Incoming mails are sent to me by the haproxy IP instead of the remote IP

Hello everyone!
I’m new to haproxy, so I’ll tell you about my situation.
I have a NAT configured in my router on ports 25 and 443 which are sent to my haproxy, which in turn sends it to both my exchange servers.
So far, so good.
The problem I have is that the incoming mails are sent to me by the haproxy IP, instead of the public IP of the remote mail server.
Does anyone know how I should configure haproxy to show me the original IP address of the remote server that sends me the emails?
Thank you very much for any help!

Best regards
Gabriel

my config:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?serve$
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECD$
    ssl-default-bind-options no-sslv3

defaults
    log global
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

    option dontlognull              # Do not log connections with no requests
    option redispatch               # Try another server in case of connection fai$
    option contstats                # Enable continuous traffic statistics updates
    retries 3                       # Try to connect up to 3 times in case of fail$
    timeout connect 5s              # 5 seconds max to connect or to stay in queue
    timeout http-keep-alive 10s     # 10 second max for the client to post next re$
    timeout http-request 10s        # 10 seconds max for the client to send a requ$
    timeout queue 20s               # 20 seconds max queued on load balancer
    timeout tarpit 1m               # tarpit hold tim
    backlog 10000                   # Size of SYN backlog queue

    balance source                  #alctl: load balancing algorithm
    mode tcp                        #alctl: protocol analyser
    default-server inter 3s rise 2 fall 3   #alctl: default check parameters

frontend front_exch_tcp_https
    bind 192.168.20.7:443 name https        #alctl: listener$
    maxconn 10000                           #alctl: connecti$
    default_backend back_exch_tcp_https     #alctl: default $

backend back_exch_tcp_https
    server s-mail00 10.10.8.6:443 maxconn 10000 check   #alctl: server s$
    server s-mail01 10.10.8.7:443 maxconn 10000 check   #alctl: server s$

frontend front_exch_tcp_smtp
    bind 192.168.20.7:25 name smtp          #alctl: listener$
    maxconn 10000                           #alctl: connecti$
    default_backend back_exch_tcp_smtp      #alctl: default $

backend back_exch_tcp_smtp
    server s-mail00 10.10.8.6:25 maxconn 10000 check    #alctl: server s$
    server s-mail01 10.10.8.7:25 maxconn 10000 check    #alctl: server s$

listen stats
    bind 0.0.0.0:1936
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy?stats
    stats auth haproxy:sasasaasasasa

The best method with HAProxy is to configure full TPROXY transparency mode, which requires two subnets and the Exchange servers using HAProxy as the default gateway.

At Loadbalancer.org we tend to use a Layer 4 Linux Virtual Server load balancer in Direct Routing mode just for the SMTP ports, as we find it's far less likely to break Exchange on customer sites :-).

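To make the transparency mode mentioned in the reply concrete, here is an added example (my own, not the original poster's configuration and not Loadbalancer.org's) of the SMTP backend in TPROXY mode together with the Linux kernel-side rules it depends on. It reuses the addresses and server names from the posted config; the `DIVERT` chain name, the firewall mark `1` and routing table `100` are arbitrary choices of mine, and the example assumes HAProxy was built with TPROXY support and runs with CAP_NET_ADMIN (root, or the capability granted to the binary with setcap).

```haproxy
# Added example: SMTP path in transparent (TPROXY) mode.
# The HTTPS frontend/backend and the global/defaults sections from the
# posted config are unchanged and omitted here.

frontend front_exch_tcp_smtp
    mode tcp
    bind 192.168.20.7:25 name smtp
    maxconn 10000
    default_backend back_exch_tcp_smtp

backend back_exch_tcp_smtp
    mode tcp
    balance source
    # Open the connection to Exchange with the remote MTA's own IP as the
    # source address (random source port), so Exchange sees the real sender
    # instead of 192.168.20.7. Needs CAP_NET_ADMIN on the HAProxy process.
    source 0.0.0.0 usesrc clientip
    server s-mail00 10.10.8.6:25 maxconn 10000 check
    server s-mail01 10.10.8.7:25 maxconn 10000 check

# Kernel side, run once on the HAProxy host (shown as comments here because
# they are shell commands, not HAProxy directives). Exchange's replies are
# addressed to the remote MTA's IP; these rules deliver packets that belong to
# an existing local (transparent) socket to HAProxy instead of forwarding them.
#
#   iptables -t mangle -N DIVERT
#   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#   iptables -t mangle -A DIVERT -j MARK --set-mark 1
#   iptables -t mangle -A DIVERT -j ACCEPT
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#
# For this to work at all, 10.10.8.6 and 10.10.8.7 must use the HAProxy
# host's 10.10.8.x address as their default gateway, otherwise their replies
# go straight to the router and the TCP handshake never completes.
```

With this in place the Exchange Receive connector logs and any IP-based controls on it (relay permissions, throttling, reputation checks) act on the real sending MTA's address rather than treating every inbound session as coming from 192.168.20.7. The posted config runs HAProxy as user `haproxy` inside a chroot; that is compatible with `usesrc clientip` only if the process keeps CAP_NET_ADMIN, so verify the capability is retained after the privilege drop before relying on the setup.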