haproxy protocol ipv6 support?

cvandesande
I've been successfully using Postfix 3.3.1 behind an Haproxy for a few
weeks now, and while this is a minor complaint, I just wondered if it
was known.

I have dual-stack ipv4/v6 support enabled and as a result most of my
mail that comes from Google comes from an ipv6 address.

The IP address is not parsed properly I think in the haproxy protocol,
and I suspect that was fixed in send-proxy-v2 which I believe Postfix
doesn't support. If this is the case, are there plans to support the
haproxy v2 version of the proxy protocol?

# proxy protocol
smtpd_upstream_proxy_protocol = haproxy


# ipv4 message from Twitter, ip parsed perfectly:

2018-07-12T21:11:34.840559+00:00 mailgw postfix/smtpd[2224]: Anonymous
TLS connection established from
spring-chicken-bd.twitter.com[199.16.156.169]: TLSv1.2 with cipher
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

# ipv6 message from Google, unknown (haproxy) ip appears:

2018-07-12T19:18:16.767204+00:00 mailgw postfix/smtpd[2138]: Anonymous
TLS connection established from unknown[172.18.0.1]: TLSv1.2 with cipher
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Chris

Re: haproxy protocol ipv6 support?

Wietse Venema
[hidden email]:

> I've been successfully using Postfix 3.3.1 behind an Haproxy for a few
> weeks now, and while this is a minor complaint, I just wondered if it
> was known.
>
> I have dual-stack ipv4/v6 support enabled and as a result most of my
> mail that comes from Google comes from an ipv6 address.
>
> The IP address is not parsed properly I think in the haproxy protocol,
> and I suspect that was fixed in send-proxy-v2 which I believe Postfix
> doesn't support. If this is the case, are there plans to support the
> haproxy v2 version of the proxy protocol?

If someone has time to contribute code, I will consider it. Note
that there are two Postfix haproxy handlers: a blocking handler
for smtpd, and a non-blocking handler for postscreen.

The Postfix haproxy handlers will accept both IPv4 and IPv6. I have
no idea what send-proxy-v2 looks like, but if they did not complicate
things by switching to some non-text format, then it should be easy
to reuse most of that code for send-proxy-v2.

        Wietse

Re: haproxy protocol ipv6 support?

cvandesande
Thanks for the reply- information regarding the protocols can be found
here: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

But to save time, they switched to a non-text format, as you said.

If I could code it I would :(

2.1. Human-readable header format (Version 1)

This is the format specified in version 1 of the protocol. It consists in one
line of US-ASCII text matching exactly the following block, sent immediately
and at once upon the connection establishment and prepended before any data
flowing from the sender to the receiver

2.2. Binary header format (version 2)

Producing human-readable IPv6 addresses and parsing them is very inefficient,
due to the multiple possible representation formats and the handling of compact
address format. It was also not possible to specify address families outside
IPv4/IPv6 nor non-TCP protocols. Another drawback of the human-readable format
is the fact that implementations need to parse all characters to find the
trailing CRLF, which makes it harder to read only the exact bytes count. Last,
the UNKNOWN address type has not always been accepted by servers as a valid
protocol because of its imprecise meaning.



On 12/07/18 22:44, Wietse Venema wrote:

> [hidden email]:
>> I've been successfully using Postfix 3.3.1 behind an Haproxy for a few
>> weeks now, and while this is a minor complaint, I just wondered if it
>> was known.
>>
>> I have dual-stack ipv4/v6 support enabled and as a result most of my
>> mail that comes from Google comes from an ipv6 address.
>>
>> The IP address is not parsed properly I think in the haproxy protocol,
>> and I suspect that was fixed in send-proxy-v2 which I believe Postfix
>> doesn't support. If this is the case, are there plans to support the
>> haproxy v2 version of the proxy protocol?
> If someone has time to contribute code, I will consider it. Note
> that there are two Postfix haproxy handlers: a blocking handler
> for smtpd, and a non-blocking handler for postscreen.
>
> The Postfix haproxy handlers will accept both IPv4 and IPv6. I have
> no idea what send-proxy-v2 looks like, but if they did not complicate
> things by switching to some non-text format, then it should be easy
> to reuse most of that code for send-proxy-v2.
>
> Wietse

Re: haproxy protocol ipv6 support?

Wietse Venema
[hidden email]:

> Thanks for the reply- information regarding the protocols can be found
> here: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
>
> But to save time, they switched to a non-text format, as you said.
>
> If I could code it I would :(
>
> 2.1. Human-readable header format (Version 1)
>
> This is the format specified in version 1 of the protocol. It consists in one
> line of US-ASCII text matching exactly the following block, sent immediately
> and at once upon the connection establishment and prepended before any data
> flowing from the sender to the receiver
>
> 2.2. Binary header format (version 2)
>
> Producing human-readable IPv6 addresses and parsing them is very inefficient,
> due to the multiple possible representation formats and the handling of compact
> address format. It was also not possible to specify address families outside
> IPv4/IPv6 nor non-TCP protocols. Another drawback of the human-readable format
> is the fact that implementations need to parse all characters to find the
> trailing CRLF, which makes it harder to read only the exact bytes count. Last,
> the UNKNOWN address type has not always been accepted by servers as a valid
> protocol because of its imprecise meaning.

Right, they made it more complicated, because they could not bother
to use standard library functions to parse strings. At least I hope
they use network byte order, instead of something that happens to
work on X86.

        Wietse
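
Added example, not part of the thread and not Postfix or HAProxy code: a minimal Python parser for both header formats described in the linked proxy-protocol.txt. It shows that the v1 text line and the v2 binary header (16 raw bytes per IPv6 address, length and ports in network byte order) yield the same client address that ends up in the mail log. The function names and the sample addresses (2001:db8::/32 documentation range) are constructed for illustration.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte signature that opens every v2 header

def parse_proxy_header(buf):
    """Return ((src_ip, src_port, dst_ip, dst_port) or None, header_length)."""
    if buf.startswith(V2_SIG):
        return _parse_v2(buf)
    if buf.startswith(b"PROXY "):
        return _parse_v1(buf)
    raise ValueError("no PROXY protocol header")

def _parse_v1(buf):
    end = buf.find(b"\r\n", 0, 107)          # spec caps a v1 line at 107 bytes
    if end < 0:
        raise ValueError("v1 line not terminated within 107 bytes")
    fields = buf[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":               # proxy could not name the client
        return None, end + 2
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed v1 line")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if {src.version, dst.version} != {int(fields[1][3])}:
        raise ValueError("address does not match declared family")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport, str(dst), dport), end + 2

def _parse_v2(buf):
    if len(buf) < 16:
        raise ValueError("truncated v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])  # network order
    cmd, family, total = ver_cmd & 0x0F, fam_proto >> 4, 16 + length
    if ver_cmd >> 4 != 2 or cmd not in (0, 1) or len(buf) < total:
        raise ValueError("bad version, command or length")
    if cmd == 0 or family not in (1, 2):     # LOCAL, or not AF_INET/AF_INET6
        return None, total
    alen = 4 if family == 1 else 16          # raw address size in bytes
    if length < 2 * alen + 4:
        raise ValueError("address block too short for family")
    src, dst = (ipaddress.ip_address(buf[o:o + alen]) for o in (16, 16 + alen))
    sport, dport = struct.unpack("!HH", buf[16 + 2 * alen:20 + 2 * alen])
    return (str(src), sport, str(dst), dport), total

# Constructed samples: the same client and server address in both encodings.
SAMPLE_V1 = b"PROXY TCP6 2001:0db8:0:0:0:0:0:023a 2001:db8::25 54321 25\r\nEHLO x\r\n"
_A, _B = (ipaddress.ip_address(a).packed for a in ("2001:db8::23a", "2001:db8::25"))
SAMPLE_V2 = V2_SIG + struct.pack("!2BH16s16s2H", 0x21, 0x21, 36, _A, _B, 54321, 25)
```

The returned header length tells the caller where the SMTP data starts; a receiver should accept these headers only from the proxy's own address, since the header decides which client IP is logged and checked.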

Re: haproxy protocol ipv6 support?

Juha Koho
In reply to this post by cvandesande

On 12.7.2018 23:22, [hidden email] wrote:

> I've been successfully using Postfix 3.3.1 behind an Haproxy for a few
> weeks now, and while this is a minor complaint, I just wondered if it
> was known.
>
> I have dual-stack ipv4/v6 support enabled and as a result most of my
> mail that comes from Google comes from an ipv6 address.
>
> The IP address is not parsed properly I think in the haproxy protocol,
> and I suspect that was fixed in send-proxy-v2 which I believe Postfix
> doesn't support. If this is the case, are there plans to support the
> haproxy v2 version of the proxy protocol?

Hello,

Are you sure this really is the case? I have just similar setup with
Haproxy version 1.8.12 with backends using Postfix 3.3.0 and I'm seeing
correct IPv6 addresses in mail logs:

Jul 12 12:54:07 server postfix/smtpd[25942]: Anonymous TLS connection
established from mail-wm0-x23a.google.com[2a00:1450:400c:c09::23a]:
TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)

I'm using postscreen on the backends though with

postscreen_upstream_proxy_protocol=haproxy

smtpd_upstream_proxy_protocol is not set at all.

Regards,
Juha

Re: haproxy protocol ipv6 support?

cvandesande
Oh that's interesting. Despite using Postfix for the last 10 or so
years, I've never looked at Postscreen.

I may give that a look when I have some more time. Cheers!


On 16/07/18 08:23, Juha Koho wrote:

>
> On 12.7.2018 23:22, [hidden email] wrote:
>> I've been successfully using Postfix 3.3.1 behind an Haproxy for a few
>> weeks now, and while this is a minor complaint, I just wondered if it
>> was known.
>>
>> I have dual-stack ipv4/v6 support enabled and as a result most of my
>> mail that comes from Google comes from an ipv6 address.
>>
>> The IP address is not parsed properly I think in the haproxy protocol,
>> and I suspect that was fixed in send-proxy-v2 which I believe Postfix
>> doesn't support. If this is the case, are there plans to support the
>> haproxy v2 version of the proxy protocol?
>
> Hello,
>
> Are you sure this really is the case? I have just similar setup with
> Haproxy version 1.8.12 with backends using Postfix 3.3.0 and I'm
> seeing correct IPv6 addresses in mail logs:
>
> Jul 12 12:54:07 server postfix/smtpd[25942]: Anonymous TLS connection
> established from mail-wm0-x23a.google.com[2a00:1450:400c:c09::23a]:
> TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
>
> I'm using postscreen on the backends though with
>
> postscreen_upstream_proxy_protocol=haproxy
>
> smtpd_upstream_proxy_protocol is not set at all.
>
> Regards,
> Juha