HAProxy Email Source Address Issue - Maybe

Hi All,

I’ve got a problem that has HAProxy in the mix, but I don’t know if it’s a HAProxy issue or something else - yes, I’m flying a little bit in the dark here, groping around for at least the trail to a possible solution (i.e. sorry if this isn’t a HAProxy issue).

The Situation: Our Gateway Router (GR) has an internal address of 192.168.1.1. There is an Email (Postfix) server (ES) on the internal network. Email gets routed from the GR to a HAProxy box (HAP) which then forwards the email to the ES. We are receiving and sending Email AOK.

The issue is that the ES is reporting all mail as coming from 192.168.1.1, not the actual IP address of the email source. This means that things like SPF can’t be checked. The relevant HAProxy config is:

defaults defaults_common
  log global
  option dontlognull
  option redispatch
  option tcp-smart-connect
  timeout client 1m
  timeout connect 10s
  timeout queue 30s
  timeout server 1m
  timeout tarpit 10s
  mode tcp
  balance leastconn
  option tcplog
  tcp-check connect

frontend frontend_mail_smtp from defaults_tcp
  bind *:25
  tcp-request content track-sc0 src table table_per_ip_connections
  tcp-request inspect-delay 10s
  use_backend backend_mail_smtp

backend table_per_ip_connections
  stick-table type ip size 512k expire 1m store conn_cur,conn_rate(1m)

backend backend_mail_smtp from defaults_tcp
  server mail mx01.mjb.pri:60025 send-proxy-v2

What I suspect is happening (i.e. I’m assuming) is that HAProxy is rewriting the email source IP address with the GR’s IP address - but as I said, that’s an assumption and I could be radically wrong.

So, can someone/anyone please point me in the correct direction - up to and including “This is not a HAProxy issue so look elsewhere”?

Thanks

Dulux-Oz

You already configured the proxy protocol between HAP and ES, that is why instead of the HAP IP address you are seeing the IP address of GR. So this is good.

Haproxy doesn’t know the original IP address, because it is lost at GR.

To be able to suggest a solution we would have to know what GR is and what software is running there.

For example if GR is another haproxy instance, the proxy protocol should be enabled there, between GR and HAP, just like it already is enabled between HAP and ES.
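The reply above describes the flow: with send-proxy-v2, HAP puts into the PROXY v2 header the peer address it actually saw, and after the router’s source NAT that peer is 192.168.1.1, so ES can only report that. As an added illustration (not code from this thread, from HAProxy or from Postfix), here is a small Python builder and parser for the TCP/IPv4 PROXY v2 header that walks through that topology; the external sender 203.0.113.7, the HAP bind address 192.168.1.10 and the port numbers are constructed values.

```python
import socket
import struct

# Binary PROXY protocol v2 constants (from HAProxy's proxy-protocol.txt specification).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION_PROXY = 0x21   # version 2, command PROXY
PP2_AF_INET_STREAM = 0x11  # AF_INET, SOCK_STREAM (TCP over IPv4)


def build_pp2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the 28-byte TCP/IPv4 PROXY v2 header a sender emits for 'send-proxy-v2'.
    src is the TCP peer the proxy saw; dst is the address that peer connected to."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    return PP2_SIGNATURE + struct.pack("!BBH", PP2_VERSION_PROXY, PP2_AF_INET_STREAM, len(addrs)) + addrs


def parse_pp2_header(data: bytes) -> dict:
    """Parse a TCP/IPv4 PROXY v2 header the way a receiver such as Postfix would.
    Returns the claimed addresses plus the remaining bytes (start of the SMTP session)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != PP2_VERSION_PROXY or fam_proto != PP2_AF_INET_STREAM:
        raise ValueError("unsupported PROXY v2 command or address family")
    if length != 12 or len(data) < 16 + length:
        raise ValueError("truncated or non-IPv4 address block")
    body = data[16:16 + length]
    src_ip, dst_ip = socket.inet_ntoa(body[:4]), socket.inet_ntoa(body[4:8])
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port), "payload": data[16 + length:]}


def simulate_thread_topology() -> dict:
    """Constructed walk-through of the thread: GR source-NATs, so the peer HAP sees is
    192.168.1.1; HAP faithfully forwards that in the header, and ES never sees the real sender."""
    original_sender = "203.0.113.7"            # constructed external sender, lost at GR
    peer_seen_by_hap = ("192.168.1.1", 40000)  # GR's internal address after source NAT
    hap_frontend = ("192.168.1.10", 25)        # constructed HAP bind address for 'bind *:25'
    header = build_pp2_header(*peer_seen_by_hap, *hap_frontend)
    parsed = parse_pp2_header(header + b"EHLO client.example\r\n")
    parsed["original_sender_visible"] = parsed["src"][0] == original_sender
    return parsed
```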

Damn!

The GW’s a SOHO Netcomm - no way is it going to have a sophisticated OS to implement something like Proxy Protocol.

Oh well, that’s what the client gets for being cheap - unless there’s some work-around that I haven’t thought of yet. 😀

Thanks for your help @lukastribus

Cheers
Dulux-Oz

If this is just a NAT gateway, it should not source NAT the IP address, but simply destination NAT it to the GR.

Likely the GW just has excessive NAT configuration enabled.

You need to use the TPROXY protocol between HAProxy and Postfix

In the HAProxy config:

server Postfix 10.10.10.10:25 check port 25 send-proxy

In the Postfix config:

smtpd_upstream_proxy_protocol=haproxy

And you should start to see the origin IP being used, logged, etc.

If you also use direct connections to Postfix - namely on port 25 - you would be advised to create another port to use with HAProxy: one with the TPROXY protocol enabled, to be used for connections through HAProxy, and the other for direct connections without TPROXY.

But I have a question: do you have more than one Postfix? If using only one, why the HAProxy in between and not expose the Postfix directly to the router?

Good luck, Pedro

He is already using the proxy protocol, you have misunderstood the question.
Also, the proxy protocol and TPROXY are not the same; those are two different things.

His problem is that the router is replacing the source IP with the router’s internal IP.