Unrecognized protocol header

I have a working Haproxy load balancer configure with postfix.
Mode: tcp
Haproxy version: 2.4.22
Postfix version: 3.5.8-7

I want to forward the client IP to postfix using the proxy protocols. So the client ip appears in the mail log and not haproxies.

I have added accept-proxy to the frontend bind.
I have added send-proxy to each backend node.
I have added the postfix main.cf with postscreen_upstream_proxy_protocol = haproxy
I have enabled postscreen in postfix master.cf and restarted both haproxy and postfix.

However, I get the following warnings and errors.

postfix/postscreen[123456]: warning: haproxy read: unrecognized protocol header: XXXXX TCP4 “haproxy ip” “client ip” 48024 25\r\n

Any help is greatly appreciated

This is probably wrong, if it is the frontend your external clients connect to; the proxy protocol is used between haproxy and postfix but not between the clients and haproxy and postfix.

I don’t know if that is the only issue. You’d have to post the full config to be sure.

Yes that is how I have it setup. I may not of been clear, it is a standard proxy setup for postfix. It works fine but in the mail log shows the proxies IP and not the clients IP. I understand the proxy protocol is between haproxy and postfix.
The only changes I make are what I posted in haproxy.cfg and postfix main/master.cf.

Like I said, you’d have to post the full config.

Here are the main stanza, the rest is boiler plate. Like I said the load balancer works fine, just not the proxy protocol.

smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd

main.cf

postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 5s

haproxy.cfg
....
frontend main

    bind x.x.x.x:25 accept-proxy
    mode tcp
    use_backend prx-postfix
    timeout client 1m
    log global
    option tcplog
    default_backend  prx-postfix

frontend main-587

    bind x.x.x.x:587 accept-proxy
    mode tcp
    use_backend prx-postfix-587
    timeout client 1m
    log global
    option tcplog
    default_backend  prx-postfix-587


backend prx-postfix
    balance roundrobin
    mode tcp
    timeout server 1m
    timeout connect  15s
    server      postfix1  x.x.x.x:25 check  agent-check agent-inter 60s  agent-addr x.x.x.x  agent-port 5000 send-proxy
    server      postfix2  x.x.x.x:25 check agent-check agent-inter 60s  agent-addr x.x.x.x  agent-port 5001 send-proxy


backend prx-postfix-587
    balance roundrobin
    mode tcp
    timeout server 1m
    timeout connect  15s
    server      postfix1  x.x.x.x:25 check  agent-check agent-inter 60s  agent-addr x.x.x.x  agent-port 5000 send-proxy
    server      postfix2  x.x.x.x:25 check agent-check agent-inter 60s  agent-addr x.x.x.x  agent-port 5001 send-proxy

accept-proxy does not belong in this configuration, like I said, you are not running the proxy protocol between SMTP clients and haproxy, so there does not belong any proxy configuration in the frontend sections of haproxy.

prx-postfix-587 appears to target the wrong port (25 instead of 587).

I’m not sure whether postfix requires version 2 of the proxy protocol. You may want to try send-proxy-v2 on the backend as a replacemente for send-proxy.

[quote=“Dav, post:5, topic:9688”]

frontend main-587

    bind x.x.x.x:587 accept-proxy

No it doesn’t

I modified the IP’s to protect them for this post in actuality they are port 587.

An thought of the warning.

Backend is correct in my actual configuration.
##############
I have tried both and V2 has a similar resulting error. Should be no difference right?

According to postfix documentation, proxy (v1) is supported since Postfix 2.10 and v2 since 3.5. So in your case it either way should be fine.

At this point it is unclear what is actually happening here.

Instead of postscreen try using smtpd in postfix configuration, to see if the error persists.

Maybe start with the error, unrecognized protocol in this case postscreen isn’t able to read the protocol correctly…my guess. This I suspect should be the actual IP for the client and haproxy along with some other info. Why XXXX.
“header: XXXXX TCP4 “haproxy ip” “client ip” 48024 25\r\n”

After a month of troubleshooting and trying to determine what the message meant. I found that when in TCP mode and using check in the backend to send to postfix. Postfix doesn’t understand the “check” from haproxy. Seems that HaProxy check is sending the wrong format or a format that Postfix doesn’t understand. Removing the “check” from the backend cfg resolves the error. In the postfix log I can then see the correct client connect and no error as above. My workaround is to use agent-check which is not preferable but should work

I have tried both same issue.

We have this config and everything is working.

HaProxy
server example 192.168.222.222:2525 weight 3 check port 2525 fall 3 rise 3 send-proxy

Postfix master.cf

2525      inet  n       -       n       -       -       smtpd
  -o smtpd_upstream_proxy_protocol=haproxy

We have choose to listen proxied connections on a different port (2525 rather than 25) to be possible to have different configurations if needed on default 25 and custom 2525 ports.

But at this moment we only have the smtpd_upstream_proxy_protocol configured differently; no config on 25 and haproxy config on 2525.

Pedro