Re: [exim] Proxy smtp connections to multiple Exim servers b…

Author: Sebastian Arcus
Date:  
To: Evgeniy Berdnikov, exim-users
Subject: Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 16:46, Evgeniy Berdnikov via Exim-users wrote:
> On Sat, Apr 15, 2023 at 12:53:54PM +0100, Sebastian Arcus via Exim-users wrote:
>> I have a number of Exim servers behind a NAT gateway (actually connected
>> with VPNs to a cloud VPS - but I'm hoping this is not relevant to this
>> post). I would like the gateway to send incoming port 25 traffic to the
>> correct Exim server based on SNI in incoming TLS packets - as different Exim
>> instances serve different email domains. The setup would look like this:
>>
>>                        [Internet]
>>                            |
>>                            |
>>                      (smtp port 25)
>>                            |
>>                            v
>>                            |
>>                     [Cloud server]
>>                            |
>>                            v
>>                            |
>>         ----------------------------------------
>>         |                  |                   |
>>         |                  |                   |
>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>
>> I would have preferred to do this at iptables level - but apparently not
>> really possible.
>
> Well, iptables is not a good tool for this, because it operates on OSI levels
> 3+4, while SNI is on level 5. Iptables has to select the backend IP on the
> SYN packet, but SNI comes later.
>
> For your conditions the problem is even more complex, because port 25 is for
> plain SMTP, and SNI can only be passed after STARTTLS. So the load balancer
> would have to start a plain SMTP session, carry the full dialog until the client
> switches to TLS, and check whether the client supplies SNI during the handshake.
> Note that SNI may be absent, and this situation should also be handled carefully.
>
>> It seems the next option would be HAProxy. Has anyone here
>> used HAProxy or run a setup as above, or know if this is actually doable?
>
> Your scheme is theoretically possible, but I doubt it can easily be
> realized with the commonly used HAProxy or Nginx.
>
> My question is: why do you want to use such a complicated scheme, when it's
> a very simple task to set up a farm of Exim servers, each operating for
> several mail domains, with an iptables-based balancer in front of them?


Would this be possible with different servers covering different email
domains? These servers belong to different organisations - hence why
each one hosts different domains.
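
The sequencing Evgeniy describes above (a plain-SMTP dialog up to STARTTLS, and only then a TLS ClientHello that may or may not carry SNI) can be made concrete with a short script. This is an added example, not code from the thread, from Exim, or from HAProxy; the greeting, backend names and addresses are constructed placeholders. It holds the plain-SMTP preamble, generates a genuine ClientHello offline with Python's ssl module and in-memory BIOs, reads the server_name extension out of it, and falls back to a fixed backend when the extension is absent, which is the case the reply says needs careful handling.

```python
import ssl
import struct

# Constructed routing table: TLS server name -> backend Exim address.
# Names and addresses are hypothetical placeholders, not from the thread.
BACKENDS = {
    "mail.example.org": "10.0.0.11",
    "mail.example.net": "10.0.0.12",
}
DEFAULT_BACKEND = "10.0.0.11"  # where a client that sends no SNI ends up


def smtp_preamble(client_lines):
    """Hold the plain-SMTP dialog a proxy must run before any TLS bytes exist.
    Returns (server replies, switched_to_tls). Nothing in EHLO/STARTTLS
    identifies the backend, so no routing decision is possible yet."""
    replies = ["220 mx.example.org ESMTP proxy"]  # constructed greeting
    for line in client_lines:
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            replies += ["250-mx.example.org", "250 STARTTLS"]
        elif verb == "STARTTLS":
            replies.append("220 Ready to start TLS")
            return replies, True  # next client bytes are the TLS ClientHello
        elif verb == "QUIT":
            replies.append("221 Bye")
            return replies, False
        else:
            # A client that never issues STARTTLS also never sends SNI,
            # so it is as unroutable by name as a ClientHello without SNI.
            replies.append("503 STARTTLS required before other commands")
    return replies, False


def build_client_hello(server_name):
    """Generate a real ClientHello without a socket, via in-memory BIOs.
    server_name=None yields a ClientHello with no SNI extension."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is written; the client now waits for the server
    return outgoing.read()


def extract_sni(data):
    """Return the server_name from a TLS ClientHello, or None when absent.
    Raises ValueError if the bytes are not a ClientHello handshake record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                          # version + random
    pos += 1 + hello[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                 # compression_methods
    if pos + 2 > len(hello):
        return None                                       # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                                 # 0 = server_name
            continue
        list_end = 2 + struct.unpack("!H", ext[0:2])[0]
        q = 2
        while q + 3 <= list_end:
            name_type = ext[q]
            name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
            if name_type == 0:                            # host_name entry
                return ext[q + 3:q + 3 + name_len].decode("ascii")
            q += 3 + name_len
    return None


def choose_backend(client_hello):
    """Route on SNI; fall back to a fixed backend when the client sent none."""
    sni = extract_sni(client_hello)
    return sni, BACKENDS.get(sni, DEFAULT_BACKEND)


if __name__ == "__main__":
    replies, switched = smtp_preamble(["EHLO client.example", "STARTTLS"])
    print("\n".join(replies), "-> switching to TLS:", switched)
    for name in ("mail.example.net", None):
        print(name, "->", choose_backend(build_client_hello(name)))
```

The point the script makes is the one in the reply: the proxy has to speak SMTP itself before it has anything to route on, and the routing key can still be missing once the handshake starts, so the no-SNI branch (here a fixed backend) is a deliberate design decision rather than an error path.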