On 26 Aug 2021, at 12:36, Jasen Betts via Exim-users <exim-users@???> wrote:
> On 2021-08-25, Sabahattin Gucukoglu via Exim-users <exim-users@???> wrote:
>> The doc says Exim recognises a proxy host by IP; does this mean I
>> can’t receive ordinary mail from it as a secondary MX? If not, how do
>> you think I ought to go about this?
>
> Tell the proxy protocol host to deliver email to its own external IP
> address; that will cause it to open a proxy connection to the exim server.
Of course. Thanks! Presumably I’ll need to do some work to ensure TLS validation succeeds and that Exim doesn’t trip over any loop detection logic, but I’m not sure why I didn’t think of that.
>> What about if I extend this setup so that my mailer machine only makes outbound connections to the proxy host—can I still receive inbound mail, through a forwarded port perhaps? SSH seems like the obvious answer, but then I’d lose sender information, yes? I could use an inner VPN, perhaps. But something that only carries application-layer traffic would be nicer. Exim supports SOCKS, but not the bind method—perhaps that would be useful.
>
> I'm not sure what you mean.
Imagine the dynamic host has no means of listening on a routable address, perhaps because it is behind a CGNAT. Can I arrange it so that I only maintain (presumably health-checked with heartbeats) an outbound connection to the proxy host, but still receive SMTP traffic directed at the proxy host’s publicly-routed address(es), such that I get to keep sender information? I want to do this at the application layer, if possible, since VPN access for the client is already protecting all of that machine’s traffic. Perhaps SOCKS bind support (connect to a SOCKS server, ask for a listening port) or running the proxy protocol inside another protocol, maybe SSH. Shall have to think some more about that.
Cheers,
Sabahattin
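As an added example (not from the thread and not Exim's own code): the PROXY protocol v1 line that the proxy host prepends when it opens that proxy connection, together with the trusted-peer check that "Exim recognises a proxy host by IP" implies, so that sender information survives but only a listed proxy may assert it. The proxy address, client addresses and the trailing SMTP data are constructed test values.

```python
"""PROXY protocol v1 header handling, modelled on how a server that trusts
a fixed list of proxy hosts (cf. Exim's hosts_proxy) should treat the
header. Example code, not Exim's implementation; TCP4/TCP6 only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed trusted-proxy list: only these TCP peers may send a PROXY line.
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}


@dataclass
class ProxyInfo:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def build_v1_header(proto: str, src_ip: str, dst_ip: str,
                    src_port: int, dst_port: int) -> bytes:
    """Line the proxy host sends first, before any SMTP traffic flows."""
    return f"PROXY {proto} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def parse_v1_header(peer_ip: str, data: bytes) -> Optional[ProxyInfo]:
    """Return the real client endpoints if peer_ip is a trusted proxy and the
    header is well formed. Return None for an untrusted peer (it is then
    treated as the client itself and cannot forge a source address).
    Raise ValueError on a malformed header from a trusted proxy."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return None
    line, sep, _rest = data.partition(b"\r\n")
    if not sep or len(line) > 105:  # v1 limit: 107 bytes including CRLF
        raise ValueError("missing CRLF or header too long")
    fields = line.decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(fields[1], str(src), str(dst), sport, dport)
```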