HAProxy - Email - Preserve Client IP

So we are using HAProxy to replace Microsoft Network Load Balancer in our email environment.

All functionality is working but I am seeing the LB IP as the source address for all incoming emails. I’ve been searching the internet for answers but I came here for some direction.

Setup -

I have frontends for ports 25, 80, 443, 110, 143, 465, 587, 993, 995

–config–
frontend 20.20.120.138_25_SMTP
bind 20.20.120.138:25 name 20.20.120.138:25
mode tcp
log global
timeout client 30000
default_backend 20.20.120.138-25_ipvANY

That is tied to backends created for each of the above frontends.

–config–
backend 20.20.120.138-25_ipvANY
mode tcp
id 105
log global
option log-health-checks
stick-table type ip size 100m expire 1d
stick on src
balance roundrobin
timeout connect 30000
timeout server 30000
retries 3
server Mail_1 20.20.120.133:25 id 101 check inter 1000
server Mail_2 20.20.120.134:25 id 102 check inter 1000
server Mail_3 20.20.120.132:25 id 103 check inter 1000

So what do I need to change to preserve client IPs?

I’ve seen that I should use one of the following options

option forwardfor
send-proxy
source 0.0.0.0 usesrc clientip

But I’m not finding config examples for this nor am I seeing the best reason for one over the other.

Hi,

For SMTP traffic your only options are the PROXY protocol, and reusing the client IP address for backend connections.
PROXY protocol only works if your SMTP service supports it. Reusing the client IP address for backend connections requires that your load balancer is on the default path when the server replies to the client IP address.

Can you provide the config changes that are needed on top of setting the gateway for my mail servers to be the HAProxy server?

In this case
20.20.120.133
20.20.120.134
20.20.120.132

Each will have a gateway of

20.20.120.135

And then I’m guessing my server lines change to apply the send-proxy command

server Mail_1 20.20.120.133:25 id 101 send-proxy check inter 1000
server Mail_2 20.20.120.134:25 id 102 send-proxy check inter 1000
server Mail_3 20.20.120.132:25 id 103 send-proxy check inter 1000

Is that correct and do I need to do anything else?

Either you use the PROXY protocol or you reuse the client IP.
For the former, send-proxy on server lines is enough. For the latter you use the source keyword on server lines or in the backend, some netfilter rules, and some ip rules. You can find an example here: https://www.haproxy.com/blog/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/
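As an added illustration of why the PROXY protocol only helps when the SMTP service understands it, the following Python (not code from this thread or from HAProxy) parses the v1 header that send-proxy prepends to every backend connection and recovers the real client address; the client IP 203.0.113.7 and the EHLO line are constructed samples, the proxy address 20.20.120.138 is the frontend from the thread.

```python
import ipaddress
import re

# Constructed sample: the first bytes a PROXY-aware SMTP server reads when the
# thread's HAProxy (bind 20.20.120.138:25) uses send-proxy on the server line;
# 203.0.113.7 is a constructed client address from the documentation range.
SAMPLE_WITH_HEADER = b"PROXY TCP4 203.0.113.7 20.20.120.138 51234 25\r\n"
# Constructed sample: same client through a backend without send-proxy; the
# stream opens with plain SMTP and the real client IP cannot be recovered.
SAMPLE_WITHOUT_HEADER = b"EHLO mail.example.test\r\n"

# PROXY v1 line: "PROXY" family src dst sport dport CRLF, at most 107 bytes.
_PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")

class ProxyHeaderError(ValueError):
    """The stream does not start with a valid PROXY v1 header."""

def parse_proxy_v1(data: bytes):
    """Return (client_ip, client_port, proxy_ip, proxy_port, rest); rest is the
    application data (SMTP) that follows the header. A server with the PROXY
    protocol enabled must reject streams without a header, so it raises."""
    # Look only within the maximum header length so untrusted data cannot make
    # us scan an arbitrarily long stream for the terminating CRLF.
    head, sep, _ = data[:107].partition(b"\r\n")
    if not sep:
        raise ProxyHeaderError("no CRLF-terminated header within 107 bytes")
    m = _PROXY_V1.match(head + sep)
    if not m:
        raise ProxyHeaderError("first line is not a PROXY v1 header")
    family, src, dst, sport, dport = m.groups()
    want = 4 if family == b"TCP4" else 6
    try:
        src_ip = ipaddress.ip_address(src.decode("ascii"))
        dst_ip = ipaddress.ip_address(dst.decode("ascii"))
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from exc
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    ports = int(sport), int(dport)
    if max(ports) > 65535:
        raise ProxyHeaderError("port out of range")
    return str(src_ip), ports[0], str(dst_ip), ports[1], data[len(head) + 2:]

def real_client_ip(data: bytes):
    """Client IP a PROXY-aware server would log, or None without a valid header."""
    try:
        return parse_proxy_v1(data)[0]
    except ProxyHeaderError:
        return None
```

A server that does not implement the protocol would instead treat the PROXY line as its first SMTP command and fail the session, which is why send-proxy must only be enabled on backends whose mail software is configured for it.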