Same for front-smtp

This should enable postfix to have visibility on TLS usage and fix the
following: #1705

core/nginx/conf/nginx.conf

@@ -292,6 +292,9 @@ mail {
     pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
     imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;
 
+    # ensure we talk HAPROXY protocol to the backends
+    proxy_protocol on;
+
     # Default SMTP server for the webmail (no encryption, but authentication)
     server {
       listen 10025;
@@ -338,7 +341,6 @@ mail {
       starttls only;
       {% endif %}
       protocol imap;
-      proxy_protocol on;
       imap_auth plain;
       auth_http_header Auth-Port 143;
     }
@@ -350,7 +352,6 @@ mail {
       starttls only;
       {% endif %}
       protocol pop3;
-      proxy_protocol on;
       pop3_auth plain;
       auth_http_header Auth-Port 110;
     }
@@ -379,7 +380,6 @@ mail {
       listen 993 ssl;
       listen [::]:993 ssl;
       protocol imap;
-      proxy_protocol on;
       imap_auth plain;
       auth_http_header Auth-Port 993;
     }
@@ -388,7 +388,6 @@ mail {
       listen 995 ssl;
       listen [::]:995 ssl;
       protocol pop3;
-      proxy_protocol on;
       pop3_auth plain;
       auth_http_header Auth-Port 995;
     }

core/postfix/conf/main.cf

@@ -22,6 +22,8 @@ alias_maps =
 # Podop configuration
 podop = socketmap:unix:/tmp/podop.socket:
 
+postscreen_upstream_proxy_protocol = haproxy
+
 # Only accept virtual emails
 mydestination =
 
@@ -37,9 +39,8 @@ smtp_sasl_tls_security_options = noanonymous
 # Recipient delimiter for extended addresses
 recipient_delimiter = {{ RECIPIENT_DELIMITER }}
 
-# Only the front server is allowed to perform xclient
-# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
-smtpd_authorized_xclient_hosts={{ SUBNET }}
+# We need to allow everything to do xclient and rely on front to filter-out "bad" requests
+smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0
 
 ###############
 # TLS

core/postfix/conf/master.cf

@@ -2,10 +2,10 @@
 #               (yes)   (yes)   (yes)   (never) (100)
 
 # Exposed SMTP service
-smtp      inet  n       -       n       -       -       smtpd
+smtp      inet  n       -       n       -       1       postscreen
 
 # Internal SMTP service
-10025     inet  n       -       n       -       -       smtpd
+10025     inet  n       -       n       -       1       postscreen
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_discard_ehlo_keywords=pipelining
   -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
@@ -44,6 +44,7 @@ verify    unix  -       -       n       -       1       verify
 flush     unix  n       -       n       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 smtp      unix  -       -       n       -       -       smtp
+smtpd     pass  -       -       n       -       -       smtpd
 relay     unix  -       -       n       -       -       smtp
 error     unix  -       -       n       -       -       error
 retry     unix  -       -       n       -       -       error
@@ -52,4 +53,3 @@ lmtp      unix  -       -       n       -       -       lmtp
 anvil     unix  -       -       n       -       1       anvil
 scache    unix  -       -       n       -       1       scache
 postlog   unix-dgram n  -       n       -       1       postlogd
-