3

During the last years I had an email server running for my small business without problems.

Now that my company has grown, I wanted to add a bit of redundancy and added a failover email server with a load balancer in front (haproxy).

All went fine until 1 week ago when we fell victim to spammers and I had to shut down everything. Using Google a lot, I found out that a load balancer without the correct config converts my postfix into an open relay.

I would like to solve this and also found a lot of docs, but frankly now I'm a bit lost. I know that I have to add send-proxy in haproxy.cfg amongst other changes, but I just can't figure out how to add postscreen in order to harden postfix again.

Could anyone guide me or at least give me some link which I haven't found to a manual or tutorial of how this could be achieved?

I admit that I'm getting lost in the postfix official docs.

Many thanks in advance

Swisstone
Joe Silencio

2 Answers

4

Maybe this helps somebody out. I do the haproxy configuration differently because I'm running inside a Kubernetes cluster, but for the postfix configuration you update two files accordingly:

master.cf

# Exposed SMTP service (postscreen support is needed to support the proxy protocol [search postscreen_upstream_proxy_protocol in main.cf])
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd

main.cf

# This is required to support the proxy protocol to acquire the correct source IP address from whoever is connecting to this server
# It's really important to get this information because otherwise ALL your connections will come from your internal IP address
# Guess what you allow to send emails, without question? That's right! Your $mynetworks. Which means because you cannot get the
# correct source IP address, it permits EVERYBODY TO SEND EMAIL THROUGH YOUR SERVER! You basically become an open relay
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 5s
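
The failure described in the comments above, shown as an added example (it is not part of the original answer and is not Postfix code): a simplified Python model of which client address the MTA sees with and without the PROXY protocol v1 header that haproxy's send-proxy emits. The addresses, `MYNETWORKS`, `LB_ADDR` and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values, not taken from the page.
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/24"]  # assumed postfix $mynetworks
LB_ADDR = "10.0.0.5"                         # assumed haproxy address


def parse_proxy_v1(line: bytes) -> str:
    """Return the source address from a PROXY protocol v1 header line."""
    if not line.endswith(b"\r\n") or len(line) > 107:
        raise ValueError("not a complete PROXY v1 line")
    fields = line[:-2].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported or malformed PROXY v1 header")
    proto, src, dst, sport, dport = fields[1:]
    version = 4 if proto == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != version:
            raise ValueError("address family does not match header")
    for port in (sport, dport):
        if not (port.isdigit() and 0 <= int(port) <= 65535):
            raise ValueError("bad port")
    return src


def client_seen_by_mta(peer: str, first_line: bytes, proxy_protocol: bool) -> str:
    """Address the access rules are applied to: TCP peer, or header source."""
    return parse_proxy_v1(first_line) if proxy_protocol else peer


def in_mynetworks(addr: str, networks=MYNETWORKS) -> bool:
    """True if addr falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    # Constructed header: an outside client connecting through the balancer.
    header = b"PROXY TCP4 203.0.113.50 10.0.0.5 51234 25\r\n"
    for enabled in (False, True):
        seen = client_seen_by_mta(LB_ADDR, header, enabled)
        print(f"proxy_protocol={enabled}: client={seen} "
              f"in_mynetworks={in_mynetworks(seen)}")
```

Because the receiver takes the header at face value, the postscreen port should accept connections only from the load balancer.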

1

SMTP through HAProxy using TProxy

You would need to use TProxy in order to preserve the IP address of the client. Search for tproxy. This assumes the public IP is hitting haproxy.

Or just use MX

Another method would be to NAT port 25 from 2 public IPs and just use 2 MX records. The MTAs will deal with load balancing as well.

Aaron