On Sat, Apr 15, 2023 at 12:53:54PM +0100, Sebastian Arcus via Exim-users wrote:
> I have a number of Exim servers behind a NAT gateway (actually connected
> with VPNs to a cloud VPS - but I'm hoping this is not relevant to this
> post). I would like the gateway to send incoming port 25 traffic to the
> correct Exim server based on SNI in incoming TLS packets - as different Exim
> instances serve different email domains. The setup would look like this:
>
> [Internet]
> |
> |
> (smtp port 25)
> |
> v
> |
> [Cloud server]
> |
> v
> |
> ----------------------------------------
>       |                |                |
>       |                |                |
> [Exim server 1] [Exim server 2] [Exim server 3]
>
>
> I would have preferred to do this at IP tables level - but apparently not
> really possible.
Well, iptables is not a good tool for this, because it operates on OSI levels
3+4, while SNI is on level 5. Iptables would have to select the backend IP on the
SYN packet, but SNI comes later.
For your conditions the problem is even more complex, because port 25 is for
plain SMTP, and SNI can only be passed after STARTTLS. So the load balancer
would have to start a plain SMTP session, do the full dialog until the client switches
to TLS, and then check whether the client supplies SNI during the handshake. Note that
SNI may be absent; this situation should also be handled carefully.
> It seems the next option would be HAProxy. Has anyone here
> used HAProxy or run a setup as above, or know if this is actually doable?
Your scheme is theoretically possible, but I doubt it can be easily
realized with the commonly used HAProxy or Nginx.
My question is: why do you want to use such a complicated scheme, when it's
a very simple task to set up a farm of Exim servers, each operating for
several mail domains, with an iptables-based balancer in front of them?
--
Eugene Berdnikov
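As an added illustration of the inspection step described in the reply (not code from either poster or from any load balancer product): once the balancer has run the plain SMTP dialog up to STARTTLS, the very next bytes from the client are a TLS ClientHello, and this is where the SNI is found or found to be missing. The parser below reads the server_name extension, returns None when it is absent (so a default backend is used), and rejects anything that is not a ClientHello; the backend map, host names and ClientHello builder are constructed for the example.

```python
import struct
from typing import Optional

# Constructed routing table: SNI host name -> backend Exim instance (hypothetical names).
BACKENDS = {"mail.example.com": "exim1", "mail.example.org": "exim2"}

def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello record, or None if no SNI is sent.
    Raises ValueError if the bytes are not a TLS handshake record carrying a ClientHello."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + hello[pos]                          # skip session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + hello[pos]                          # skip compression_methods
    if pos + 2 > len(hello):
        return None                                # old-style hello with no extensions block
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_sz = struct.unpack("!HH", hello[pos:pos + 4])
        data, pos = hello[pos + 4:pos + 4 + ext_sz], pos + 4 + ext_sz
        if ext_type == 0x0000:                     # server_name extension
            list_end, p = 2 + struct.unpack("!H", data[0:2])[0], 2
            while p + 3 <= list_end:               # entries: name_type(1) name_len(2) name
                name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                 # host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
    return None                                    # extensions present, but no SNI among them

def choose_backend(record: bytes, default: str = "exim1") -> str:
    """Pick a backend from the SNI; unknown or absent SNI falls back to the default."""
    return BACKENDS.get(extract_sni(record), default)

def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello, optionally carrying an SNI (test input only)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A balancer built this way must also buffer the ClientHello and replay it to the chosen backend after routing, since the backend's TLS stack still needs to see it.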