Unrecognized protocol header

Help!
1

I have a working Haproxy load balancer configure with postfix.
Mode: tcp
Haproxy version: 2.4.22
Postfix version: 3.5.8-7

I want to forward the client IP to postfix using the proxy protocols. So the client ip appears in the mail log and not haproxies.

I have added accept-proxy to the frontend bind.
I have added send-proxy to each backend node.
I have added the postfix main.cf with postscreen_upstream_proxy_protocol = haproxy
I have enabled postscreen in postfix master.cf and restarted both haproxy and postfix.

However, I get the following warnings and errors.

postfix/postscreen[123456]: warning: haproxy read: unrecognized protocol header: XXXXX TCP4 “haproxy ip” “client ip” 48024 25\r\n

Any help is greatly appreciated

2

This is probably wrong, if it is the frontend your external clients connect to; the proxy protocol is used between haproxy and postfix but not between the clients and haproxy and postfix.

I don’t know if that is the only issue. You’d have to post the full config to be sure.

3

Yes that is how I have it setup. I may not of been clear, it is a standard proxy setup for postfix. It works fine but in the mail log shows the proxies IP and not the clients IP. I understand the proxy protocol is between haproxy and postfix.
The only changes I make are what I posted in haproxy.cfg and postfix main/master.cf.

4

Like I said, you’d have to post the full config.

5

Here are the main stanza, the rest is boiler plate. Like I said the load balancer works fine, just not the proxy protocol.

smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd

main.cf

postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 5s

haproxy.cfg
....
frontend main

    bind x.x.x.x:25 accept-proxy
    mode tcp
    use_backend prx-postfix
    timeout client 1m
    log global
    option tcplog
    default_backend  prx-postfix

frontend main-587

    bind x.x.x.x:587 accept-proxy
    mode tcp
    use_backend prx-postfix-587
    timeout client 1m
    log global
    option tcplog
    default_backend  prx-postfix-587


backend prx-postfix
    balance roundrobin
    mode tcp
    timeout server 1m
    timeout connect  15s
    server      postfix1  x.x.x.x:25 check  agent-check agent-inter 60s  agent-addr x.x.x.x  agent-port 5000 send-proxy
    server      postfix2  x.x.x.x:25 check agent-check agent-inter 60s  agent-addr x.x.x.x  agent-port 5001 send-proxy


backend prx-postfix-587
    balance roundrobin
    mode tcp
    timeout server 1m
    timeout connect  15s
    server      postfix1  x.x.x.x:25 check  agent-check agent-inter 60s  agent-addr x.x.x.x  agent-port 5000 send-proxy
    server      postfix2  x.x.x.x:25 check agent-check agent-inter 60s  agent-addr x.x.x.x  agent-port 5001 send-proxy
6

accept-proxy does not belong in this configuration, like I said, you are not running the proxy protocol between SMTP clients and haproxy, so there does not belong any proxy configuration in the frontend sections of haproxy.

prx-postfix-587 appears to target the wrong port (25 instead of 587).

I’m not sure whether postfix requires version 2 of the proxy protocol. You may want to try send-proxy-v2 on the backend as a replacemente for send-proxy.

7

[quote=“Dav, post:5, topic:9688”]

frontend main-587

    bind x.x.x.x:587 accept-proxy

No it doesn’t

I modified the IP’s to protect them for this post in actuality they are port 587.

An thought of the warning.

8

Backend is correct in my actual configuration.
##############
I have tried both and V2 has a similar resulting error. Should be no difference right?

9

According to postfix documentation, proxy (v1) is supported since Postfix 2.10 and v2 since 3.5. So in your case it either way should be fine.

At this point it is unclear what is actually happening here.

10

Instead of postscreen try using smtpd in postfix configuration, to see if the error persists.