Re: [exim-dev] [exim-cvs] Proxy Protocol - Server support

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [exim-cvs] Proxy Protocol - Server support
On Mon, Dec 02, 2013 at 08:25:29AM -0800, Todd Lyons wrote:

> >> +The proxy_required_hosts option will require any IP in that hostlist
> >> +to use Proxy Protocol. The specification of Proxy Protocol is very
> >> +strict, and if proxy negotiation fails, Exim will not allow any SMTP
> >> +command other than QUIT. (See end of this section for an example.)
> >> +The option is expanded when used, so it can be a hostlist as well as
> >> +string of IP addresses. Since it is expanded, specifying an alternate
> >> +separator is supported for ease of use with IPv6 addresses.
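Review bot: the description of what the option holds is inconsistent within this hunk. The first sentence calls the value "that hostlist", while the fourth says it "can be a hostlist as well as string of IP addresses" and attributes that, and the alternate-separator syntax in the last sentence, to the option being expanded. State once what the value is (a host list, expanded before use) and then mention the alternate separator for IPv6 addresses, rather than deriving the list behaviour from expansion; "as well as string of IP addresses" also needs an article ("a string").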
> >
> > No control variable which can be set in an acl_smtp_connect ACL? :)
>
> What would a control variable do for us? Once it gets to the ACL
> processing, the proxy negotiation has already failed. Is your
> contention that limiting to only the QUIT command is short-sighted?
>
> The spec very clearly spells out that a connection must be configured
> to be a proxy connection, or a regular connection, and not do any kind
> of auto-detection. I followed that thought process to come to the
> conclusion that for a proxy configured host, it must pass, or no SMTP
> commands are to be allowed. I welcome better suggestions.


For what it is worth, when the proxy protocol handshake fails
Postfix hangs up (drops the connection without even a 421). When
the proxy protocol fails, it is not possible to keep going.

The proxy preamble is not expected to fit into a single packet.
Buffered I/O is used to read a single CRLF-terminated line from
the proxy.

-- 
    Viktor.
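The two points Viktor makes above, that a failed PROXY protocol handshake means hanging up and that the header line has to be read with buffered I/O because it need not fit in one packet, as an added C example. This is not code from Exim or Postfix: the reader accumulates one CRLF-terminated line across however many reads it takes, the parser accepts only the exact v1 grammar (PROXY, then TCP4/TCP6/UNKNOWN, addresses, ports, a single space between fields), and anything else makes the server drop the connection. The names pp1_feed, pp1_parse and pp1_handshake and the sample reads are constructed for this example; the 107-byte limit is the longest legal v1 line from the protocol specification.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define PP1_MAX_LINE 107   /* longest legal v1 header line, CRLF included (spec worst case) */

enum pp1_status { PP1_FAIL = -1, PP1_NEED_MORE = 0, PP1_DONE = 1 };

typedef struct { char buf[PP1_MAX_LINE + 1]; size_t len; } pp1_reader;

typedef struct {
    int      family;                                  /* AF_INET, AF_INET6, or 0 for "PROXY UNKNOWN" */
    char     src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
    unsigned sport, dport;
} pp1_header;

/* Accumulate one CRLF-terminated line from whatever the socket delivered. The header need not
 * arrive in one read, and the client's first SMTP command may follow it in the same read, so
 * only bytes up to and including the first LF are consumed; *consumed reports how many. */
static enum pp1_status pp1_feed(pp1_reader *r, const char *data, size_t n, size_t *consumed)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (r->len >= PP1_MAX_LINE || data[i] == '\0') { *consumed = i; return PP1_FAIL; }
        r->buf[r->len++] = data[i];
        if (data[i] == '\n') {
            *consumed = i + 1;
            if (r->len < 2 || r->buf[r->len - 2] != '\r') return PP1_FAIL;   /* bare LF */
            return PP1_DONE;
        }
    }
    *consumed = n;
    return PP1_NEED_MORE;
}

/* Strict decimal port: digits only, at most five, no sign, no leading zero, <= 65535. */
static int pp1_port(const char *s, unsigned *out)
{
    unsigned v = 0; size_t i;
    if (s[0] == '\0' || (s[0] == '0' && s[1] != '\0')) return 0;
    for (i = 0; s[i] != '\0'; i++) {
        if (i == 5 || s[i] < '0' || s[i] > '9') return 0;
        v = v * 10 + (unsigned)(s[i] - '0');
    }
    *out = v;
    return v <= 65535;
}

/* Parse a complete line. Anything that is not exactly the v1 grammar is a failure. */
static int pp1_parse(const char *line, size_t len, pp1_header *h)
{
    char work[PP1_MAX_LINE + 1], *tok[6], *p, *sp;
    unsigned char addr[16];
    int ntok = 0;
    memset(h, 0, sizeof *h);
    if (len < 8 || len > PP1_MAX_LINE || line[len - 2] != '\r' || line[len - 1] != '\n') return 0;
    memcpy(work, line, len - 2);
    work[len - 2] = '\0';
    if (strncmp(work, "PROXY ", 6) != 0) return 0;
    /* UNKNOWN: the rest of the line is ignored and the real socket addresses stay in force. */
    if (strncmp(work + 6, "UNKNOWN", 7) == 0 && (work[13] == '\0' || work[13] == ' ')) return 1;
    /* Fields are separated by exactly one space: no leading, trailing or doubled spaces. */
    for (p = work; ; p = sp + 1) {
        if (ntok == 6 || *p == ' ' || *p == '\0') return 0;
        tok[ntok++] = p;
        if ((sp = strchr(p, ' ')) == NULL) break;
        *sp = '\0';
    }
    if (ntok != 6) return 0;
    if (strcmp(tok[1], "TCP4") == 0) h->family = AF_INET;
    else if (strcmp(tok[1], "TCP6") == 0) h->family = AF_INET6;
    else return 0;
    /* Both addresses must parse in the declared family (glibc's inet_pton rejects 01.2.3.4 too). */
    if (inet_pton(h->family, tok[2], addr) != 1 || inet_pton(h->family, tok[3], addr) != 1) return 0;
    if (strlen(tok[2]) >= sizeof h->src || strlen(tok[3]) >= sizeof h->dst) return 0;
    strcpy(h->src, tok[2]);
    strcpy(h->dst, tok[3]);
    return pp1_port(tok[4], &h->sport) && pp1_port(tok[5], &h->dport);
}

/* Drive the handshake over a sequence of reads. Returns 1 when the header is valid; 0 means the
 * server hangs up (no 421, no SMTP). *leftover is how much of the last read is already SMTP. */
static int pp1_handshake(const char **reads, size_t nreads, pp1_header *h, size_t *leftover)
{
    pp1_reader r = { {0}, 0 };
    size_t i, used;
    *leftover = 0;
    for (i = 0; i < nreads; i++) {
        enum pp1_status st = pp1_feed(&r, reads[i], strlen(reads[i]), &used);
        if (st == PP1_FAIL) return 0;
        if (st == PP1_DONE) { *leftover = strlen(reads[i]) - used; return pp1_parse(r.buf, r.len, h); }
    }
    return 0;   /* peer stopped before completing the line: also a failure */
}

int main(void)
{
    /* Constructed input: the header arrives split over three reads, then the first SMTP command. */
    const char *reads[] = { "PROXY TC", "P4 192.0.2.1 198.51.100.7 563", "24 25\r\nEHLO client.example\r\n" };
    pp1_header h; size_t left;
    if (!pp1_handshake(reads, 3, &h, &left)) { puts("handshake failed: hang up"); return 1; }
    printf("client %s:%u -> %s:%u, %zu SMTP bytes already buffered\n", h.src, h.sport, h.dst, h.dport, left);
    return 0;
}
```

The reader rejects a bare LF, a NUL, or a line longer than any legal header before parsing even starts, and the parser treats a doubled space, an unknown protocol token, or a badly formed port the same way; in every one of those cases pp1_handshake returns 0 and the caller's only correct move is to close the socket. The bytes left over after the CRLF belong to the SMTP session and must be handed to the SMTP reader rather than discarded.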