[exim-dev] [Bug 2018] proxy protocol is not supported on smt…

トップ ページ
このメッセージを削除
このメッセージに返信
著者: admin
日付:  
To: exim-dev
題目: [exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #4 from Nenad Opsenica <nenad@???> ---
Just to describe my setup:
* haproxy to do "ssl passthrough" (i.e. running in TCP mode without SSL/TLS
offloading) from clients to imap and smtp/submission servers
* dovecot configuration, that uses this kind of setup works perfectly with
both StartTLS IMAP (port 143) and IMAPS (port 993).

Relevant configuration parts for TLS-on-connect case (port 993/imaps)

HAproxy:

listen imap
        bind :993
        mode tcp 
        option tcplog


        stick-table type ip size 200k expire 30m
        stick on src


        server mail2 mail2.local.net:10993 check-send-proxy send-proxy-v2


Dovecot:

  inet_listener imaps_haproxy {
    port = 10993
    ssl = yes
    haproxy = yes
  }



Similar setup with HAproxy and Exim for TLS-on-connect case (port 465) does not
work:

HAproxy:
listen smtp
        bind :465
        mode tcp 
        option tcplog


        stick-table type ip size 200k expire 30m
        stick on src


        server mail2 mail2.local.net:465 check-send-proxy send-proxy-v2



Exim configuration:

hosts_proxy = IP_address_of_HAproxy_server

Exim is patched with fix for proxy-v2 from
https://bugs.exim.org/show_bug.cgi?id=2003


When I changed function smtp_start_session() in smtp_in.c, to call
check_proxy_protocol_host() first, and then tls_server_start(), proxied session
was successfully detected (debug information showed IP address of end client),
but unfortunatelly TLS session was not started; obviously this can't be fixed
that 'easy' way.
But, it shows that HAproxy, when used with "TLS/SSL passthrough" mode prepends
unencrypted proxy header.

--
You are receiving this mail because:
You are on the CC list for the bug.