[SOLVED] PMG and HAproxy cookbook (IMAP, SMTP, POP3)

atec666 (Member, Mar 8, 2019, Issoire):
Can Proxmox Mail Gateway help me with this?
If not, which solution is the best for proxying IMAP/POP3/SMTP (993/995/587) to a backend MX server (placed in the LAN area, and so behind my firewall)?
I also submit to this question, since I have a similar problem.
@atec666 the other solution would be to map the port by NAT from the host to the container,

i.e.: using port 4025 to lxc:25, 40143 to lxc:143 and so on? :)
Yep, I know that I can NAT to my 587, 993 and 995 TCP ports on my MX backend, but from the security point of view this is not a very good choice.
DMZs are made for that: proxying... as far as I know...
 
This is hell!
How do you have this setup running?

My postfix and dovecot are on the same server, listening on 587 and 993.
If I put my computer on the LAN where the postfix server is located, I can use Thunderbird (receive the server's self-signed certificate) and correctly authenticate, bind to dovecot and postfix (send & receive).
But with HAProxy it does not work...
Do you have an example of a correct setup?

Here is my HAProxy setup:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    # ca-base /etc/ssl/certs
    # crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    # ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:R$
    # ssl-default-bind-options no-sslv3

defaults
    log global
    mode tcp
    option dontlognull
    timeout connect 5s
    timeout client 1m
    timeout server 1m

## IMAPs
frontend imaps
    bind :993
    default_backend imaps

backend imaps
    server mx1.ilinux.lan20 10.20.20.31:993

## SMTPs (Submission)
frontend submission
    bind :587
    default_backend submission

backend submission
    server mx1.ilinux.lan20 10.20.20.31:587

And the result on the MX server:
Jul 20 17:33:02 mx1 postfix/submission/smtpd[1622]: connect from rpx2.ilinux.dmz10[10.10.10.52]
Jul 20 17:33:02 mx1 postfix/submission/smtpd[1622]: improper command pipelining after EHLO from rpx2.ilinux.dmz10[10.10.10.52]: QUIT\r\n
Jul 20 17:33:02 mx1 postfix/submission/smtpd[1622]: disconnect from rpx2.ilinux.dmz10[10.10.10.52] ehlo=1 quit=1 commands=2
Jul 20 17:33:02 mx1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.10.10.52, lip=10.20.20.31, TLS: SSL_read() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<WV73jh6OvJMKCgo0>
Jul 20 17:33:02 mx1 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=10.10.10.52, lip=10.20.20.31, TLS, session=<x4/6jh6OwJMKCgo0>
 
Hi,

The simple way is to specify tcp as the protocol, without any SSL offloading certificates. If you do not specify the protocol, by default it uses http.

client - haproxy (tcp:imap port) - mailserver (tcp:imap port)

Good luck
It works... I just forgot to forward (on the firewall) 10993 to the LAN, grrrhhhhhh!
 
Here is the cook "book":

cat /etc/haproxy/haproxy.cfg

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    # ca-base /etc/ssl/certs
    # crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    # ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RS$
    # ssl-default-bind-options no-sslv3

defaults
    log global
    mode tcp
    option dontlognull
    timeout connect 5s
    timeout client 1m
    timeout server 1m

## POP3s
frontend pop3s
    bind :995
    default_backend pop3s

backend pop3s
    balance leastconn
    no option http-server-close
    option tcplog
    stick store-request src
    stick-table type ip size 200k expire 30m
    # PROXY protocol v2 carries the real client IP to the dovecot "haproxy = yes" listener
    server mx-server <server_ip>:10995 send-proxy-v2

## IMAPs
frontend imaps
    bind :993
    default_backend imaps

backend imaps
    balance leastconn
    no option http-server-close
    option tcplog
    stick store-request src
    stick-table type ip size 200k expire 30m
    server mx-server <server_ip>:10993 send-proxy-v2

## SMTPs (Submission)
frontend submission
    bind :587
    default_backend submission

backend submission
    balance leastconn
    # plain TCP pass-through to postfix, no PROXY header
    server mx-server <server_ip>:587
And for dovecot (no need to change the postfix config in my case... the internal MX is already doing STARTTLS),
in /etc/dovecot/conf.d/10-master.conf:

# here is the change:

# only these networks may send a PROXY-protocol header (this /24 trusts the whole
# DMZ subnet; a /32 would limit it to the single HAProxy host)
haproxy_trusted_networks = 10.10.10.52/24
haproxy_timeout = 3

service imap-login {
  inet_listener imap {
    #port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }

  # extra listener reached only through HAProxy (send-proxy-v2): PROXY header first, then TLS
  inet_listener imaps_haproxy {
    port = 10993
    ssl = yes
    haproxy = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    #port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }

  inet_listener pop3s_haproxy {
    port = 10995
    ssl = yes
    haproxy = yes
  }
}
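A small probe to verify the HAProxy -> dovecot leg of this cookbook (the `send-proxy-v2` / `haproxy = yes` pairing on port 10993): it builds the same PROXY protocol v2 header HAProxy emits, sends it before the TLS handshake the way HAProxy does, and reads the IMAP greeting, so you can check that dovecot then logs the spoofed-in client address as `rip=`. This is an added example, not code from the thread; the hostnames, addresses and the `cafile` (the self-signed server certificate) are assumptions you replace.

```python
import socket
import ssl
import struct

# 12-byte PROXY protocol v2 signature (note it ends in "QUIT\n")
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"


def build_proxy_v2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """PROXY v2 header for TCP over IPv4: sig, 0x21 (v2/PROXY), 0x11 (INET/STREAM), len, addresses."""
    addr = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!HH", src_port, dst_port)
    return PROXY_V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(addr)) + addr


def parse_proxy_v2_header(data: bytes):
    """Decode a captured TCP/IPv4 PROXY v2 header; returns (src_ip, src_port, dst_ip, dst_port)."""
    if len(data) < 16 or data[:12] != PROXY_V2_SIG:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto = data[12], data[13]
    addr_len = struct.unpack("!H", data[14:16])[0]
    if ver_cmd != 0x21 or fam_proto != 0x11 or addr_len < 12 or len(data) < 16 + addr_len:
        raise ValueError("unsupported PROXY v2 header (only PROXY command, TCP over IPv4)")
    src_ip, dst_ip = socket.inet_ntoa(data[16:20]), socket.inet_ntoa(data[20:24])
    src_port, dst_port = struct.unpack("!HH", data[24:28])
    return src_ip, src_port, dst_ip, dst_port


def probe_imaps_via_proxy_header(dst_ip: str, dst_port: int, src_ip: str, src_port: int,
                                 cafile: str, timeout: float = 5.0) -> str:
    """Mimic HAProxy: raw PROXY header first, then TLS; return dovecot's IMAP greeting."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust the lab's self-signed cert only
    with socket.create_connection((dst_ip, dst_port), timeout=timeout) as raw:
        raw.sendall(build_proxy_v2_header(src_ip, src_port, dst_ip, dst_port))
        with ctx.wrap_socket(raw, server_hostname=dst_ip) as tls:
            greeting = tls.recv(1024).decode(errors="replace")  # expect "* OK ... Dovecot ready."
            tls.sendall(b"a1 LOGOUT\r\n")
    return greeting


if __name__ == "__main__":
    # assumed lab values: dovecot haproxy listener, a made-up client address, the server's cert file
    print(probe_imaps_via_proxy_header("10.20.20.31", 10993, "203.0.113.7", 51234, "mx1-cert.pem"))
```

Run it from the HAProxy host: dovecot only honours the header from `haproxy_trusted_networks` and drops connections carrying one from anywhere else, and `rip=203.0.113.7` in the imap-login log line confirms the real client address is arriving.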
 