I have a working HAProxy load balancer configured with Postfix.
Mode: tcp
Haproxy version: 2.4.22
Postfix version: 3.5.8-7
I want to forward the client IP to postfix using the proxy protocol, so that the client IP appears in the mail log and not haproxy's.
I have added accept-proxy to the frontend bind.
I have added send-proxy to each backend node.
I have added postscreen_upstream_proxy_protocol = haproxy to the postfix main.cf.
I have enabled postscreen in postfix master.cf and restarted both haproxy and postfix.
This is probably wrong, if it is the frontend your external clients connect to; the proxy protocol is used between haproxy and postfix but not between the clients and haproxy and postfix.
I don’t know if that is the only issue. You’d have to post the full config to be sure.
Yes, that is how I have it set up. I may not have been clear, it is a standard proxy setup for postfix. It works fine, but the mail log shows the proxy's IP and not the client's IP. I understand the proxy protocol is between haproxy and postfix.
The only changes I make are what I posted in haproxy.cfg and postfix main/master.cf.
accept-proxy does not belong in this configuration. Like I said, you are not running the proxy protocol between SMTP clients and haproxy, so no proxy configuration belongs in the frontend sections of haproxy.
prx-postfix-587 appears to target the wrong port (25 instead of 587).
I’m not sure whether postfix requires version 2 of the proxy protocol. You may want to try send-proxy-v2 on the backend as a replacement for send-proxy.
Maybe start with the error: unrecognized protocol. In this case postscreen isn’t able to read the protocol correctly… my guess. This, I suspect, should be the actual IP for the client and haproxy along with some other info. Why XXXX?
“header: XXXXX TCP4 “haproxy ip” “client ip” 48024 25\r\n”
After a month of troubleshooting and trying to determine what the message meant, I found that, when in TCP mode and using check in the backend to send to postfix, Postfix doesn’t understand the “check” from haproxy. It seems that the HAProxy check is sending the wrong format or a format that Postfix doesn’t understand. Removing the “check” from the backend cfg resolves the error. In the postfix log I can then see the correct client connect and no error as above. My workaround is to use agent-check, which is not preferable but should work.
HaProxy server example 192.168.222.222:2525 weight 3 check port 2525 fall 3 rise 3 send-proxy
Postfix master.cf
2525 inet n - n - - smtpd
  -o smtpd_upstream_proxy_protocol=haproxy
We have chosen to listen for proxied connections on a different port (2525 rather than 25) to make it possible to have different configurations if needed on the default 25 and custom 2525 ports.
But at this moment we only have the smtpd_upstream_proxy_protocol configured differently; no config on 25 and haproxy config on 2525.
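
An added example, not part of the thread and not HAProxy or Postfix code: a minimal parser for the PROXY protocol version 1 line that send-proxy places in front of the SMTP stream, showing what a listener with smtpd_upstream_proxy_protocol=haproxy expects as the first bytes of a connection and why anything else is rejected. The sample connections, addresses and function names are constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the spec allows, CRLF included

def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 line from the first bytes of a connection.

    Returns (src_ip, src_port, dst_ip, dst_port), or None for "PROXY UNKNOWN".
    Raises ValueError when the connection does not start with a valid header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF-terminated header in the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ValueError("header is not ASCII") from None
    if fields[0] != "PROXY":
        raise ValueError("first token is not PROXY")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None  # sender could not describe the connection
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("expected PROXY TCP4|TCP6 src dst sport dport")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match TCP4/TCP6")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ValueError("invalid port")
    return str(src), int(fields[4]), str(dst), int(fields[5])

# Constructed sample connections (documentation addresses, not from the thread).
SAMPLES = {
    "proxied": b"PROXY TCP4 203.0.113.7 192.0.2.10 48024 25\r\nEHLO client.example\r\n",
    "no header": b"EHLO client.example\r\n",
    "wrong first token": b"XXXXX TCP4 203.0.113.7 192.0.2.10 48024 25\r\n",
}

def describe(data: bytes) -> str:
    """Return a one-line verdict for the first bytes of a connection."""
    try:
        return f"accepted: {parse_proxy_v1(data)}"
    except ValueError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {describe(raw)}")
```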