On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
> On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
>> I have a number of Exim servers behind a NAT gateway (actually
>> connected with vpn's to a cloud vps - but I'm hoping this is not
>> relevant to this post). I would like the gateway to send incoming port
>> 25 traffic to the correct Exim server based on SNI in incoming TLS
>> packets - as different Exim instances serve different email domains.
>> The setup would look like this:
>>
>> [Internet]
>>       |
>>       |
>>  (smtp port 25)
>>       |
>>       v
>>       |
>> [Cloud server]
>>       |
>>       v
>>       |
>> ----------------------------------------
>>       |                 |                 |
>>       |                 |                 |
>> [Exim server 1]  [Exim server 2]  [Exim server 3]
>>
>>
>> I would have preferred to do this at IP tables level - but apparently
>> not really possible. It seems the next option would be HAProxy. Has
>> anyone here used HAProxy or run a setup as above, or know if this is
>> actually doable? Any suggestions much appreciated.
>>
>
> Exim does talk the inbound-proxy protocol that HAProxy apparently uses
> (or can use):
> https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound
>
>
> I can't really help on other HAProxy facilities or config though.
>
> Another option for you would be to use Exim itself as the fanout element
> at your "cloud server". It has visibility of the SNI and could use that
> for routing.
Thank you for the suggestions. I have considered using Exim itself as
the "proxy" at the front. One thing I have to figure out is SPF in
relation to Spamassassin. I think I would have to run Spamassassin on
the "proxy" Exim, as otherwise the IP address of the proxy will be added
to the headers during the delivery/relay process, and will probably
break the SPF checks in Spamassassin on the final Exim server in the
chain - I think?
> Indeed, if the configurations needed for the "Exim server N" elements
> are sufficiently similar and load & geography permits, you could
> collapse the lot into a single Exim.
I agree with you - except that there are some business / non-technical
reasons why this is not a possibility in this case.