From 4d80c95c41a1e2046a37848d11947bf804c0bbab Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Tue, 3 Jan 2023 15:57:57 +0100 Subject: [PATCH] Fix authentication submission Don't talk haproxy to postfix; it's more headaches than it is currently worth. --- core/nginx/conf/nginx.conf | 13 ++++++++++--- core/postfix/conf/master.cf | 4 ++-- towncrier/newsfragments/2608.fix | 1 + 3 files changed, 13 insertions(+), 5 deletions(-) create mode 100644 towncrier/newsfragments/2608.fix diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf index 8bfddace..d1b4923e 100644 --- a/core/nginx/conf/nginx.conf +++ b/core/nginx/conf/nginx.conf @@ -292,9 +292,6 @@ mail { pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER; imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+; - # ensure we talk HAPROXY protocol to the backends - proxy_protocol on; - # Default SMTP server for the webmail (no encryption, but authentication) server { listen 10025; @@ -309,6 +306,8 @@ mail { protocol imap; smtp_auth plain; auth_http_header Auth-Port 10143; + # ensure we talk HAPROXY protocol to the backends + proxy_protocol on; } # SMTP is always enabled, to avoid losing emails when TLS is failing @@ -343,6 +342,8 @@ mail { protocol imap; imap_auth plain; auth_http_header Auth-Port 143; + # ensure we talk HAPROXY protocol to the backends + proxy_protocol on; } server { @@ -354,6 +355,8 @@ mail { protocol pop3; pop3_auth plain; auth_http_header Auth-Port 110; + # ensure we talk HAPROXY protocol to the backends + proxy_protocol on; } server { @@ -382,6 +385,8 @@ mail { protocol imap; imap_auth plain; auth_http_header Auth-Port 993; + # ensure we talk HAPROXY protocol to the backends + proxy_protocol on; } server { @@ -390,6 +395,8 @@ mail { protocol pop3; pop3_auth plain; auth_http_header Auth-Port 995; + # ensure we talk HAPROXY protocol to the backends + proxy_protocol on; } {% endif %} {% endif %} 
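Review bot: With `proxy_protocol on;` now set only in the IMAP and POP3 server blocks (hunks at -309, -343, -354, -382 and -390), the SMTP listeners send no PROXY header, and nothing in this file says how postfix learns the real client address any more. If it is not supplied another way (nginx's XCLIENT support, for instance, which is not visible here), address-keyed checks, possibly the `$check_ratelimit` restriction shown in master.cf, and the postfix logs would see the proxy's address for every session. A comment in the SMTP server blocks would record the intent, e.g. `# no proxy_protocol here: postfix does not expect the PROXY header (see 2608)`, so that a later server block is not added with the wrong setting. The unchanged context of the -309 hunk also pairs `protocol imap` with `smtp_auth plain`, which looks like a leftover for `imap_auth plain`. The server blocks start and end outside the hunks.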
diff --git a/core/postfix/conf/master.cf b/core/postfix/conf/master.cf index 116633f1..86659460 100644 --- a/core/postfix/conf/master.cf +++ b/core/postfix/conf/master.cf @@ -2,10 +2,10 @@ # (yes) (yes) (yes) (never) (100) # Exposed SMTP service -smtp inet n - n - 1 postscreen +smtp inet n - n - 1 smtpd # Internal SMTP service -10025 inet n - n - 1 postscreen +10025 inet n - n - 1 smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_discard_ehlo_keywords=pipelining -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit diff --git a/towncrier/newsfragments/2608.fix b/towncrier/newsfragments/2608.fix new file mode 100644 index 00000000..850e647c --- /dev/null +++ b/towncrier/newsfragments/2608.fix @@ -0,0 +1 @@ +Don't talk haproxy to postfix yet.
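Review bot: Both changed lines keep `1` in the maxproc column (the last flag before the command, default 100 per the header comment), which postscreen needed but which caps smtpd at a single process, so one slow or stalled session can hold the only slot on the exposed `smtp` service and on `10025`. Unless that limit is intended, the lines would read `smtp inet n - n - - smtpd` and `10025 inet n - n - - smtpd`. Dropping postscreen also removes whatever pre-greeting and blocklist triage it performed in front of the exposed service (its main.cf settings are not visible here); if this is temporary, a comment such as `# postscreen disabled until PROXY protocol to postfix works again (see 2608)` above the `smtp` line would keep that from being forgotten.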