PMG behind HAProxy with postscreen

May 20, 2017
158
15
38
Netherlands
cyberfusion.nl
I am going to load balance between two nodes in one PMG cluster with HAProxy. I want to use `postscreen` so that the 'Trusted networks' feature in PMG works. However, when I add `postscreen` to the Postfix `master.cf` like this, I'm not able to send mail:

Code:
<postscreen port>       inet  n -       -       -       1      postscreen
  -o content_filter=scan:127.0.0.1:10023
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=


I get the error message "Relay access denied" when I try to send mail via my postscreen port.

Where can I enable relaying with the trusted networks on another port in PMG?

Information about postscreen, HAProxy and SMTP:
https://www.haproxy.com/fr/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/
 
Last edited:

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
17,124
521
133
Austria
www.proxmox.com
We use postscreen by default, so I do not really understand what you want to achieve.

I guess you just need to send mail to the internal/trusted smpt port (not the expernal).
 
May 20, 2017
158
15
38
Netherlands
cyberfusion.nl
We use postscreen by default, so I do not really understand what you want to achieve.

I guess you just need to send mail to the internal/trusted smpt port (not the expernal).
I am already sending mail to the internal port. postscreen is running on the external port. I have swapped 25 and 26.

What I want to achieve is that when I send mail to the internal port via a load balancer, I don't get "Relay access denied". It works perfectly fine when I send mail directly to the PMG node.
 
Last edited:

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
17,124
521
133
Austria
www.proxmox.com
difficult (without access to you setup) ...

Besides, people normally simply use an MX record with multiple host, or DNS A record with multiple hosts ...
 

FGRO

Member
Jan 23, 2019
4
0
6
42
I believe he has an haproxy in front of pmg so he need to deal with.

postscreen_upstream_proxy_protocol = haproxy

and on the haproxy site you would add the send-proxy settings to the dedicated pmg maschine.

so the external IP gets transparent to pmg otherwise you would see the proxy’s ip which may most likely not being whitelisted to send mail from and also would be in beneficial with rbls anyway
 

Fra

Active Member
Dec 10, 2011
98
8
28
I just had this running, so this is the settings if anybody needs it
(it is just an updated version of the cited very clear https://www.haproxy.com/de/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/ )


Code:
frontend smtp-25
  bind *:25
  mode tcp
  timeout client 1m
  log global
  option tcplog
  default_backend backend_pmg

backend backend_pmg
  mode tcp
  log global
  timeout server 1m
  timeout connect 5s
  # the 'send-proxy' enable proxy protocol v1, which will transmit the original client's IP at the beginning of the session
  # (this is well supported by Proxmox Mail Gateway)
  server our-internal-pmg pmg.example.internal:25 send-proxy


I am not sure how to set those
Code:
timeout
with a default installation of the Proxmox Mail Gateway options: does anybody have experience with it?
 
Last edited:

Fra

Active Member
Dec 10, 2011
98
8
28
Code:
...
  # the 'send-proxy' enable proxy protocol v1, which will transmit the original client's IP at the beginning of the session
  # (this is well supported by Proxmox Mail Gateway)
  server our-internal-pmg pmg.example.internal:25 send-proxy

Please not that, as stated in the cited https://www.haproxy.com/de/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/, to have the Proxmox Mail Gateway (so for it's Postfix) able to understand the directive `send-proxy` (the 'proxy protocol') you must add this setting in the Postfix configuration

Code:
postscreen_upstream_proxy_protocol = haproxy

Without that settings you would see a 502 5.5.2 Error: command not recognized when you test your SMTP connection with telnet smtp.myserver 25

Since this setting is not available in the Pmg GUI, you need to take advantage of https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine so

Code:
cp /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/
mkdir /etc/pmg/templates
echo "postscreen_upstream_proxy_protocol = haproxy" >> /etc/pmg/templates/main.cf.in
pmgconfig sync --restart 1

(to be honest I would like just to *add* the one line settings leaving control of the rest of the Postfix configuration free to change with o.s. upgrade, but I do not know how to do it :)
 
Last edited:

Fra

Active Member
Dec 10, 2011
98
8
28
> but I do not know how to do it


well, I solved with a symbolic link (since the ABSOLUTE path option is not enabled in the template-toolkit), so the above can be replaced with


Code:
mkdir /etc/pmg/templates
ln -s /var/lib/pmg/templates/main.cf.in /etc/pmg/templates/original_main.cf.in
echo '[% INCLUDE original_main.cf.in %]'            >  /etc/pmg/templates/main.cf.in
echo '# find me in /etc/pmg/templates/main.cf.in'   >> /etc/pmg/templates/main.cf.in
echo 'postscreen_upstream_proxy_protocol = haproxy' >> /etc/pmg/templates/main.cf.in
pmgconfig sync --restart 1


this way we don't lose any future updates on /var/lib/pmg/templates/main.cf.in


This works, but I am not sure is the proper approach to use templates: any suggestion?
 
Last edited:

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
6,968
1,080
164
This works, but I am not sure is the proper approach to use templates: any suggestion?
symlinking /var/lib/pmg/templates/main.cf.in to /etc/pmg/templates makes no real sense - if you want to override settings copy the file and make your changes there

Since quite a while a package-upgrade will ask you if it detects that the shipped templates has changed and what to do with your modifications

Is this not enough for your use-case?
 
  • Like
Reactions: Fra

Fra

Active Member
Dec 10, 2011
98
8
28
> Since quite a while a package-upgrade will ask you if it detects that the shipped templates has changed and what to do with your modifications

ah, you are right: this is debian (and not Centos)

plus this avoid warnings like ` overriding earlier entry:` everytime I execute `pmgconfig sync --restart `
 
  • Like
Reactions: Stoiko Ivanov

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
6,968
1,080
164
ah, you are right: this is debian (and not Centos)
yes - debian does quite a nice job in tracking changes to config-files - in this case we added the tracking manually through `ucf` (to compare files in /var/lib to ones in /etc/)

anyways glad the solution works for you :)
 
  • Like
Reactions: Fra

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!