On 2023-04-15, Sebastian Arcus via Exim-users <exim-users@???> wrote:
> On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
>> On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
>>> I have a number of Exim servers behind a NAT gateway (actually
>>> connected with vpn's to a cloud vps - but I'm hoping this is not
>>> relevant to this post). I would like the gateway to send incoming port
>>> 25 traffic to the correct Exim server based on SNI in incoming TLS
>>> packets - as different Exim instances serve different email domains.
>>> The setup would look like this:
>>>
>>> [Internet]
>>>       |
>>>  (smtp port 25)
>>>       |
>>>       v
>>> [Cloud server]
>>>       |
>>>       v
>>> ------------------------------------------------
>>>       |                  |                  |
>>> [Exim server 1]   [Exim server 2]   [Exim server 3]
>>>
>>>
>>> I would have preferred to do this at IP tables level - but apparently
>>> not really possible. It seems the next option would be HAProxy. Has
>>> anyone here used HAProxy or run a setup as above, or know if this is
>>> actually doable? Any suggestions much appreciated.
>>>
>>
>> Exim does talk the inbound-proxy protocol that HAProxy apparently uses
>> (or can use):
>> https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound
>>
>>
>> I can't really help on other HAProxy facilities or config though.
>>
>> Another option for you would be to use Exim itself as the fanout element
>> at your "cloud server". It has visibility of the SNI and could use that
>> for routing.
>
> Thank you for the suggestions. I have considered using Exim itself as
> the "proxy" at the front. One thing I have to figure out is SPF in
> relation to Spamassassin. I think I would have to run Spamassassin on
> the "proxy" Exim, as otherwise the IP address of the proxy will be added
> to the headers during the delivery/relay process, and will probably
> break the SPF checks in Spamassassin on the final Exim server in the
> chain - I think?
I think you're right: Exim supports HAPROXY and, in the coming release,
XCLIENT, but (so far as I know) in both cases only as an end point,
not as an originator.
The solution to this may be ARC, where the first Exim checks the SPF
and DKIM and adds a header saying whether they are good or not.
--
Jasen.
🇺🇦 Glory to Ukraine
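As an added illustration of the inbound proxy protocol Jeremy mentions (this is example code written for this thread, not Exim's or HAProxy's own implementation): a strict parser for the PROXY protocol v1 line that a front end such as HAProxy prepends to the forwarded TCP stream. The point for the SPF question is that the line carries the original client address, so the backend can apply SPF and host-based ACLs to the real sender rather than to the proxy; it assumes the Exim documentation linked above, which describes Exim taking the conveyed address as the connection's sender host address, and the addresses in the test data are constructed documentation-range values.

```python
import ipaddress

# Longest legal v1 header including the trailing CRLF (PROXY protocol spec).
MAX_V1_HEADER = 107


class ProxyHeaderError(ValueError):
    """Raised when the leading bytes are not a strictly valid PROXY v1 line."""


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 header from the first bytes of a connection.

    Returns (info, rest): info holds family, src, dst, src_port, dst_port
    (family 'UNKNOWN' carries no addresses); rest is the payload after CRLF.
    Anything that deviates from the spec raises ProxyHeaderError, so a
    malformed line cannot silently be accepted as the 'client address'.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyHeaderError("no CRLF within the 107-byte v1 limit")
    line, rest = data[:end], data[end + 2:]
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in PROXY line") from None
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY signature or family")
    if fields[1] == "UNKNOWN":
        # Proxy could not determine the client; the rest of the line is ignored.
        return {"family": "UNKNOWN"}, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("unsupported family or wrong field count")
    want_version = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    except ValueError:
        raise ProxyHeaderError("unparseable address") from None
    if src.version != want_version or dst.version != want_version:
        raise ProxyHeaderError("address does not match the declared family")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("port is not a decimal number")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyHeaderError("port out of range")
    return {"family": fields[1], "src": str(src), "dst": str(dst),
            "src_port": src_port, "dst_port": dst_port}, rest
```

In a real deployment the backend should only honour this header on a listener reachable solely from the proxy, since any peer that can send the line directly can choose what "client address" the backend sees.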