Fix authentication submission

Don't talk haproxy to postfix; it's more headaches than it is currently
worth.
main
Florent Daigniere 2 years ago
parent bba6c5bb88
commit 4d80c95c41

@ -292,9 +292,6 @@ mail {
pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER; pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+; imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;
# ensure we talk HAPROXY protocol to the backends
proxy_protocol on;
# Default SMTP server for the webmail (no encryption, but authentication) # Default SMTP server for the webmail (no encryption, but authentication)
server { server {
listen 10025; listen 10025;
@ -309,6 +306,8 @@ mail {
protocol imap; protocol imap;
smtp_auth plain; smtp_auth plain;
auth_http_header Auth-Port 10143; auth_http_header Auth-Port 10143;
# ensure we talk HAPROXY protocol to the backends
proxy_protocol on;
} }
# SMTP is always enabled, to avoid losing emails when TLS is failing # SMTP is always enabled, to avoid losing emails when TLS is failing
@ -343,6 +342,8 @@ mail {
protocol imap; protocol imap;
imap_auth plain; imap_auth plain;
auth_http_header Auth-Port 143; auth_http_header Auth-Port 143;
# ensure we talk HAPROXY protocol to the backends
proxy_protocol on;
} }
server { server {
@ -354,6 +355,8 @@ mail {
protocol pop3; protocol pop3;
pop3_auth plain; pop3_auth plain;
auth_http_header Auth-Port 110; auth_http_header Auth-Port 110;
# ensure we talk HAPROXY protocol to the backends
proxy_protocol on;
} }
server { server {
@ -382,6 +385,8 @@ mail {
protocol imap; protocol imap;
imap_auth plain; imap_auth plain;
auth_http_header Auth-Port 993; auth_http_header Auth-Port 993;
# ensure we talk HAPROXY protocol to the backends
proxy_protocol on;
} }
server { server {
@ -390,6 +395,8 @@ mail {
protocol pop3; protocol pop3;
pop3_auth plain; pop3_auth plain;
auth_http_header Auth-Port 995; auth_http_header Auth-Port 995;
# ensure we talk HAPROXY protocol to the backends
proxy_protocol on;
} }
{% endif %} {% endif %}
{% endif %} {% endif %}
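Review bot: After this change the SMTP `server` blocks (the one listening on 10025 in the first hunk, and presumably the one following the "SMTP is always enabled" comment, whose body lies outside the hunk) are the only backends without `proxy_protocol on;`, and nothing in the file says this is deliberate. A comment on those blocks, such as `# no proxy_protocol for SMTP: postfix smtpd is not set up to parse the PROXY header (see master.cf)`, would keep someone from hoisting the directive back to the `mail {}` level, which is the placement this commit removes. The same comment should state how postfix learns the real client address for SMTP, since without PROXY that presumably relies on nginx's XCLIENT handling, which is not visible in these hunks. Separately, the context line `smtp_auth plain;` inside the `protocol imap;` server with Auth-Port 10143 looks like it was meant to be `imap_auth plain;`; it is not part of this change but sits directly above the added lines.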

@ -2,10 +2,10 @@
# (yes) (yes) (yes) (never) (100) # (yes) (yes) (yes) (never) (100)
# Exposed SMTP service # Exposed SMTP service
smtp inet n - n - 1 postscreen smtp inet n - n - 1 smtpd
# Internal SMTP service # Internal SMTP service
10025 inet n - n - 1 postscreen 10025 inet n - n - 1 smtpd
-o smtpd_sasl_auth_enable=yes -o smtpd_sasl_auth_enable=yes
-o smtpd_discard_ehlo_keywords=pipelining -o smtpd_discard_ehlo_keywords=pipelining
-o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
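Review bot: Switching the exposed `smtp` service from `postscreen` to `smtpd` changes more than PROXY-header parsing: any pre-greeting or DNSBL screening that postscreen performed on port 25 stops with this line, and the commit message does not say whether that is intended. The matching main.cf settings are not part of the diff as shown, so confirm that no `postscreen_upstream_proxy_protocol` or `smtpd_upstream_proxy_protocol` value is left behind; smtpd with the latter still set would wait for a PROXY header that nginx no longer sends. On the `10025` service, the client address that postfix logs and uses for any address-based restriction will be the proxy's unless it is forwarded some other way. I would add a comment above the `smtp` line, e.g. `# smtpd, not postscreen: nginx does not send PROXY to postfix`, so the choice is recorded in the file.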

@ -0,0 +1 @@
Don't talk haproxy to postfix yet.