Re: [exim] Proxy smtp connections to multiple Exim servers b…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jasen Betts
Date:  
À: exim-users
Sujet: Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy
On 2023-04-15, Sebastian Arcus via Exim-users <exim-users@???> wrote:
> On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
>> On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
>>> I have a number of Exim servers behind a NAT gateway (actually
>>> connected with vpn's to a cloud vps - but I'm hoping this is not
>>> relevant to this post). I would like the gateway to send incoming port
>>> 25 traffic to the correct Exim server based on SNI in incoming TLS
>>> packets - as different Exim instances serve different email domains.
>>> The setup would look like this:
>>>
>>>                        [Internet]
>>>                            |
>>>                            |
>>>                      (smtp port 25)
>>>                            |
>>>                            v
>>>                            |
>>>                     [Cloud server]
>>>                            |
>>>                            v
>>>                            |
>>>         ----------------------------------------
>>>         |                  |                   |
>>>         |                  |                   |
>>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>>
>>>
>>> I would have preferred to do this at IP tables level - but apparently
>>> not really possible. It seems the next option would be HAProxy. Has
>>> anyone here used HAProxy or run a setup as above, or know if this is
>>> actually doable? Any suggestions much appreciated.
>>>
>>
>> Exim does talk the inbound-proxy protocol tha HAProxy apparently uses
>> (or can use):
>> https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound
>>
>>
>> I can't really help on other HAProxy facilities or config though.
>>
>> Another option for you would be to use Exim itself as the fanout element
>> at your
>> "cloud server".  It has visibility of the SNI and could use that for
>> routing.
>
> Thank you for the suggestions. I have considered using Exim itself as
> the "proxy" at the front. One thing I have to figure out is SPF in
> relation to Spamassassin. I think I would have to run Spamassassin on
> the "proxy" Exim, as otherwise the IP address of the proxy will be added
> to the headers during the delivery/relay process, and will probably
> break the SPF checks in Spamassassin on the final Exim server in the
> chain - I think?


I think you're right exim supports HAPROXY and in the coming release
XCLIENT but (so far as I know), in both cases, only as an end point
not as an originator.


The solution to this may be ARC where the first exim checks the SPF
and DKIM and adds a header saying if they are good or not.


--
Jasen.
🇺🇦 Слава Україні