diff --git a/core/admin/mailu/internal/views/dovecot.py b/core/admin/mailu/internal/views/dovecot.py index 07fce5b2..f9a07556 100644 --- a/core/admin/mailu/internal/views/dovecot.py +++ b/core/admin/mailu/internal/views/dovecot.py @@ -17,7 +17,7 @@ def dovecot_passdb_dict(user_email): return flask.jsonify({ "password": None, "nopassword": "Y", - "allow_nets": ",".join(allow_nets) + "allow_real_nets": ",".join(allow_nets) }) @internal.route("/dovecot/userdb/") diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf index d9b85172..60c94238 100644 --- a/core/dovecot/conf/dovecot.conf +++ b/core/dovecot/conf/dovecot.conf @@ -11,6 +11,8 @@ default_internal_user = dovecot default_login_user = mail default_internal_group = dovecot +haproxy_trusted_networks = {{ SUBNET }} {{ SUBNET6 }} + ############### # Mailboxes ############### @@ -109,6 +111,7 @@ protocol pop3 { service imap-login { inet_listener imap { port = 143 + haproxy = yes } } diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index 2c2b568d..8bfddace 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf @@ -292,6 +292,9 @@ mail { pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER; imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+; + # ensure we talk HAPROXY protocol to the backends + proxy_protocol on; + # Default SMTP server for the webmail (no encryption, but authentication) server { listen 10025; diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile index dab4396c..df902dd4 100644 --- a/core/postfix/Dockerfile +++ b/core/postfix/Dockerfile @@ -15,7 +15,7 @@ COPY start.py / RUN echo $VERSION >/version EXPOSE 25/tcp 10025/tcp -HEALTHCHECK --start-period=350s CMD echo QUIT|nc localhost 25|grep "220 .* ESMTP Postfix" +HEALTHCHECK --start-period=350s CMD /usr/sbin/postfix status VOLUME ["/queue"] diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf index 2f0275b7..32996095 100644 --- a/core/postfix/conf/main.cf +++ b/core/postfix/conf/main.cf @@ -22,6 +22,9 @@ alias_maps = # Podop configuration podop = socketmap:unix:/tmp/podop.socket: +postscreen_upstream_proxy_protocol = haproxy +compatibility_level=3.6 + # Only accept virtual emails mydestination = @@ -37,9 +40,8 @@ smtp_sasl_tls_security_options = noanonymous # Recipient delimiter for extended addresses recipient_delimiter = {{ RECIPIENT_DELIMITER }} -# Only the front server is allowed to perform xclient -# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead. -smtpd_authorized_xclient_hosts={{ SUBNET }} +# We need to allow everything to do xclient and rely on front to filter-out "bad" requests +smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0 ############### # TLS diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf index bec96a30..116633f1 100644 --- a/core/postfix/conf/master.cf +++ b/core/postfix/conf/master.cf @@ -2,10 +2,10 @@ # (yes) (yes) (yes) (never) (100) # Exposed SMTP service -smtp inet n - n - - smtpd +smtp inet n - n - 1 postscreen # Internal SMTP service -10025 inet n - n - - smtpd +10025 inet n - n - 1 postscreen -o smtpd_sasl_auth_enable=yes -o smtpd_discard_ehlo_keywords=pipelining -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit @@ -44,6 +44,7 @@ verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - n - - smtp +smtpd pass - - n - - smtpd relay unix - - n - - smtp error unix - - n - - error retry unix - - n - - error @@ -52,4 +53,3 @@ lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache postlog unix-dgram n - n - 1 postlogd - diff --git a/towncrier/newsfragments/2603.bugfix b/towncrier/newsfragments/2603.bugfix new file mode 100644 index 00000000..7fdb9ef2 --- /dev/null +++ b/towncrier/newsfragments/2603.bugfix @@ -0,0 +1 @@ +Speak HAPROXY protocol in between front and smtp and front and imap. This ensures the backend is aware of the real client IP and whether TLS was used.