How to configure postfix behind haproxy

Tags: haproxy, hardening, postfix, vulnerability

For the last few years I had an email server running for my small business without problems.

Now that my company has grown, I wanted to add a bit of redundancy and added a failover email server with a load balancer (haproxy) in front.

All went fine until a week ago, when we fell victim to spammers and I had to shut everything down. Using Google a lot, I found out that a load balancer without the correct config turns my postfix into an open relay.

I would like to solve this and have also found a lot of docs, but frankly I'm now a bit lost. I know that I have to add send-proxy in haproxy.cfg, amongst other changes, but I just can't figure out how to add postscreen in order to harden postfix again.

Could anyone guide me, or at least give me a link which I haven't found to a manual or tutorial on how this could be achieved?

I admit that I'm getting lost in the postfix official docs.

Many thanks in advance

Best Answer

Maybe this helps somebody out. I configure haproxy differently because I'm running inside a Kubernetes cluster, but for the configuration of postfix you update two files as follows:

master.cf

# Exposed SMTP service (postscreen support is needed to support the proxy protocol [search postscreen_upstream_proxy_protocol in main.cf])
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd

main.cf

# This is required to support the proxy protocol, to acquire the correct source IP address of whoever is connecting to this server.
# It's really important to get this information, because otherwise ALL your connections will come from your internal IP address.
# Guess what you allow to send email, without question? That's right: your $mynetworks. Which means that because you cannot get the
# correct source IP address, it permits EVERYBODY TO SEND EMAIL THROUGH YOUR SERVER! You basically become an open relay.
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 5s
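The answer leaves out the haproxy side, so here is the matching haproxy.cfg as an added example (not from the question, the answer, or the answerer's Kubernetes setup); the back-end addresses 10.0.0.11 and 10.0.0.12 are placeholders.

```haproxy
# haproxy.cfg: TCP pass-through for SMTP on port 25 in front of two postfix
# back ends running the master.cf / main.cf shown above.
# Added example; 10.0.0.11 / 10.0.0.12 are placeholder back-end addresses.

global
    log /dev/log local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend smtp_in
    bind *:25
    default_backend postfix_mx

backend postfix_mx
    balance roundrobin
    # send-proxy prepends the PROXY protocol (v1) header, so postscreen with
    # postscreen_upstream_proxy_protocol = haproxy sees the real client IP.
    # Without it every connection arrives from haproxy's own address, which
    # sits inside $mynetworks and is therefore allowed to relay.
    # check-send-proxy makes the health checks send the header as well;
    # otherwise postscreen drops them after postscreen_upstream_proxy_timeout
    # and haproxy marks the back ends as down.
    server mx1 10.0.0.11:25 check check-send-proxy send-proxy
    server mx2 10.0.0.12:25 check check-send-proxy send-proxy backup
```

With this in place the postfix logs and `postscreen` client addresses should show the remote sender's IP rather than the load balancer's; if they still show the internal address, the header is not reaching postscreen.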