PMG behind HAProxy with postscreen

I am going to load balance between two nodes in one PMG cluster with HAProxy. I want to use `postscreen` so that the 'Trusted networks' feature in PMG works. However, when I add `postscreen` to the Postfix `master.cf` like this, I'm not able to send mail:

Code:
<postscreen port>       inet  n -       -       -       1      postscreen
  -o content_filter=scan:127.0.0.1:10023
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=

I get the error message "Relay access denied" when I try to send mail via my postscreen port.

Where can I enable relaying with the trusted networks on another port in PMG?

Information about postscreen, HAProxy and SMTP:
https://www.haproxy.com/fr/blog/efficient-smtp-relay-infrastructure-with-postfix-and-load-balancers/
 

dietmar

We use postscreen by default, so I do not really understand what you want to achieve.

I guess you just need to send mail to the internal/trusted SMTP port (not the external).
 
We use postscreen by default, so I do not really understand what you want to achieve.

I guess you just need to send mail to the internal/trusted SMTP port (not the external).
I am already sending mail to the internal port. postscreen is running on the external port. I have swapped 25 and 26.

What I want to achieve is that when I send mail to the internal port via a load balancer, I don't get "Relay access denied". It works perfectly fine when I send mail directly to the PMG node.
 

dietmar

Difficult (without access to your setup) ...

Besides, people normally simply use an MX record with multiple hosts, or a DNS A record with multiple hosts ...
 

FGRO

I believe he has an HAProxy in front of PMG, so he needs to deal with:

postscreen_upstream_proxy_protocol = haproxy

And on the HAProxy side you would add the send-proxy settings to the dedicated PMG machine.

So the external IP becomes transparent to PMG; otherwise you would see the proxy's IP, which most likely is not whitelisted to send mail from, and it would also be beneficial with RBLs anyway.
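
Added example, not part of the thread and not Proxmox or Postfix code: a Python model of what the reply above describes, showing which client address a trusted-networks check sees with and without the PROXY protocol v1 header that HAProxy's `send-proxy` prepends. All addresses are constructed documentation ranges, and `TRUSTED_NETWORKS`, `effective_client` and `relay_allowed` are hypothetical names.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
TRUSTED_NETWORKS = ["192.0.2.0/24"]   # stands in for PMG 'Trusted networks'
PROXY_IP = "198.51.100.10"            # HAProxy's address as the PMG node sees it


def parse_proxy_v1(line: bytes):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for 'PROXY UNKNOWN'."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("v1 header must end in CRLF within 107 bytes")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("malformed PROXY header")
    version = 4 if parts[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    sport, dport = int(parts[4]), int(parts[5])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, str(dst), dport


def effective_client(peer_ip, proxy_header=None):
    """Address the relay check sees. proxy_header is None when the listener
    does not expect the PROXY protocol, so only the TCP peer is known."""
    if proxy_header is None:
        return peer_ip
    parsed = parse_proxy_v1(proxy_header)
    return parsed[0] if parsed else peer_ip


def relay_allowed(client_ip):
    """True if the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in TRUSTED_NETWORKS)


if __name__ == "__main__":
    header = b"PROXY TCP4 192.0.2.25 198.51.100.10 51000 26\r\n"  # constructed
    for hdr in (None, header):
        ip = effective_client(PROXY_IP, hdr)
        print(ip, "relay allowed" if relay_allowed(ip) else "Relay access denied")
```

Because the listener believes whatever source address the header carries, a port with the PROXY protocol enabled should accept connections only from the load balancer.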
 
