during my
>>> experiments. That said, now knowing
Willy Tarreau:
> On Tue, Dec 31, 2019 at 08:21:05AM +0100, Tamás Gérczei wrote:
> > Thanks Wietse, this is what I thought and found out during my
> > experiments. That said, now knowing that only v1 is supported, may I ask
> > whether you have considered implementing v2 support? I'm about to
> > mig
On Tue, Dec 31, 2019 at 10:34:14AM +0100, Tamás Gérczei wrote:
> Thanks Willy, I appreciate the clue and your helpful intention -
> unfortunately this isn't something I can personally do owing to lack of
> knowledge. I don't know whether the v1 implementation had been a
> community patch or somethi
Thanks Willy, I appreciate the clue and your helpful intention -
unfortunately this isn't something I can personally do owing to lack of
knowledge. I don't know whether the v1 implementation had been a
community patch or something Wietse or Viktor have done.
On 12/31/19 8:35 AM, Willy Tarreau wrot
On Tue, Dec 31, 2019 at 08:21:05AM +0100, Tamás Gérczei wrote:
> Thanks Wietse, this is what I thought and found out during my
> experiments. That said, now knowing that only v1 is supported, may I ask
> whether you have considered implementing v2 support? I'm about to
> migrate to a setup where I'm
On 12/30/19 9:38 PM, Wietse Venema wrote:
> Tamás Gérczei:
>> Hello List,
>>
>> I'd like to ask if PROXY protocol v2 is supported by Postfix?
> It's not mentioned in documentation, therefore it is not supported.
> Ditto for memcached v2 protocol.
>
> Wietse
Tamás Gérczei:
> Hello List,
>
> I'd like to ask if PROXY protocol v2 is supported by Postfix?
It's not mentioned in documentation, therefore it is not supported.
Ditto for memcached v2 protocol.
Wietse
Hello List,
I'd like to ask if PROXY protocol v2 is supported by Postfix?
Thanks,
Tamás
Pete:
> Hi curious if there are any plans for support for the proxy protocol v2?
Haproxy2, Memcache2, and the list goes on. Long wishlist, not a lot of time.
Wietse
Hi curious if there are any plans for support for the proxy protocol v2?
--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
ething when trying to leverage proxy protocol.
>
> in my main.cf i have the lines:
> smtpd_upstream_proxy_protocol = haproxy
> ...
> postscreen_upstream_proxy_protocol = haproxy
smtpd_upstream_proxy_protocol is not needed when the haproxy
handshake is already done in postscreen.
i have postscreen and smtpd running on the same box as submission, and
it seems i am missing something when trying to leverage proxy protocol.
in my main.cf i have the lines:
smtpd_upstream_proxy_protocol = haproxy
...
postscreen_upstream_proxy_protocol = haproxy
this seems to work, but after
On 06/03/2013 16:29, Wietse Venema wrote:
Laurent CARON:
When using the SSMTP port *and* send-proxy it fails.
...
Did I miss something obvious ?
Yes. Unlike (port 25) smtp and (port 587) submission, the obsolete
and deprecated ssmtp service has no plain-text phase before the TLS
handshake.
Laurent CARON:
> When using the SSMTP port *and* send-proxy it fails.
...
> Did I miss something obvious ?
Yes. Unlike (port 25) smtp and (port 587) submission, the obsolete
and deprecated ssmtp service has no plain-text phase before the TLS
handshake.
This means that an obsolete and deprecated s
tocol=haproxy
- add -o smtpd_upstream_proxy_timeout=5s
leading to the use of the proxy protocol only for submission but not for
SMTPS.
Did I miss something obvious ?
Thanks
Laurent