Re: [exim] Proxy smtp connections to multiple Exim servers b…

Author: Sebastian Arcus
Date:
To: Jeremy Harris, exim-users
Subject: Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
> On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
>> I have a number of Exim servers behind a NAT gateway (actually
>> connected with vpn's to a cloud vps - but I'm hoping this is not
>> relevant to this post). I would like the gateway to send incoming port
>> 25 traffic to the correct Exim server based on SNI in incoming TLS
>> packets - as different Exim instances serve different email domains.
>> The setup would look like this:
>>
>>                        [Internet]
>>                            |
>>                            |
>>                      (smtp port 25)
>>                            |
>>                            v
>>                            |
>>                     [Cloud server]
>>                            |
>>                            v
>>                            |
>>         ----------------------------------------
>>         |                  |                   |
>>         |                  |                   |
>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>
>>
>> I would have preferred to do this at IP tables level - but apparently
>> not really possible. It seems the next option would be HAProxy. Has
>> anyone here used HAProxy or run a setup as above, or know if this is
>> actually doable? Any suggestions much appreciated.
>>
>
> Exim does talk the inbound-proxy protocol that HAProxy apparently uses
> (or can use):
> https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound
>
>
> I can't really help on other HAProxy facilities or config though.
>
> Another option for you would be to use Exim itself as the fanout element
> at your "cloud server".  It has visibility of the SNI and could use that
> for routing.


Thank you for the suggestions. I have considered using Exim itself as
the "proxy" at the front. One thing I have to figure out is SPF in
relation to Spamassassin. I think I would have to run Spamassassin on
the "proxy" Exim, as otherwise the IP address of the proxy will be added
to the headers during the delivery/relay process, and will probably
break the SPF checks in Spamassassin on the final Exim server in the
chain - I think?

> Indeed, if the configurations needed for the "Exim server N" elements
> are sufficiently similar and load & geography permits, you could
> collapse the lot into a single Exim.


I agree with you - except that there are some business / non-technical
reasons why this is not a possibility in this case.
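The following is an added, constructed example (not from the thread, HAProxy or the Exim project) of the two pieces the discussion above touches on: HAProxy forwarding SMTP to several Exim backends with the PROXY protocol, and the Exim-side `hosts_proxy` setting from the spec chapter Jeremy linked. Host names, the 10.8.0.0/24 VPN addresses and the backend names are assumptions. One caveat a practitioner should know before copying it: on port 25 TLS is negotiated with STARTTLS after EHLO, so the ClientHello (and its SNI) is not in the first bytes of the connection and a layer-4 proxy has nothing to route on; SNI-based selection in HAProxy only works for implicit-TLS SMTP on port 465. For port 25, the fanout has to speak SMTP itself, which is the Exim-as-front-end option suggested above.

```text
# --- /etc/haproxy/haproxy.cfg on the cloud server (constructed example) ---
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  10m
    timeout server  10m

# Port 465 (implicit TLS): the ClientHello, and with it the SNI, is the
# first thing the client sends, so HAProxy can pick a backend by name
# without decrypting anything. Wait for a complete ClientHello first.
frontend smtps_in
    bind *:465
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend exim1_tls if { req.ssl_sni -i mail.example-one.test }
    use_backend exim2_tls if { req.ssl_sni -i mail.example-two.test }
    default_backend exim3_tls

# Port 25 (STARTTLS): TLS only starts after the STARTTLS command, so the
# SNI is not visible here. A layer-4 proxy can only forward all of it to
# one SMTP-aware backend while preserving the client address.
frontend smtp_in
    bind *:25
    default_backend exim1

# send-proxy prefixes every connection with a PROXY protocol v1 header so
# the backend Exim learns the real internet client address instead of
# seeing the proxy's own VPN address.
backend exim1
    server exim1 10.8.0.11:25 send-proxy
backend exim1_tls
    server exim1 10.8.0.11:465 send-proxy
backend exim2_tls
    server exim2 10.8.0.12:465 send-proxy
backend exim3_tls
    server exim3 10.8.0.13:465 send-proxy

# --- Exim main configuration section on each "Exim server N" (assumed) ---
# Only the proxy host may send a PROXY header; a header from any other
# peer is not honoured, so clients cannot spoof their source address.
hosts_proxy = 10.8.0.1

# Exim does implicit TLS on 465 after reading the PROXY header.
tls_on_connect_ports = 465

acl_smtp_connect = acl_check_connect

# Log what Exim learned from the proxy header for this connection.
acl_check_connect:
  warn  condition = $proxy_session
        logwrite  = proxied: client $proxy_external_address:$proxy_external_port \
                    arrived via $proxy_local_address:$proxy_local_port
  accept
```

When the PROXY header is accepted, Exim sets `$sender_host_address` to the proxied (external) address, so the Received: header it writes and any host-based checks such as SPF on that backend see the internet client rather than the proxy. That is the property the SPF question above is really about, and it removes the need to run the checks on the front-end box when HAProxy is the fanout; the restriction that `hosts_proxy` is limited to the proxy's own address is what keeps an arbitrary client from asserting a forged source address with a header of its own.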