1 (edited by jackavin 2017-01-01 19:43:40)

Topic: AWS ELB proxy protocol with dovecot

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.84
- Linux/BSD distribution name and version: debian 8 jessie
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  mysql
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- Related log if you're reporting an issue:
====

I have enabled proxy protocol but somehow IMAP gives an SSL error.
Has anyone succeeded in setting up proxy protocol with AWS ELB?
Please guide me.

Thank you


2

Re: AWS ELB proxy protocol with dovecot

Done.

Just had to configure more at the firewall.

Thank you

3

Re: AWS ELB proxy protocol with dovecot

Would you mind sharing the solution here?

4 (edited by jackavin 2017-01-05 14:43:39)

Re: AWS ELB proxy protocol with dovecot

1. Enable Proxy Protocol at ELB
http://docs.aws.amazon.com/elasticloadb … tocol.html
Ports I enabled:
10995
10993

2. Go to the security group and allow 10995 and 10993.
3. iptables: allow the ports
iptables -A INPUT -p tcp -m tcp --dport 10995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10993 -j ACCEPT
service iptables save
4. nano /etc/dovecot/dovecot.conf

service imap-login {
  inet_listener {
    haproxy = yes
    port = 10993
    ssl = yes
  }
}

Then restart.

http://wiki2.dovecot.org/HAProxy

5. Change the ELB listeners:
993 -> 10993
995 -> 10995
Done.

5

Re: AWS ELB proxy protocol with dovecot

But no success with Postfix on ports 465 and 587.
If anyone has made it work, please share.

Thank you

6

Re: AWS ELB proxy protocol with dovecot

According to your configuration, it seems ELB is based on HAProxy.

jackavin wrote:

But no success with postfix with port 465 and 587.

Search "haproxy" here:
http://www.postfix.org/postconf.5.html

Our cluster solution uses HAProxy too, and it works. :)

7

Re: AWS ELB proxy protocol with dovecot

Cannot get it to work, tried everything.

nano /etc/postfix/master.cf
10587 inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

10465 inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o smtpd_upstream_proxy_protocol=haproxy
  -o postscreen_upstream_proxy_protocol=haproxy

nano /etc/postfix/main.cf

# Proxy Protocol
#postscreen_upstream_proxy_protocol = haproxy
#postscreen_upstream_proxy_timeout = 1s
#smtpd_upstream_proxy_protocol = haproxy

When I set postscreen_upstream_proxy_protocol = haproxy, I get:
error limit exceeded

8

Re: AWS ELB proxy protocol with dovecot

You'd better search 'haproxy' a few more times on that Postfix doc page :D

9

Re: AWS ELB proxy protocol with dovecot

So tired of searching; I've tried everything and it's still the same.
Can you help? I'll buy you 2 cups of coffee.

Thank you

10

Re: AWS ELB proxy protocol with dovecot

You already found the parameters:

smtpd_upstream_proxy_protocol=haproxy
postscreen_upstream_proxy_protocol=haproxy

The key is, use "postscreen_upstream_proxy_protocol" for postscreen service, use "smtpd_upstream_proxy_protocol" for smtpd service. Don't use them both for one service.

That's it. Simple, isn't it?

11 (edited by jackavin 2017-01-06 22:18:41)

Re: AWS ELB proxy protocol with dovecot

I have tried, but it's not working.

Is master.cf correct?

12 (edited by jackavin 2017-01-07 01:24:41)

Re: AWS ELB proxy protocol with dovecot

Help, very close now, but an SSL error:

10465 inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o smtpd_upstream_proxy_protocol=haproxy

SSL_accept error from mail-oi0-f44.google.com[209.85.218.44]: lost connection

Another error:

connect from unknown[unknown]
Jan  7 00:05:12 mx2 postfix/smtps/smtpd[13552]: disconnect from unknown[unknown]
Jan  7 00:05:12 mx2 postfix/smtps/smtpd[13552]: warning: haproxy read: unexpected protocol header: \22\3\1\0\143\1\0\0\139\3\3\135\226\\f\219\0CN\188\162\167\140\1473d\234\23\31\23$
Jan  7 00:05:12 mx2 postfix/smtps/smtpd[13552]: connect from unknown[unknown]
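The bytes in the "unexpected protocol header" warning above decode cleanly (Postfix prints non-printable bytes as decimal \N escapes): 22 3 1 0 143 is a TLS handshake record, version 3.1, length 143, and the following 1 0 0 139 3 3 is a 139-byte ClientHello offering TLS 1.2. So the peer started TLS on port 10465 without first sending a PROXY line. On a Classic ELB the ProxyProtocol policy is attached per backend instance port, so one likely cause is that it was enabled for 10993/10995 in post 4 but not for 10465. The same mismatch the other way round produces the "haproxy read: timeout error" reported later in the thread: something connected to a haproxy-enabled port and never sent the header. What follows is an added example for this thread, not code from Postfix, Dovecot, iRedMail or AWS: it builds a PROXY v1 line the way a load balancer does, parses and validates one the way a receiver should, classifies what arrived when the line is missing, and probes a backend port directly. The addresses, ports and trusted network in it are made up. One security point the iptables rules in post 4 miss: the header is unauthenticated, so any host that can reach 10993/10995/10465 directly can claim an arbitrary client address, which defeats IP-based restrictions and poisons the logs. Limit those ports to the load balancer's source (security group or iptables), and in Dovecot also set haproxy_trusted_networks, which rejects PROXY connections from anywhere else; Postfix's upstream-proxy options have no equivalent allow-list, so the firewall is the only control there.

```python
"""
PROXY protocol v1 helpers for testing a Postfix or Dovecot listener that
sits behind an ELB/HAProxy with proxy protocol enabled.  Added example for
this forum thread, not code from Postfix, Dovecot, iRedMail or AWS.
"""
import ipaddress
import socket

CRLF = b"\r\n"
MAX_V1_LINE = 107          # longest legal v1 header including CRLF (spec limit)
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_proxy_v1_header(src_ip, src_port, dst_ip, dst_port):
    """The single text line a proxy sends before any application bytes."""
    family = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    line = f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}"
    return line.encode("ascii") + CRLF


def classify_first_bytes(data):
    """What did a listener that expects a PROXY line actually receive?"""
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if data.startswith(V2_SIGNATURE):
        return "proxy-v2"
    # 0x16 = TLS handshake record, 0x03 = record-layer major version: the
    # peer started TLS (a direct client, or an LB port without the proxy
    # policy) and never sent a PROXY line.  Postfix logs this as
    # 'haproxy read: unexpected protocol header'.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    return "empty" if not data else "unknown"


def accept_reason(data, peer_ip, trusted_networks):
    """None if `data` is a valid v1 header from a trusted peer, otherwise
    the reason a careful receiver rejects it."""
    try:
        parse_proxy_v1_header(data, peer_ip, trusted_networks)
    except ValueError as exc:
        return str(exc)
    return None


def parse_proxy_v1_header(data, peer_ip, trusted_networks):
    """
    Validate a v1 header and return (src_ip, src_port, dst_ip, dst_port, rest),
    `rest` being the application data that follows the header.  The header
    is unauthenticated, so the peer must be on a trusted network: anyone
    else who can reach the port could claim an arbitrary client address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_networks):
        raise ValueError(f"PROXY header from untrusted peer {peer_ip}")
    end = data.find(CRLF, 0, MAX_V1_LINE)
    if end < 0:
        raise ValueError(f"no PROXY line within {MAX_V1_LINE} bytes: "
                         f"{classify_first_bytes(data)}")
    fields = data[:end].decode("ascii", errors="replace").split(" ")
    if fields[:2] == ["PROXY", "UNKNOWN"]:   # proxy could not tell; the spec
        return None, None, None, None, data[end + 2:]   # says use the peer
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"unexpected protocol header: {data[:end]!r}")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 6 if fields[1] == "TCP6" else 4
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the header")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport, str(dst), dport, data[end + 2:]


def probe(host, port, claimed_client="203.0.113.9", send_header=True, timeout=5.0):
    """
    Connect straight to a backend port, optionally send a PROXY line first,
    and return the banner (b'220 ...' for SMTP, b'* OK ...' for IMAP).
    A haproxy-enabled listener answers only when the line is sent; without
    it the connection hangs until the server's proxy timeout and the mail
    log shows 'haproxy read: timeout error'.  TLS wrapper ports (465,
    10993, 10995) keep the banner inside TLS, so expect b'' here and check
    the log instead.  A banner obtained from a host that is NOT the load
    balancer means the port is reachable by address spoofers.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if send_header:
            peer_ip, peer_port = s.getpeername()[:2]
            s.sendall(build_proxy_v1_header(claimed_client, 40000, peer_ip, peer_port))
        try:
            return s.recv(512)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    # Constructed sample: the byte string Postfix printed in this thread,
    # with its decimal \N escapes decoded.
    sample = bytes([22, 3, 1, 0, 143, 1, 0, 0, 139, 3, 3])
    print(classify_first_bytes(sample))
    hdr = build_proxy_v1_header("198.51.100.20", 51234, "10.0.1.5", 587)
    print(accept_reason(hdr, "10.0.0.12", ["10.0.0.0/24"]))      # trusted LB subnet
    print(accept_reason(hdr, "198.51.100.7", ["10.0.0.0/24"]))   # untrusted peer
```

Run probe("10.0.1.5", 587) once from the load balancer's subnet and once from anywhere else (both addresses are placeholders): the first should return a 220 banner, the second should not connect at all if the security group and iptables rules are right.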

13

Re: AWS ELB proxy protocol with dovecot

When using only 587:

SASL PLAIN authentication failed:

14

Re: AWS ELB proxy protocol with dovecot

For submission, we have:

submission inet n       -       n       -       -       smtpd
  ...
  -o smtpd_upstream_proxy_protocol=haproxy

On the frontend server, HAProxy listens on port 587 (submission) and balances the requests to the iRedMail servers, like this:

listen submission
    bind :587
    balance leastconn
    option tcp-check
    tcp-check connect send-proxy
    tcp-check expect rstring ^220

    server cont1 cont1.xxx.com:587 check send-proxy ...
    server cont2 cont2.xxx.com:587 check send-proxy ...
    server cont3 cont3.xxx.com:587 check send-proxy ...

It works well for us.

15

Re: AWS ELB proxy protocol with dovecot

OK, got it.
I have bought you coffee, thank you.

But how do I do this with port 25 as well?

16

Re: AWS ELB proxy protocol with dovecot

If you have postscreen enabled, postscreen is listening on port 25 instead of the normal smtpd service, so add 'postscreen_upstream_proxy_protocol = haproxy' in main.cf.
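The rule stated in the two replies above (smtpd_upstream_proxy_protocol on smtpd services, postscreen_upstream_proxy_protocol on the postscreen service that owns port 25, never both on one entry) and two formatting traps that show up later in this thread (an -o line that does not start with whitespace, and spaces around "=") are easy to check mechanically. The following added example, not part of Postfix or iRedMail, parses master.cf the way master(8) does (a line starting in column 1 is a new service entry, an indented line continues the previous one) and reports those problems. The sample master.cf is constructed from the entries posted in this thread, including the 10465 entry that sets both options.

```python
"""
Lint the PROXY-protocol options in a Postfix master.cf.  Added example for
this forum thread; not code from Postfix or iRedMail.  Rules checked:
  * postscreen_upstream_proxy_protocol belongs on a postscreen service,
    smtpd_upstream_proxy_protocol on an smtpd service, never both on one;
  * every -o line must start with whitespace (otherwise master reads it
    as a new service entry) and be written name=value with no spaces.
"""

# Constructed sample; mirrors entries posted in this thread.
SAMPLE_MASTER_CF = """\
# constructed sample
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
10465 inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_upstream_proxy_protocol=haproxy
  -o postscreen_upstream_proxy_protocol=haproxy
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_upstream_proxy_protocol=haproxy
2525     inet  n       -       -       -       1       postscreen
-o postscreen_upstream_proxy_protocol = haproxy
-o postscreen_upstream_proxy_timeout = 50s
"""

# Which upstream-proxy parameter each daemon actually reads.
OPTION_FOR = {"smtpd": "smtpd_upstream_proxy_protocol",
              "postscreen": "postscreen_upstream_proxy_protocol"}


def parse_master_cf(text):
    """Split master.cf into entries: {service, command, args, problems}."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                  # continuation of previous entry
            if entries:
                entries[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        entry = {"service": fields[0],
                 "command": fields[7] if len(fields) >= 8 else None,
                 "args": fields[8:], "problems": []}
        if len(fields) < 8:                   # e.g. an unindented "-o ..." line
            entry["problems"].append(
                f"line {lineno}: '{raw.strip()}' starts in column 1 but is not "
                "a service entry; continuation lines must begin with whitespace")
        entries.append(entry)
    return entries


def options_of(entry):
    """Return (dict of -o name -> value, list of malformed -o tokens)."""
    opts, malformed = {}, []
    args = entry["args"]
    for i, token in enumerate(args):
        if token != "-o":
            continue
        value = args[i + 1] if i + 1 < len(args) else ""
        if value.startswith("{"):             # -o { name = value } (Postfix 3.x), not parsed here
            continue
        if "=" not in value:                  # "-o name = value": the value is lost
            malformed.append(value)
            continue
        name, val = value.split("=", 1)
        opts[name] = val
    return opts, malformed


def lint_proxy_options(text):
    """Return [(service, message)] for every problem found."""
    findings = []
    for e in parse_master_cf(text):
        findings += [(e["service"], p) for p in e["problems"]]
        opts, malformed = options_of(e)
        findings += [(e["service"], f"malformed '-o {m}': write -o name=value "
                      "with no spaces around '='") for m in malformed]
        present = [n for n in OPTION_FOR.values() if n in opts]
        if len(present) > 1:
            findings.append((e["service"], "sets both smtpd_ and postscreen_"
                             "upstream_proxy_protocol; keep only the one that "
                             "matches the command"))
        for name in present:
            if name != OPTION_FOR.get(e["command"]):
                findings.append((e["service"], f"{name} has no effect on a "
                                 f"{e['command']} service; use "
                                 f"{OPTION_FOR.get(e['command'], 'nothing')}"))
    return findings


if __name__ == "__main__":
    for service, msg in lint_proxy_options(SAMPLE_MASTER_CF):
        print(f"{service}: {msg}")
```

On the server itself, `postconf -M` (available since Postfix 2.11, so Debian 8's package qualifies) prints the entries as master actually parsed them, which is the quickest way to confirm that an -o line landed on the intended service rather than becoming a bogus service of its own.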

17 (edited by jackavin 2017-01-08 16:49:30)

Re: AWS ELB proxy protocol with dovecot

I sometimes get an error when using it:
warning: haproxy read: timeout error
postfix/submission/smtpd[29952]: connect from unknown[unknown]

I have set the timeout, still the error.

18

Re: AWS ELB proxy protocol with dovecot

I have searched for the issue and they said to uncomment postscreen

#smtp      inet  n       -       n       -       1       postscreen

Can I do that?

19

Re: AWS ELB proxy protocol with dovecot

If ELB uses smtp protocol for port 25, then you have to disable postscreen service.
You'd better contact Amazon support to make it clear.

20

Re: AWS ELB proxy protocol with dovecot

Maybe I misunderstood.

I have used 587 with haproxy for 10 hours and it errors.
Don't know why. I have searched and they said I have to uncomment

#smtp      inet  n       -       n       -       1       postscreen

I have a normal iRedMail fresh-install setup.

21

Re: AWS ELB proxy protocol with dovecot

I need to remind you that my settings were tested with HAProxy, not ELB, so it may not work well with ELB.

With "smtp ... postscreen" line enabled, port 25 is postscreen service, not normal smtp. So the protocol used to communicate between ELB/HAProxy and Postfix is different.

22

Re: AWS ELB proxy protocol with dovecot

Hello,

I am facing the same issue; my topology is like this one.
Could you please give me advice on how to fix it? Thanks a lot.

External --------> (listen on 25, 587, 993) HAProxy ------>FWD (port 2525, 587, 10143) -----> iredmail

<<HAProxy.conf>>

listen submission
    bind public_ip:587
    balance leastconn
    option tcp-check
    tcp-check connect send-proxy
    tcp-check expect rstring ^220
    server ired iredmail_ip:587 check send-proxy

frontend f_srvc_imap
    bind public_ip:143
    mode tcp
    default_backend b_srvc_imap

backend b_srvc_smtp
    mode tcp
    no option http-server-close
    log global
    option tcplog
    timeout server 1m
    timeout connect 5s
    server ired iredmail_ip:2525 send-proxy


<<master.cf>>
#<Section submission>

# Submission, port 587, force TLS connection.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o smtpd_upstream_proxy_protocol=haproxy


#<Section haproxy-smtp>

2525     inet  n       -       -       -       1       postscreen
  -o postscreen_upstream_proxy_protocol=haproxy
  -o postscreen_upstream_proxy_timeout=50s


Postfix log shows as below (172.30.200.201 is the IP address of HAProxy):

Oct 17 06:06:28 snow postfix/submission/smtpd[2429]: disconnect from unknown[172.30.200.201] commands=0/0
Oct 17 06:06:31 snow postfix/submission/smtpd[2429]: connect from unknown[172.30.200.201]
Oct 17 06:06:31 snow postfix/submission/smtpd[2429]: lost connection after CONNECT from unknown[172.30.200.201]
Oct 17 06:06:31 snow postfix/submission/smtpd[2429]: disconnect from unknown[172.30.200.201] commands=0/0
Oct 17 06:06:33 snow postfix/submission/smtpd[2429]: connect from unknown[172.30.200.201]
Oct 17 06:06:33 snow postfix/submission/smtpd[2429]: lost connection after CONNECT from unknown[172.30.200.201]
Oct 17 06:06:33 snow postfix/submission/smtpd[2429]: disconnect from unknown[172.30.200.201] commands=0/0
Oct 17 06:06:35 snow postfix/submission/smtpd[2429]: connect from unknown[172.30.200.201]
Oct 17 06:06:35 snow postfix/submission/smtpd[2429]: lost connection after CONNECT from unknown[172.30.200.201]
Oct 17 06:06:35 snow postfix/submission/smtpd[2429]: disconnect from unknown[172.30.200.201] commands=0/0
Oct 17 06:06:37 snow postfix/submission/smtpd[2429]: connect from unknown[172.30.200.201]

23

Re: AWS ELB proxy protocol with dovecot

I figured out why it doesn't work:
HAProxy needs to be set to use tcp mode in both the frontend and the backend.

Now external requests can hit Postfix on the iRedMail server, but I am getting the following error:

Oct 17 07:21:54 snow postfix/submission/smtpd[7469]: connect from unknown[211.246.103.71]
Oct 17 07:21:55 snow postfix/submission/smtpd[7469]: Anonymous TLS connection established from unknown[211.246.103.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 17 07:21:55 snow postfix/submission/smtpd[7469]: disconnect from unknown[211.246.103.71] ehlo=1 starttls=1 quit=1 commands=3
Oct 17 07:22:05 snow postfix/submission/smtpd[7479]: disconnect from unknown[211.246.103.71] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 quit=1 commands=7
Oct 17 07:22:06 snow postfix/submission/smtpd[7469]: connect from unknown[211.246.103.71]
Oct 17 07:22:07 snow postfix/submission/smtpd[7469]: Anonymous TLS connection established from unknown[211.246.103.71]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 17 07:22:08 snow postfix/submission/smtpd[7469]: 4698B1F92D: client=unknown[211.246.103.71], sasl_method=PLAIN, sasl_username=test@my_example.com

Could you please advise me how to fix it?

Thanks a lot.

24

Re: AWS ELB proxy protocol with dovecot

I think I found the issue; it can be related to the Let's Encrypt certificate I am using.
Will be back later on this topic after testing.