How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?


How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?

cyang
I run Postfix 3.3.1 & Nginx 1.15.0

Both work great.

I'm beginning to experiment with putting Postfix (and eventually other) server behind Nginx (v 1.15.0) setup as a mail (SMTP) proxy.

Without the proxy, Postfix logs show an inbound connection to my real IP

        Jun 21 12:12:31 mailprox postfix/postscreen[55634]: CONNECT from [74.125.142.27]:43757 to [192.0.2.1]:25

The way nginx gets configured for smtp proxy, even if I'm *NOT* doing any auth is to direct the connection to a "fake" auth_http destination,

        mail {
                ...
                auth_http 127.0.0.1:33001/dummy.php;
                ...
        }
        http {
                ...
                server {
                        listen 127.0.0.1:33001;
                        ...
                        location ~ \.php$ {
                                add_header Auth-Server 127.0.0.1;
                                add_header Auth-Port 33025;
                                return 200;
                        }
                        ...
                }
        }

Switching over, the proxy is set up to listen on the real IP

        [192.0.2.1]:25

and passes to Postfix's postscreen which using the config above is listening on

        [127.0.0.1]:33025

What I see in the Postfix log is

        Jun 21 12:10:12 mailprox postfix/postscreen[55329]: CONNECT from [127.0.0.1]:31460 to [127.0.0.1]:33025
        Jun 21 12:10:12 mailprox postfix/postscreen[55329]: WHITELISTED [127.0.0.1]:31460

Mail does get delivered but postscreen is whitelisting the IP of the proxy, 127.0.0.1, and not using the real IP.

I need to somehow pass the Real-IP through to postscreen, and anything further downstream that'll need it.

For web server proxying I'd pass something like

        X-Forwarded-For

or

        X-Real-IP

to a downstream webserver listener.

What do I need for Postfix/Postscreen to correctly 'see' the Real IP?

A header added to the nginx config?  Some additional code in the auth_http? Something else?

Cheers!

Cy

Re: How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?

retheisen
On Thursday, June 21, 2018, 3:49:46 PM EDT, [hidden email] <[hidden email]> wrote:



Re: How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?

Bastian Blank-3
In reply to this post by cyang
On Thu, Jun 21, 2018 at 12:47:50PM -0700, [hidden email] wrote:
> I'm beginning to experiment with putting Postfix (and eventually other) server behind Nginx (v 1.15.0) setup as a mail (SMTP) proxy.

Why?

> What I see in the Postfix log is
> Jun 21 12:10:12 mailprox postfix/postscreen[55329]: CONNECT from [127.0.0.1]:31460 to [127.0.0.1]:33025
> Jun 21 12:10:12 mailprox postfix/postscreen[55329]: WHITELISTED [127.0.0.1]:31460

postscreen is designed to talk to the client directly.  Or at least
through transparent TCP proxies.  In the proxy case you need to use the
proxy protocol to provide client information.  However nginx is not a
TCP proxy, so not suitable for this kind of use.

You could use XCLIENT for connections to smtpd without postscreen.

> Cheers!

Please explain which problem you are trying to solve by using nginx.

Bastian

--
        "That unit is a woman."
        "A mass of conflicting impulses."
                -- Spock and Nomad, "The Changeling", stardate 3541.9

Re: How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?

Viktor Dukhovni
In reply to this post by cyang


> On Jun 21, 2018, at 3:47 PM, [hidden email] wrote:
>
> What do I need for Postfix/Postscreen to correctly 'see' the Real IP?

The simplest solution is to not stick a proxy in front of Postfix
if you can at all avoid it.  Is there a *compelling* reason to use
the proxy?

--
        Viktor.


Re: How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?

Wietse Venema
Viktor Dukhovni:
>
>
> > On Jun 21, 2018, at 3:47 PM, [hidden email] wrote:
> >
> > What do I need for Postfix/Postscreen to correctly 'see' the Real IP?
>
> The simplest solution is to not stick a proxy in front of Postfix
> if you can at all avoid it.  Is there a *compelling* reason to use
> the proxy?

I can imagine several, and they involve running MTAs in disposable
VMs, containers, etc. behind a front-end that automatically routes
mail to disposable back-end servers that spin up or down as needed.

If nginx supports HaProxy protocol then that would be an option.

Or they could just use HaProxy to begin with.

        Wietse

Re: How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?

cyang
On Fri, Jun 22, 2018, at 10:26 AM, Wietse Venema wrote:
> I can imagine several, and they involve running MTAs in disposable
> VMs, containers, etc. behind a front-end that automatically routes
> mail to disposable back-end servers that spin up or down as needed.
>
> If nginx supports HaProxy protocol then that would be an option.
>
> Or they could just use HaProxy to begin with.

Eventually, my goal is my MTA, and other server apps, in on-demand apps.

Not there yet, like I said just starting to experiment.

I did find some old comments in the mailing list, and more in the docs, that postscreen does NOT support XCLIENT.

Then I read this too

  https://thehftguy.com/2016/10/03/haproxy-vs-nginx-why-you-should-never-use-nginx-for-load-balancing/

and switched to using haproxy instead.

So far it seems to be working in front of my single instance of Postfix/Postscreen just fine, passing the "Real IP" through like I'd hoped.

Now I need to watch it for awhile and see if I'm making *other* trouble for myself.

Cy
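
Added example, not part of the thread and not Postfix or HAProxy code: the proxy protocol (version 1) line that a front-end sends ahead of the SMTP session so the backend learns the client address, together with the check that only the proxy itself may supply it. `TRUSTED_PROXIES` and the function names are assumptions for illustration; the addresses and ports are the ones from the log lines in the first post.

```python
import ipaddress

# Assumption: only the front-end proxy's address may supply a PROXY header.
# (HAProxy sends it with `send-proxy` on the server line; postscreen accepts
# it when postscreen_upstream_proxy_protocol = haproxy is set.)
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}
MAX_V1_LINE = 107  # longest v1 header allowed by the spec, CRLF included


def build_v1(src, sport, dst, dport):
    """Line the proxy writes first on the backend connection."""
    fam = "TCP6" if ipaddress.ip_address(src).version == 6 else "TCP4"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def parse_v1(peer_ip, data):
    """Return ((src, sport), (dst, dport), rest); raise ValueError if invalid."""
    # Anyone who can reach the listener could claim any client address,
    # so the header is honoured only when the TCP peer is the proxy.
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        raise ValueError("PROXY header from untrusted peer")
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ValueError("no CRLF-terminated header in first 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    # "PROXY UNKNOWN" is valid per the spec but rejected here for simplicity.
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed or unsupported PROXY v1 header")
    want = 4 if parts[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(a) for a in parts[2:4])
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    ports = []
    for p in parts[4:6]:
        if not p.isdigit() or str(int(p)) != p or int(p) > 65535:
            raise ValueError("bad port")
        ports.append(int(p))
    return (str(src), ports[0]), (str(dst), ports[1]), data[end + 2:]


def connect_line(src, dst):
    """Format the endpoints the way the postscreen CONNECT log line shows them."""
    return f"CONNECT from [{src[0]}]:{src[1]} to [{dst[0]}]:{dst[1]}"


if __name__ == "__main__":
    hdr = build_v1("74.125.142.27", 43757, "192.0.2.1", 25)
    src, dst, rest = parse_v1("127.0.0.1", hdr)
    print(connect_line(src, dst))
```

Because the backend believes whatever this line says, the proxied listener (here `127.0.0.1:33025`) should be reachable only from the proxy.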