Re: HAProxy + SMTP

From: Willy Tarreau <w#1wt.eu>
Date: Wed, 9 Jan 2008 10:17:01 +0100


Hi,

On Tue, Jan 08, 2008 at 12:05:43PM -0800, Michael Nguyen wrote:
> So, I've recently moved to using HAProxy as a load balancer, but I've
> run into an issue with SMTP. I have the following:
>
> HAProxy --> Many SMTP servers (front-end MX servers)
>
> The problem here comes with SPF and RBL checks. The SMTP servers only
> see the IP address of the HAProxy load balancer and thus my SPF and RBL
> checks will never work. Those of you who use HAProxy for SMTP traffic,
> what route do you take to solve this?

This is a known limitation with proxies. To solve this, under Linux it is possible to apply the CTTPROXY patch to the kernel (from balabit.com) and build haproxy with USE_CTTPROXY=1. Using this, you will then have access to a new option "usesrc clientip" which will present the client's address to the servers by performing NAT in the kernel. Of course, for this you will have to configure your mail servers to route through haproxy for the responses to be NATed back.

I've always wondered why SPF and RBL checks only apply to the client's IP address. If those could apply to headers forwarded by intermediate proxies or relays, it should not be too hard to add an SMTP mode in haproxy to just add the client's IP address in a "received" header, just like what is done with the X-Forwarded-For header.

Regards,
Willy

Received on 2008/01/09 10:17
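Added example, not part of the original message or of haproxy: a small Python sketch of why the backend MX servers in this thread get wrong SPF and RBL answers when the only address they see is the proxy's. All addresses, the SPF record, the blocklist zone and the function names are constructed for illustration, and the SPF evaluator handles only the ip4/ip6 and all mechanisms.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the thread.
PROXY_IP = "192.0.2.10"       # the HAProxy box, as the MX servers see it
CLIENT_IP = "198.51.100.25"   # real sending host, hidden behind the proxy
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 -all"   # sender domain's policy
DNSBL_ZONE = "dnsbl.example"                     # hypothetical blocklist zone
LISTED = {"25.100.51.198.dnsbl.example"}         # stand-in for the zone's data


def dnsbl_query_name(peer_ip, zone=DNSBL_ZONE):
    """Name an MTA looks up for an IPv4 peer: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(peer_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def spf_check(peer_ip, record):
    """Evaluate only the ip4/ip6 and 'all' mechanisms of an SPF record."""
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(peer_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return results[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return results[qualifier]
    return "neutral"


def mx_verdict(peer_ip):
    """What a backend MX concludes from the TCP peer address it sees."""
    return {
        "spf": spf_check(peer_ip, SPF_RECORD),
        "rbl_listed": dnsbl_query_name(peer_ip) in LISTED,
    }


if __name__ == "__main__":
    print("peer = proxy address :", mx_verdict(PROXY_IP))
    print("peer = client address:", mx_verdict(CLIENT_IP))
```

With the proxy's address as peer, the authorized sender fails SPF and the listed host is missed by the blocklist lookup; with the client's address, as the server would see it when the source address is preserved, both checks give the intended result.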