Postfix anvil logs behind haproxy upstream

Postfix anvil logs behind haproxy upstream

plataleas

Hi all

We have submission enabled behind an haproxy. The setup works like a charm:

smtp01#cat /etc/postfix/master.cf
...
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o content_filter=smtp:[127.0.0.1]:10024
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_unauth_destination
..

haproxy01#cat /etc/haproxy/haproxy.cfg

frontend frontend_smtp.example.com-587
  bind x.x.x.x:587   # listening ip removed
  mode tcp
  default_backend backend_smtp.example.com-587
backend backend_smtp.example.com-587
  mode tcp
  balance source
  server smtp01.example.com smtp01.example.com:587 check send-proxy
  server smtp02.example.com smtp02.example.com:587 check send-proxy


smtp01 # postconf | grep mail_version

mail_version = 2.11.3

haproxy01 # haproxy -v

HA-Proxy version 1.5.8 2014/10/31


From the Postfix logs we see brute force attacks (173.220.99.186 is the client IP, not the haproxy IP):


smtp01# grep 'authentication failed'  /var/log/mail.log

May  1 16:10:55 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:55 smtp01 postfix/submission/smtpd[20989]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:56 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:57 smtp01 postfix/submission/smtpd[20989]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:58 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:59 smtp01 postfix/submission/smtpd[20989]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure


We would like to implement rate limiting. However the anvil logs (anvil is used for rate limiting) are showing the haproxy IP instead of the client IP (in this example 173.220.99.186):

smtp01# grep anvil /var/log/mail.log

May  1 16:11:01 smtp01 postfix/anvil[23221]: statistics: max cache size 12 at May  1 16:01:05
May  1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max connection rate 62/60s for (submission:a.b.c.d) at May  1 16:11:20
May  1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max connection count 2 for (submission:a.b.c.d) at May  1 16:11:01
May  1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max cache size 13 at May  1 16:11:44


a.b.c.d is, against our expectations, the haproxy IP.
-> We would expect a.b.c.d to be the SASL login source client (in this example 173.220.99.186).

Did we miss something? Thanks a lot!

plataleas


Re: Postfix anvil logs behind haproxy upstream

plataleas


The haproxy health checks produced the postfix/anvil logs.

After adding the haproxy IP to "smtpd_client_event_limit_exceptions", the postfix/anvil logs correctly showed the originating IP of the brute force attacks.

smtpd_client_event_limit_exceptions = $mynetworks $haproxy




On 05/01/2017 05:43 PM, plataleas wrote:




Re: Postfix anvil logs behind haproxy upstream

Wietse Venema
plataleas:
>
> the haproxy health checks produced the postfix/anvil logs.
>
> After adding the haproxy IP to the "smtpd_client_event_limit_exceptions"
> the postfix/anvil logs showed correctly the originating IP of the brute
> force attacks.
>
> smtpd_client_event_limit_exceptions = $mynetworks $haproxy

Thanks, that makes sense. There is no way for the proxy's IP address
to leak into Postfix after a 'normal' HaProxy handshake.

        Wietse
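As an added example (not code from this thread or from Postfix), a small Python check that runs over constructed log lines modelled on the ones above: it counts SASL failures per client and compares them with the clients anvil reports, flagging the situation in this thread where anvil's busiest client is the proxy itself rather than the brute-forcing IP. The address 10.0.0.5 stands in for the haproxy IP (a.b.c.d in the thread) and is an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the thread. 10.0.0.5 is an assumed stand-in
# for the haproxy address (a.b.c.d in the thread), not a value from the page.
SAMPLE_LOG = """\
May  1 16:10:55 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:56 smtp01 postfix/submission/smtpd[20989]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:10:57 smtp01 postfix/submission/smtpd[21376]: warning: ool-addc63ba.static.optonline.net[173.220.99.186]: SASL LOGIN authentication failed: authentication failure
May  1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max connection rate 62/60s for (submission:10.0.0.5) at May  1 16:11:20
May  1 16:21:01 smtp01 postfix/anvil[23221]: statistics: max connection count 2 for (submission:10.0.0.5) at May  1 16:11:01
"""

SASL_RE = re.compile(r"smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")
# anvil per-client peaks look like "max connection rate 62/60s for (submission:a.b.c.d)";
# "max cache size N" has no "for (...)" part and is deliberately not matched.
ANVIL_RE = re.compile(r"postfix/anvil\[\d+\]: statistics: max (.+?) (\S+) for \((\w+):([\d.]+)\)")


def sasl_failures_by_client(lines):
    """Count SASL authentication failures per client IP as seen by smtpd."""
    return Counter(m.group(1) for line in lines if (m := SASL_RE.search(line)))


def anvil_peak_clients(lines):
    """Return (metric, value, service, client_ip) tuples from anvil statistics lines."""
    return [m.groups() for line in lines if (m := ANVIL_RE.search(line))]


def audit(log_text, proxy_nets):
    """Flag when anvil's reported peak client is a proxy address, not the attacker.

    In that case smtpd_client_*_limit settings would throttle the proxy (here its
    health checks) instead of the brute-forcing client; the thread's fix is to list
    the proxy in smtpd_client_event_limit_exceptions.
    """
    nets = [ip_network(n) for n in proxy_nets]
    lines = log_text.splitlines()
    failures = sasl_failures_by_client(lines)
    peaks = anvil_peak_clients(lines)
    proxy_hits = sorted({c for *_, c in peaks if any(ip_address(c) in n for n in nets)})
    top_attacker = failures.most_common(1)[0][0] if failures else None
    return {
        "top_failing_client": top_attacker,
        "anvil_clients_on_proxy": proxy_hits,
        # True means the rate limiter is keyed on the wrong address.
        "mismatch": bool(proxy_hits) and top_attacker not in {c for *_, c in peaks},
    }
```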