support reverse proxies other than haproxy #62

MichaelSp wants to merge 6 commits into docker-mailserver:master from
Conversation
Move `proxy_trusted_networks` from the `haproxy` to the `service` section since it's not only applicable for haproxy configuration.

In my case, I'm running traefik as described in: https://docker-mailserver.github.io/docker-mailserver/edge/examples/tutorials/mailserver-behind-proxy/

Signed-off-by: Michael Sprauer <[email protected]>
Thanks @MichaelSp, this looks like a great addition! TBH, the only reason we originally went with HAProxy was its support for PROXY PROTOCOL, and at the time, Traefik could only do HTTP. (I'm a big fan of Traefik!) Have you considered / tested PROXY PROTOCOL support in this PR? Thanks!
Yes, I'm running the master branch since ~3 weeks in production now. And yes, I'm using traefik. This branch includes:

So far no issues.
Sorry for the delay here - to confirm, proxy protocol support is working, and the original source IP is being received / processed by postfix, spamassassin, etc?
postfix and dovecot work just fine, I haven't checked spamassassin etc.
Thank you :) The important thing to check is that postfix records the original sender's IP, since it's required in the mail headers for spamassassin to do RBL-based filtering. You could just confirm by examining the headers of any email received by the platform. You'll know it's not working if all emails seem to come from Traefik's pod IPs :)
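The header check described in the comment above, written out as an added example (it is not part of this PR, the chart, or docker-mailserver): it parses a constructed message, takes the client address that postfix recorded in the topmost `Received` header, and reports whether that address is a real client or falls inside the proxy's pod network, which is what you would see if PROXY protocol were not working. The pod CIDR, hostnames and addresses below are assumptions made up for the example.

```python
import ipaddress
import re
from email import message_from_string

# Assumed Traefik pod network; replace with the real pod CIDR of the cluster.
PROXY_POD_CIDRS = [ipaddress.ip_network("10.42.0.0/16")]

# Constructed sample: PROXY protocol working, postfix saw the real client.
# The second Received header is an upstream hop and must be ignored.
SAMPLE_OK = """Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mail.example.org (Postfix) with ESMTPS id 4ABC123
    for <user@example.org>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [192.0.2.20] (unknown [192.0.2.20])
    by mail.example.net (Postfix) with ESMTPA id 9XYZ789;
    Mon, 01 Jan 2024 09:59:58 +0000
From: sender@example.net
To: user@example.org
Subject: hello

body
"""

# Constructed sample: PROXY protocol not working, postfix only saw the proxy pod.
SAMPLE_BAD = """Received: from traefik (traefik-0.traefik.svc [10.42.3.15])
    by mail.example.org (Postfix) with ESMTPS id 4DEF456
    for <user@example.org>; Mon, 01 Jan 2024 10:00:00 +0000
From: sender@example.net
To: user@example.org
Subject: hello

body
"""

# Postfix writes the connecting client's address in square brackets.
IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def first_hop_ip(raw_message: str):
    """Return the client address recorded by the receiving postfix.

    Received headers are prepended, so the topmost one is the hop added by
    our own postfix; that is the address spamassassin's RBL checks will use.
    Returns None when there is no Received header or no bracketed address.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IP_IN_BRACKETS.search(received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def proxy_protocol_ok(raw_message: str, proxy_cidrs=PROXY_POD_CIDRS) -> bool:
    """True if postfix recorded a real client, False if it recorded the proxy.

    A missing or unparsable address is treated as a failure, since the
    RBL filtering would have nothing to work with either way.
    """
    ip = first_hop_ip(raw_message)
    if ip is None:
        return False
    return not any(ip in net for net in proxy_cidrs)


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, first_hop_ip(sample), "proxy protocol ok:", proxy_protocol_ok(sample))
```

Run it against a real message by reading the `.eml` into a string and passing it to `proxy_protocol_ok`; if every message you try comes back `False`, postscreen is not receiving the client address through the proxy.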
Just confirmed it. I can see the real IP in
@funkypenguin I observed another ~2 months in prod without any issues.
Gah. I just realized that my review comments from 2 months prior have been "pending" all this time, so you probably didn't see my question about testing rainloop. Completing the review now...
funkypenguin left a comment
Just a question re testing for rainloop
| postfix-main.cf: | | ||
| {{/* Enable proxy protocol for postscreen / dovecot */}} | ||
| {{- if .Values.haproxy.enabled }} # Necessary to permit proxy protocol from haproxy to postscreen | ||
| {{- if or .Values.service.behind_proxy .Values.rainloop.enabled }} # Necessary to permit proxy protocol from haproxy to postscreen |
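Review bot: the trailing comment on the changed line still reads "Necessary to permit proxy protocol from haproxy to postscreen" although the condition now keys on `.Values.service.behind_proxy` and no longer mentions haproxy; reword it to name the generic reverse proxy so it matches the new condition. Since the context line says this block enables proxy protocol for postscreen / dovecot, the `or .Values.rainloop.enabled` half also deserves a comment stating why enabling rainloop implies a PROXY-protocol-speaking proxy in front of the listeners; without that, a reader cannot tell whether the coupling is intended.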
I'm not understanding why we're testing for rainloop here?
@MichaelSp can you remind me why we're testing for rainloop here?
Ahh now you got me. I have no idea, I just did some search/replace. But I tried to find an answer. According to this doc you need to enable this for all reverse-proxy setups so that postscreen is able to identify the correct remote address.
And why the `or`? We have a reverse-proxy setup either explicitly defined via `Values.service.behind_proxy` or implicitly via `.Values.rainloop.enabled`.
# Conflicts:
#	charts/docker-mailserver/Chart.yaml
#	charts/docker-mailserver/README.md
Closing, but added a documentation ticket for Traefik. See docker-mailserver/docker-mailserver#3865