Re: HAProxy + SMTP

From: Kevin Maziere - Amen <kevin.maziere#amen.fr>
Date: Thu, 10 Jan 2008 17:36:12 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello All,

I'm very interested in the transparent functionality of the balabit.com patch, for www and smtp.
I went to their website and saw that the patch is available only for the 2.4 kernel (error 404 when I try to download it). Do you know a way to have the same functionality on a 2.6 kernel? Or maybe the balabit patch works on 2.6 too?

kevin

Willy Tarreau wrote:
> Hi,
>
> On Tue, Jan 08, 2008 at 12:05:43PM -0800, Michael Nguyen wrote:
>> So, I've recently moved to using HAProxy as a load balancer, but I've
>> run into an issue with SMTP.  I have the following:
>>
>> HAProxy --> Many SMTP servers (front-end MX servers)
>>
>> The problem here comes with SPF and RBL checks.  The SMTP servers only 
>> see the IP address of the HAProxy load balancer and thus my SPF and RBL 
>> checks will never work.   Those of you who use HAProxy for SMTP traffic, 
>> what route do you take to solve this?
>
> This is a known limitation with proxies. To solve this, under Linux it
> is possible to apply the CTTPROXY patch to the kernel (from balabit.com)
> and build haproxy with USE_CTTPROXY=1. Using this, you will then have
> access to a new option "usesrc clientip" which will present the client's
> address to the servers by performing NAT in the kernel. Of course, for this
> you will have to configure your mail servers to route through haproxy for
> the responses to be NATed back.
>
> I've always wondered why SPF and RBL checks only apply to client's IP
> address. If those could apply to headers forwarded by intermediate proxies
> or relays, it should not be too hard to add an SMTP mode in haproxy to just
> add the client's IP address in a "received" header, just like what is done
> with the X-Forwarded-For header.
>
> Regards,
> Willy
>
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHhkl83871iH1VAboRAgmyAKCUOvjCLZRQKdlItD2AVQSjJkQvcQCeLgaC CN6I9VVMsBl344GtI0dzFms=
=ofYR
-----END PGP SIGNATURE-----

Received on 2008/01/10 17:36
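
The setup discussed in the quoted reply, as an added example that is not part of the original messages or of the HAProxy project's own configuration: a TCP-mode SMTP listener without and with the "usesrc clientip" option. All addresses and section/server names are constructed (192.0.2.0/24 is a documentation range); the second section assumes a CTTPROXY-patched kernel and haproxy built with USE_CTTPROXY=1, as the reply states.

```haproxy
# Constructed example. Addresses and names are placeholders.

defaults
    mode tcp                 # SMTP is balanced as a plain TCP stream

# Case 1: ordinary proxying.
# haproxy opens its own connection to the MX, so the MX sees the
# load balancer's address as the SMTP peer. SPF and RBL checks on
# the MX are then evaluated against the proxy, not the sender.
listen smtp_plain 192.0.2.10:25
    balance roundrobin
    server mx1 192.0.2.101:25 check
    server mx2 192.0.2.102:25 check

# Case 2: transparent source address.
# "usesrc clientip" makes the outgoing connection carry the client's
# IP address (NAT done in the kernel by CTTPROXY), so the MX can run
# SPF and RBL checks against the real sender.
# The first address (0.0.0.0) lets the system pick the local address
# used for the bind before the source is rewritten.
listen smtp_transparent 192.0.2.20:25
    balance roundrobin
    source 0.0.0.0 usesrc clientip
    server mx1 192.0.2.101:25 check
    server mx2 192.0.2.102:25 check

# Requirement on the MX hosts for case 2 (from the reply above):
# replies to client addresses must be routed back through the haproxy
# machine so the kernel can NAT them. If an MX answers the client
# directly via another gateway, the client receives packets from an
# address it never connected to and the session fails.
```

On the MX side, a quick check that case 2 is in effect is that the peer address logged for an inbound session is the sender's address rather than the load balancer's.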

This archive was generated by hypermail 2.2.0 : 2008/01/10 17:45 CET