[SOLVED] PMG and HAproxy cookbook (IMAP, SMTP, POP3)
- Thread starter atec666
- Start date
yep, i know that i can nat to my 587 and 993 and 995 tcp port on my MX backend , but from the security point of view this is not very a good choice.i submit also to this questions, since i have a similar problem
@atec666 the other solution would map the port by nat from the host to the container
i.e.: using Port 4025 to lxc:25, 40143 to lxe:143 and so on?
DMZ are made for that. proxying ... as far as i know ....
this is the hell !
How do you have this setup running ?
My postfix and dovecot are on the same server, listenning on 587 and 993.
If i put my computer on the lan where postfix server is located : i can use Thunderbird . (receive server self certficate) and correctly authenticate, bind to dovecot and postfix (send & receive)
But with HAProxy it does not work ...
Do you have an example of correct setup ?
Here is my HAproxy setup :
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
# ca-base /etc/ssl/certs
# crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
# ssl-default-bind-ciphers ECDH+AESGCM
H+AESGCM:ECDH+AES256H+AES256:ECDH+AES128H+AES:RSA+AESGCM:R$# ssl-default-bind-options no-sslv3
defaults
log global
mode tcp
option dontlognull
timeout connect 5s
timeout client 1m
timeout server 1m
## IMAPs
frontend imaps
bind :993
default_backend imaps
backend imaps
server mx1.ilinux.lan20 10.20.20.31:993
## SMTPs (Submission)
frontend submission
bind :587
default_backend submission
backend submission
server mx1.ilinux.lan20 10.20.20.31:587
And the result on MX server :
Jul 20 17:33:02 mx1 postfix/submission/smtpd[1622]: connect from rpx2.ilinux.dmz10[10.10.10.52]
Jul 20 17:33:02 mx1 postfix/submission/smtpd[1622]: improper command pipelining after EHLO from rpx2.ilinux.dmz10[10.10.10.52]: QUIT\r\n
Jul 20 17:33:02 mx1 postfix/submission/smtpd[1622]: disconnect from rpx2.ilinux.dmz10[10.10.10.52] ehlo=1 quit=1 commands=2
Jul 20 17:33:02 mx1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.10.10.52, lip=10.20.20.31, TLS: SSL_read() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<WV73jh6OvJMKCgo0>
Jul 20 17:33:02 mx1 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=10.10.10.52, lip=10.20.20.31, TLS, session=<x4/6jh6OwJMKCgo0>
Hi,
The simple way is to specify tcp as protocol without any ssl offloading certificates. If you do not specified the protocol, by default it use http.
client - haproxy (tcp:imap port) - mailserver (tcp:imap port)
good luck
The simple way is to specify tcp as protocol without any ssl offloading certificates. If you do not specified the protocol, by default it use http.
client - haproxy (tcp:imap port) - mailserver (tcp:imap port)
good luck
here is the cook "book" :
cat /etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
# ca-base /etc/ssl/certs
# crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
# ssl-default-bind-ciphers ECDH+AESGCMH+AESGCM:ECDH+AES256H+AES256:ECDH+AES128H+AES:RSA+AESGCM:RS$
# ssl-default-bind-options no-sslv3
defaults
log global
mode tcp
option dontlognull
timeout connect 5s
timeout client 1m
timeout server 1m
## POP3s
frontend pop3s
bind :995
default_backend pop3s
backend pop3s
balance leastconn
no option http-server-close
option tcplog
stick store-request src
stick-table type ip size 200k expire 30m
server mx-server <server_ip>:10995 send-proxy-v2
## IMAPs
frontend imaps
bind :993
default_backend imaps
backend imaps
balance leastconn
no option http-server-close
option tcplog
stick store-request src
stick-table type ip size 200k expire 30m
server mx-server <server_ip>:10993 send-proxy-v2
## SMTPs (Submission)
frontend submission
bind :587
default_backend submission
backend submission
balance leastconn
server mx-server <server_ip>:587
cat /etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
# ca-base /etc/ssl/certs
# crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
# ssl-default-bind-ciphers ECDH+AESGCM
H+AESGCM:ECDH+AES256H+AES256:ECDH+AES128H+AES:RSA+AESGCM:RS$# ssl-default-bind-options no-sslv3
defaults
log global
mode tcp
option dontlognull
timeout connect 5s
timeout client 1m
timeout server 1m
## POP3s
frontend pop3s
bind :995
default_backend pop3s
backend pop3s
balance leastconn
no option http-server-close
option tcplog
stick store-request src
stick-table type ip size 200k expire 30m
server mx-server <server_ip>:10995 send-proxy-v2
## IMAPs
frontend imaps
bind :993
default_backend imaps
backend imaps
balance leastconn
no option http-server-close
option tcplog
stick store-request src
stick-table type ip size 200k expire 30m
server mx-server <server_ip>:10993 send-proxy-v2
## SMTPs (Submission)
frontend submission
bind :587
default_backend submission
backend submission
balance leastconn
server mx-server <server_ip>:587
Last edited:
and for dovecot (no need to change postfix config i nmy case ... internal MX already doing STARTTLS)
in /etc/dovecot/conf.d/10-master.conf :
# here is the change :
haproxy_trusted_networks = 10.10.10.52/24
haproxy_timeout = 3
service imap-login {
inet_listener imap {
#port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener imaps_haproxy {
port = 10993
ssl = yes
haproxy = yes
}
service pop3-login {
inet_listener pop3 {
#port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
inet_listener pop3s_haproxy {
port = 10995
ssl = yes
haproxy = yes
}
}
in /etc/dovecot/conf.d/10-master.conf :
# here is the change :
haproxy_trusted_networks = 10.10.10.52/24
haproxy_timeout = 3
service imap-login {
inet_listener imap {
#port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener imaps_haproxy {
port = 10993
ssl = yes
haproxy = yes
}
service pop3-login {
inet_listener pop3 {
#port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
inet_listener pop3s_haproxy {
port = 10995
ssl = yes
haproxy = yes
}
}
OK, then rename your POST(add SOLVED + HAproxy cookbook)!
Congratulations, and many happy days with HAproxy!
Congratulations, and many happy days with HAproxy!