PMG smtp behind nginx stream

b0xch

Member
Jun 10, 2021
Dear community!

I am currently trying to install Proxmox Mail Gateway behind a load balancer. This is because I have limited availability of public IP addresses and want to combine things.

Loadbalancer Public IP (example) 1.2.3.4
Loadbalancer internal IP: 10.0.0.1
PMG: 10.0.0.10

I am using nginx as a loadbalancer for HTTP/HTTPS and now added a tcp stream to the config.


NGINX:
server {
    listen 25;
    
    proxy_pass 10.0.0.10:25;

    proxy_protocol on;
}

This works and PMG is answering on SMTP, however, it is now displaying the IP of the load balancer 10.0.0.1 instead of the real client/sender IP. This then causes SPF to fail.

Does anyone know if PMG supports the proxy_protocol to pass on the real IP? Do I need to change something in the config to make this work?

Thanks in advance,
Jan
 
Have never tried it - but see the postfix config reference:
http://www.postfix.org/postconf.5.html#smtpd_upstream_proxy_protocol
NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol with smtpd_authorized_xclient_hosts. This supports SASL authentication in the proxy agent (Postfix 2.9 and later).

In order to adapt the postfix configuration on PMG you need to use the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

One alternative option could be to simply use iptables to redirect/nat traffic to port 25 directly to PMG.

I hope this helps!
 
Hello,

sorry to dig out that old thread. I have the same problem as b0xch.

Due to infrastructural limits that are out of my control, I need to put the PMG behind an NGINX reverse proxy.

I enabled the proxy protocol on the NGINX and added smtpd_proxy_options as well as my smtpd_authorized_xclient_hosts to the main.cf.in template.
The problem is that although my NGINX is adding the original IP in the XCLIENT headers, my NGINX IPs are still used for SPF checks.

Is there a new way to handle these checks within PMG?

Thanks for any help,
Robin
 
sorry to dig out that old thread. I have the same problem as @b0xch.
After 3 years opening a new thread would be preferred - so please open a new one if the following does not help in resolving the issue (I'll try to provide some more pointers - but keep in mind that this is not a supported scenario - so our experience with this might be limited):
* does nginx really use the xclient feature? https://www.postfix.org/XCLIENT_README.html (asking since you write that it sets some headers, which won't help for this)
* you should be able to get more information by adding -v to postscreen and all smtpd processes in master.cf:
https://www.postfix.org/DEBUG_README.html#verbose
(use the templating system if you want to have it permanent:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine)

* make sure xclient is enabled in nginx: https://nginx.org/en/docs/mail/ngx_mail_core_module.html#mail

I hope this helps!
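
The two mechanisms mentioned in this thread differ on the wire: the stream-level `proxy_protocol on` from the first post prepends a one-line PROXY header before any SMTP is spoken, while XCLIENT is an SMTP command. The following Python code is an added example, not from any poster and not Proxmox, Postfix or nginx code; it parses the version 1 text header and honours it only when the socket peer is the load balancer 10.0.0.1. The function names, the sample bytes and the assumption that nginx sends the v1 text form are assumptions made for this illustration.

```python
import ipaddress

# Assumption: only the thread's load balancer (10.0.0.1) may send a PROXY header.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}
MAX_V1_HEADER = 107  # longest legal v1 header, CRLF included
# Constructed sample: what the backend would read first on a proxied connection.
SAMPLE = b"PROXY TCP4 203.0.113.7 1.2.3.4 51234 25\r\nEHLO mail.example.org\r\n"


def parse_proxy_v1(data: bytes):
    """Return (source_ip or None, remaining_bytes); raise ValueError if invalid."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no complete PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy could not determine the client address
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address does not match declared family")
    for port in fields[4:6]:
        if not (port.isdigit() and int(port) <= 65535):
            raise ValueError("bad port")
    return src, rest


def effective_client(peer_ip: str, first_bytes: bytes):
    """Return (address to use for sender checks such as SPF, SMTP bytes)."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # A PROXY line from anyone else is a spoofing attempt, not metadata.
        if first_bytes.startswith(b"PROXY "):
            raise ValueError("PROXY header from untrusted peer")
        return peer, first_bytes
    src, rest = parse_proxy_v1(first_bytes)
    return (src or peer), rest  # UNKNOWN falls back to the socket peer


if __name__ == "__main__":
    print(effective_client("10.0.0.1", SAMPLE))
```

A backend that does not consume this header still sees 10.0.0.1 as the TCP peer, which matches the SPF symptom described in the first post.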
 
