From 4ae0d7d768f6a166a7f0dd14a5e8b421558973f9 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 28 Dec 2022 14:17:00 +0100
Subject: [PATCH 1/6] Enable HAPROXY protocol in between front and imap
With this we avoid running into the limitations of mail_max_userip_connections (see #894 amd #1364) and the logfiles as well as ``doveadm who`` give an accurate picture.
---
 core/admin/mailu/internal/views/dovecot.py | 2 +-
 core/dovecot/conf/dovecot.conf | 3 +++
 core/nginx/conf/nginx.conf | 4 ++++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/core/admin/mailu/internal/views/dovecot.py b/core/admin/mailu/internal/views/dovecot.py
index 07fce5b2..f9a07556 100644
--- a/core/admin/mailu/internal/views/dovecot.py
+++ b/core/admin/mailu/internal/views/dovecot.py
@@ -17,7 +17,7 @@ def dovecot_passdb_dict(user_email):
 return flask.jsonify({
 "password": None,
 "nopassword": "Y",
- "allow_nets": ",".join(allow_nets)
+ "allow_real_nets": ",".join(allow_nets)
 })

 @internal.route("/dovecot/userdb/")
diff --git a/core/dovecot/conf/dovecot.conf b/core/dovecot/conf/dovecot.conf
index d9b85172..60c94238 100644
--- a/core/dovecot/conf/dovecot.conf
+++ b/core/dovecot/conf/dovecot.conf
@@ -11,6 +11,8 @@ default_internal_user = dovecot
 default_login_user = mail
 default_internal_group = dovecot

+haproxy_trusted_networks = {{ SUBNET }} {{ SUBNET6 }}
+
 ###############
 # Mailboxes
 ###############
@@ -109,6 +111,7 @@ protocol pop3 {
 service imap-login {
 inet_listener imap {
 port = 143
+ haproxy = yes
 }
 }

diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index b373fb13..7e5e7b5c 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -338,6 +338,7 @@ mail {
 starttls only;
 {% endif %}
 protocol imap;
+ proxy_protocol on;
 imap_auth plain;
 auth_http_header Auth-Port 143;
 }
@@ -349,6 +350,7 @@ mail {
 starttls only;
 {% endif %}
 protocol pop3;
+ proxy_protocol on;
 pop3_auth plain;
 auth_http_header Auth-Port 110;
 }
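Review bot: The change from `allow_nets` to `allow_real_nets` is correct but unexplained, and a later reader is likely to "fix" it back: once the imap listener speaks the HAPROXY protocol, `allow_nets` is matched against the forwarded client address, which is never inside the Mailu subnet, whereas `allow_real_nets` is matched against the TCP peer, i.e. front. A comment on the new line such as `# the imap listener uses the HAPROXY protocol: allow_nets would check the forwarded client IP, allow_real_nets checks the TCP peer (front), which is what we pin to SUBNET` would preserve that reasoning. dovecot_passdb_dict begins above the hunk, so the construction of allow_nets itself is not visible here.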
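Review bot: Only `inet_listener imap` on port 143 receives `haproxy = yes`, yet the nginx hunks in this same patch enable `proxy_protocol on` for the pop3 servers on 110 and 995 too; if front proxies POP3 to dovecot's `pop3-login` listener (that block is outside the hunk and is not touched anywhere in the series), that listener will receive a PROXY header it is not configured to parse and the session will fail. Either add `haproxy = yes` to the pop3 inet_listener as well or keep `proxy_protocol` off for the pop3 servers. It is also worth a comment next to `haproxy_trusted_networks` that a listener with `haproxy = yes` expects the PROXY header on every connection, so anything that bypasses front and connects to dovecot directly will be refused.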
@@ -377,6 +379,7 @@ mail {
 listen 993 ssl;
 listen [::]:993 ssl;
 protocol imap;
+ proxy_protocol on;
 imap_auth plain;
 auth_http_header Auth-Port 993;
 }
@@ -385,6 +388,7 @@ mail {
 listen 995 ssl;
 listen [::]:995 ssl;
 protocol pop3;
+ proxy_protocol on;
 pop3_auth plain;
 auth_http_header Auth-Port 995;
 }
From 55c1e555294c4232b2d8385c67f1a9a81691dc26 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 28 Dec 2022 15:21:28 +0100
Subject: [PATCH 2/6] Same for front-smtp
This should enable postfix to have visibility on TLS usage and fix the following: #1705
---
 core/nginx/conf/nginx.conf | 7 +++----
 core/postfix/conf/main.cf | 7 ++++---
 core/postfix/conf/master.cf | 6 +++---
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 7e5e7b5c..7dc3be90 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -292,6 +292,9 @@ mail {
 pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
 imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;

+ # ensure we talk HAPROXY protocol to the backends
+ proxy_protocol on;
+
 # Default SMTP server for the webmail (no encryption, but authentication)
 server {
 listen 10025;
@@ -338,7 +341,6 @@ mail {
 starttls only;
 {% endif %}
 protocol imap;
- proxy_protocol on;
 imap_auth plain;
 auth_http_header Auth-Port 143;
 }
@@ -350,7 +352,6 @@ mail {
 starttls only;
 {% endif %}
 protocol pop3;
- proxy_protocol on;
 pop3_auth plain;
 auth_http_header Auth-Port 110;
 }
@@ -379,7 +380,6 @@ mail {
 listen 993 ssl;
 listen [::]:993 ssl;
 protocol imap;
- proxy_protocol on;
 imap_auth plain;
 auth_http_header Auth-Port 993;
 }
@@ -388,7 +388,6 @@ mail {
 listen 995 ssl;
 listen [::]:995 ssl;
 protocol pop3;
- proxy_protocol on;
 pop3_auth plain;
 auth_http_header Auth-Port 995;
 }
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 2f0275b7..474bf42c 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -22,6 +22,8 @@ alias_maps =
 # Podop configuration
 podop = socketmap:unix:/tmp/podop.socket:

+postscreen_upstream_proxy_protocol = haproxy
+
 # Only accept virtual emails
 mydestination =

@@ -37,9 +39,8 @@ smtp_sasl_tls_security_options = noanonymous
 # Recipient delimiter for extended addresses
 recipient_delimiter = {{ RECIPIENT_DELIMITER }}

-# Only the front server is allowed to perform xclient
-# In kubernetes and Docker swarm, such address cannot be determined using the hostname. Allow for the whole Mailu subnet instead.
-smtpd_authorized_xclient_hosts={{ SUBNET }}
+# We need to allow everything to do xclient and rely on front to filter-out "bad" requests
+smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0

 ###############
 # TLS
diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf
index bec96a30..116633f1 100644
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@@ -2,10 +2,10 @@
 # (yes) (yes) (yes) (never) (100)

 # Exposed SMTP service
-smtp inet n - n - - smtpd
+smtp inet n - n - 1 postscreen

 # Internal SMTP service
-10025 inet n - n - - smtpd
+10025 inet n - n - 1 postscreen
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_discard_ehlo_keywords=pipelining
 -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
@@ -44,6 +44,7 @@ verify unix - - n - 1 verify
 flush unix n - n 1000? 0 flush
 proxymap unix - - n - - proxymap
 smtp unix - - n - - smtp
+smtpd pass - - n - - smtpd
 relay unix - - n - - smtp
 error unix - - n - - error
 retry unix - - n - - error
@@ -52,4 +53,3 @@ lmtp unix - - n - - lmtp
 anvil unix - - n - 1 anvil
 scache unix - - n - 1 scache
 postlog unix-dgram n - n - 1 postlogd
-
From 163261d95169ac55931e528caeb3795e19858396 Mon Sep 17 00:00:00 2001
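Review bot: `smtpd_authorized_xclient_hosts=0.0.0.0/0 [::0]/0` together with `postscreen_upstream_proxy_protocol = haproxy` from the hunk above makes the postfix listeners trust whatever the connecting peer asserts: Postfix has no counterpart to Dovecot's `haproxy_trusted_networks`, so any peer that can reach ports 25 or 10025 can supply a PROXY header with an arbitrary source address and then use XCLIENT to set ADDR, HELO and LOGIN, the last of which is treated as SASL-authenticated by `reject_authenticated_sender_login_mismatch` and `permit`. That is acceptable only when those ports are reachable from nothing but front, and the comment should state that invariant instead of "rely on front to filter-out bad requests": `# With the HAPROXY protocol postfix sees the real client address, so front no longer matches SUBNET. Any peer that can reach 25/10025 can forge the PROXY header and XCLIENT (incl. LOGIN): these ports must be reachable only from front.` The dropped Kubernetes/Swarm remark explained why a subnet rather than a hostname was used; if that reasoning still applies elsewhere in this file, keep it.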
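Review bot: The `-o smtpd_sasl_auth_enable=yes`, `-o smtpd_discard_ehlo_keywords=pipelining` and `-o smtpd_client_restrictions=…` overrides under the 10025 entry now hang off a postscreen service, and postscreen does not pass `-o smtpd_*` settings on to the smtpd it hands the connection to; both ports are handed to the single new `smtpd pass` entry, which carries no overrides, so the internal listener loses SASL and its relaxed client restrictions and the two ports become indistinguishable to smtpd. The usual fix is a second pass service for 10025, selected with `-o smtpd_service_name=…` on its postscreen entry, with the smtpd overrides moved onto that pass entry; the override list for 10025 continues past the hunk and would move with it. Postscreen's own pregreet/DNSBL tests (configured outside this hunk) would also apply to front's authenticated submissions on 10025 unless disabled for that entry.
```text
# Internal SMTP service
10025     inet  n       -       n       -       1       postscreen
  -o smtpd_service_name=smtpd_sasl
# … unchanged: flush/proxymap/smtp entries …
smtpd     pass  -       -       n       -       -       smtpd
smtpd_sasl pass -       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_discard_ehlo_keywords=pipelining
  -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
# … unchanged: remaining -o overrides moved here from the 10025 entry …
```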
From: Florent Daigniere
Date: Wed, 28 Dec 2022 15:45:47 +0100
Subject: [PATCH 3/6] Towncrier
---
 towncrier/newsfragments/2603.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/2603.bugfix
diff --git a/towncrier/newsfragments/2603.bugfix b/towncrier/newsfragments/2603.bugfix
new file mode 100644
index 00000000..7fdb9ef2
--- /dev/null
+++ b/towncrier/newsfragments/2603.bugfix
@@ -0,0 +1 @@
+Speak HAPROXY protocol in between front and smtp and front and imap. This ensures the backend is aware of the real client IP and whether TLS was used.
From 7a2d06401af7694385a243a10f7d9ba5292df154 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 28 Dec 2022 16:05:39 +0100
Subject: [PATCH 4/6] Tweak postfix logging
---
 core/postfix/conf/main.cf | 1 +
 core/postfix/conf/rsyslog.conf | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 474bf42c..32996095 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -23,6 +23,7 @@ alias_maps =
 podop = socketmap:unix:/tmp/podop.socket:

 postscreen_upstream_proxy_protocol = haproxy
+compatibility_level=3.6

 # Only accept virtual emails
 mydestination =
diff --git a/core/postfix/conf/rsyslog.conf b/core/postfix/conf/rsyslog.conf
index 6423eb4d..b1d2f389 100644
--- a/core/postfix/conf/rsyslog.conf
+++ b/core/postfix/conf/rsyslog.conf
@@ -31,6 +31,8 @@ module(load="imuxsock")
 # Discard messages from local test requests
 :msg, contains, "connect from localhost[127.0.0.1]" ~
 :msg, contains, "connect from localhost[::1]" ~
+:msg, contains, "haproxy read: short protocol header: QUIT" ~
+:msg, contains, "discarding EHLO keywords: PIPELINING" ~

 {% if POSTFIX_LOG_FILE %}
 # Log mail logs to file
From 83ea70849018d175c3a60d2750f791fb9b705794 Mon Sep 17 00:00:00 2001
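Review bot: `compatibility_level=3.6` lands under a "Tweak postfix logging" title with no comment, and it does more than touch logging: raising the level makes Postfix adopt its current defaults for every setting it had been warning about as backwards-compatible, so the line should say what it is for and those defaults should be reviewed, not just the log noise. Presumably the intent is to stop the compatibility warnings; a comment such as `# stop the backwards-compatible default warnings; this also opts into the 3.6 defaults for the settings they cover` above it would make that explicit. Writing it as `compatibility_level = 3.6` would also match the spacing of the neighbouring `postscreen_upstream_proxy_protocol = haproxy`.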
From: Florent Daigniere
Date: Wed, 28 Dec 2022 16:26:46 +0100
Subject: [PATCH 5/6] fix healthcheck
---
 core/postfix/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index dab4396c..df902dd4 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -15,7 +15,7 @@ COPY start.py /
 RUN echo $VERSION >/version

 EXPOSE 25/tcp 10025/tcp

-HEALTHCHECK --start-period=350s CMD echo QUIT|nc localhost 25|grep "220 .* ESMTP Postfix"
+HEALTHCHECK --start-period=350s CMD /usr/sbin/postfix status

 VOLUME ["/queue"]
From 36b3a9f4fb1099d4477142c25f6e6ad2a8eef7c3 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 28 Dec 2022 17:05:34 +0100
Subject: [PATCH 6/6] Will fix it in another PR
---
 core/postfix/conf/rsyslog.conf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/core/postfix/conf/rsyslog.conf b/core/postfix/conf/rsyslog.conf
index b1d2f389..6423eb4d 100644
--- a/core/postfix/conf/rsyslog.conf
+++ b/core/postfix/conf/rsyslog.conf
@@ -31,8 +31,6 @@ module(load="imuxsock")
 # Discard messages from local test requests
 :msg, contains, "connect from localhost[127.0.0.1]" ~
 :msg, contains, "connect from localhost[::1]" ~
-:msg, contains, "haproxy read: short protocol header: QUIT" ~
-:msg, contains, "discarding EHLO keywords: PIPELINING" ~

 {% if POSTFIX_LOG_FILE %}
 # Log mail logs to file
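Review bot: `/usr/sbin/postfix status` only reports whether the master daemon is running, whereas the removed probe confirmed that port 25 actually answered with a banner; the banner probe presumably stopped working because postscreen now expects a PROXY header before anything else (the rsyslog filter for `haproxy read: short protocol header: QUIT` in patch 4/6 points the same way). The new check is therefore weaker, and a comment above it should say why it was downgraded: `# port 25 now expects the HAPROXY protocol, so a plain banner probe fails; this only verifies that master is alive`. If a listener-level check is wanted later, the probe would have to send a PROXY header first, which nothing in this hunk does.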