PMG behind HAProxy with postscreen

May 20, 2017
I am going to load balance between two nodes in one PMG cluster with HAProxy. I want to use `postscreen` so that the 'Trusted networks' feature in PMG works. However, when I add `postscreen` to the Postfix `master.cf` like this, I'm not able to send mail:

Code:
<postscreen port>       inet  n -       -       -       1      postscreen
  -o content_filter=scan:127.0.0.1:10023
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=


I get the error message "Relay access denied" when I try to send mail via my postscreen port.

Where can I enable relaying with the trusted networks on another port in PMG?

Information about postscreen, HAProxy and SMTP:
https://www.haproxy.com/fr/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/
 
We use postscreen by default, so I do not really understand what you want to achieve.

I guess you just need to send mail to the internal/trusted SMTP port (not the external).

> We use postscreen by default, so I do not really understand what you want to achieve.
>
> I guess you just need to send mail to the internal/trusted SMTP port (not the external).
I am already sending mail to the internal port. postscreen is running on the external port. I have swapped 25 and 26.

What I want to achieve is that when I send mail to the internal port via a load balancer, I don't get "Relay access denied". It works perfectly fine when I send mail directly to the PMG node.
 
difficult (without access to your setup) ...

Besides, people normally simply use an MX record with multiple hosts, or a DNS A record with multiple hosts ...
I believe he has an HAProxy in front of PMG, so he needs to deal with it.

`postscreen_upstream_proxy_protocol = haproxy`

and on the HAProxy side you would add the send-proxy setting for the dedicated PMG machine.

That way the external IP is transparent to PMG; otherwise you would see the proxy's IP, which most likely is not whitelisted to send mail from, and it would also be beneficial with RBLs anyway.
I just had this running, so these are the settings if anybody needs them
(it is just an updated version of the cited very clear https://www.haproxy.com/de/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/ )


Code:
frontend smtp-25
  bind *:25
  mode tcp
  timeout client 1m
  log global
  option tcplog
  default_backend backend_pmg

backend backend_pmg
  mode tcp
  log global
  timeout server 1m
  timeout connect 5s
  # the 'send-proxy' enables proxy protocol v1, which will transmit the original client's IP at the beginning of the session
  # (this is well supported by Proxmox Mail Gateway)
  server our-internal-pmg pmg.example.internal:25 send-proxy


I am not sure how to set those `timeout` options with a default installation of the Proxmox Mail Gateway: does anybody have experience with it?
Code:
...
  # the 'send-proxy' enables proxy protocol v1, which will transmit the original client's IP at the beginning of the session
  # (this is well supported by Proxmox Mail Gateway)
  server our-internal-pmg pmg.example.internal:25 send-proxy

Please note that, as stated in the cited https://www.haproxy.com/de/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/, to have the Proxmox Mail Gateway (so its Postfix) able to understand the directive `send-proxy` (the 'proxy protocol') you must add this setting to the Postfix configuration

Code:
postscreen_upstream_proxy_protocol = haproxy

Without that setting you would see `502 5.5.2 Error: command not recognized` when you test your SMTP connection with `telnet smtp.myserver 25`

Since this setting is not available in the PMG GUI, you need to take advantage of https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine so

Code:
# the override directory must exist before the template is copied into it
mkdir /etc/pmg/templates
cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/
echo "postscreen_upstream_proxy_protocol = haproxy" >> /etc/pmg/templates/main.cf.in
pmgconfig sync --restart 1

(to be honest I would like just to *add* the one-line setting, leaving the rest of the Postfix configuration free to change with OS upgrades, but I do not know how to do it :)
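As an added illustration of the two posts above (this is example code, not anything from the thread, Proxmox, Postfix or HAProxy): a parser for the PROXY protocol v1 header that HAProxy's `send-proxy` puts in front of the SMTP session, plus a small model of what the MTA attributes the connection to with and without `postscreen_upstream_proxy_protocol = haproxy`. Without the setting the header is read as an SMTP command (the 502 above) and every session appears to come from the load balancer, so 'Trusted networks' cannot match the real client; all addresses and networks in the code are constructed sample values.

```python
"""PROXY protocol v1 header parsing, added as an example for this thread (not code
from Proxmox, Postfix or HAProxy). It shows what HAProxy's `send-proxy` puts in
front of the SMTP session and why PMG needs `postscreen_upstream_proxy_protocol =
haproxy` to read it. All addresses and networks below are constructed samples."""
import ipaddress
import re

# v1 header: "PROXY TCP4|TCP6 <src> <dst> <sport> <dport>\r\n", at most 107 bytes;
# the address-less "PROXY UNKNOWN" form is deliberately rejected here
_V1 = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")

def parse_proxy_v1(line: bytes) -> dict:
    """Parse one PROXY v1 header line; raise ValueError on anything malformed."""
    if len(line) > 107:
        raise ValueError("PROXY v1 header longer than 107 bytes")
    m = _V1.match(line)
    if not m:
        raise ValueError("not a PROXY v1 header")
    family, src, dst, sport, dport = m.groups()
    want = 4 if family == b"TCP4" else 6
    src_ip = ipaddress.ip_address(src.decode("ascii"))  # the real sending client
    dst_ip = ipaddress.ip_address(dst.decode("ascii"))  # HAProxy's frontend address
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match " + family.decode())
    if int(sport) > 65535 or int(dport) > 65535:
        raise ValueError("port out of range")
    return {"family": family.decode(), "src_ip": str(src_ip), "dst_ip": str(dst_ip),
            "src_port": int(sport), "dst_port": int(dport)}

def classify(first_line: bytes, proxy_ip: str, trusted: list, proxy_protocol: bool) -> dict:
    """Which client address the MTA attributes the session to, and whether it is trusted.
    proxy_protocol=False models PMG without postscreen_upstream_proxy_protocol: the
    header is taken for an SMTP command (502) and all mail seems to come from the LB."""
    err = None
    if proxy_protocol:
        client = parse_proxy_v1(first_line)["src_ip"]
    else:
        client = proxy_ip  # only the load balancer's address is visible
        if first_line.startswith(b"PROXY "):
            err = "502 5.5.2 Error: command not recognized"
    addr = ipaddress.ip_address(client)
    nets = [ipaddress.ip_network(n) for n in trusted]
    return {"client": client, "trusted": any(addr in n for n in nets), "error": err}

if __name__ == "__main__":
    # constructed: client 203.0.113.7 -> HAProxy 192.0.2.10 -> PMG; 203.0.113.0/24 is trusted
    hdr = b"PROXY TCP4 203.0.113.7 192.0.2.10 40123 25\r\n"
    for enabled in (True, False):
        print("proxy protocol", enabled, classify(hdr, "192.0.2.10", ["203.0.113.0/24"], enabled))
```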
> but I do not know how to do it


well, I solved it with a symbolic link (since the ABSOLUTE path option is not enabled in the template-toolkit), so the above can be replaced with


Code:
mkdir /etc/pmg/templates
ln -s /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/original_main.cf.in
echo '[% INCLUDE original_main.cf.in %]'            >  /etc/pmg/templates/main.cf.in
echo '# find me in /etc/pmg/templates/main.cf.in'   >> /etc/pmg/templates/main.cf.in
echo 'postscreen_upstream_proxy_protocol = haproxy' >> /etc/pmg/templates/main.cf.in
pmgconfig sync --restart 1


this way we don't lose any future updates on /var/lib/pmg/templates/main.cf.in


This works, but I am not sure it is the proper approach to use templates: any suggestion?
> This works, but I am not sure it is the proper approach to use templates: any suggestion?

symlinking /var/lib/pmg/templates/main.cf.in to /etc/pmg/templates makes no real sense - if you want to override settings, copy the file and make your changes there

For quite a while now, a package upgrade will ask you what to do with your modifications if it detects that the shipped templates have changed

Is this not enough for your use-case?
> Since quite a while a package-upgrade will ask you if it detects that the shipped templates has changed and what to do with your modifications

ah, you are right: this is Debian (and not CentOS)

plus this avoids warnings like `overriding earlier entry:` every time I execute `pmgconfig sync --restart`
> ah, you are right: this is Debian (and not CentOS)

yes - Debian does quite a nice job in tracking changes to config-files - in this case we added the tracking manually through `ucf` (to compare files in /var/lib to ones in /etc/)

anyways glad the solution works for you :)
 