As per https://wiki2.dovecot.org/HAProxy you have to add an extra inet_listener service to allow use of HAProxy. How to configure this for the dovecot container?
_Background_
I have my mailserver running on the local network and wish to use HAProxy (running on an external VPS) to forward IMAP and SMTP to my internal network via VPN.
See https://github.com/mailcow/mailcow-dockerized/issues/829. Using a proxy in front of IMAP and SMTP sounds like a nice idea, but has some major side effects.
I've this configuration already running for some time. So what are the major side effects?
HAProxy can provide the real IP address of the clients to Postfix and Dovecot; both support the HAProxy PROXY protocol. It only has to be configured correctly: in Dovecot, additional inet_listeners need to be added with haproxy=yes, and in Postfix the following lines need to be added to main.cf:
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 50s
proxy_interfaces = <IP addresses of your HAProxy>
You should not set the proxy protocol on smtpd, as smtpd is also used by mailcow internally; postscreen is the external "entrance" for SMTP traffic.
In docker-compose.yml (better: override it with docker-compose.override.yml) you need to add the additional ports for the additional inet_listeners. Also do not forget to open the firewall (if in use) for these extra ports on your host system.
Other web traffic can be handled as for any other normal web server; just enable the forwardfor option in HAProxy.
ManageSieve can just be a simple TCP proxy through HAProxy.
I wasn't aware of this kind of direct HAProxy support. Does it only work for the SSL ports (465, 993, 995) or also for the TLS-optional ones (25, 587, 143, 110)?
If real IP addresses are passed through, even fail2ban would continue working.
Not passing the real IP to ManageSieve is a problem though: then it's not protected by fail2ban and an attacker can try out usernames and passwords endlessly.
It plays nice with the PROXY protocol. I'm using it in some clustered setups. :)
Please post your changes to Dovecot and logs so people can help. :)
On 05.04.2019 at 19:53, michelmayen notifications@github.com wrote:
Hello,
I have the same problem with Dovecot and HAProxy.
I am already able to proxy the http/s (80 & 443) and smtp/s (25, 465, 587) flow through HAProxy with PROXY protocol support, but I can't make it work with Dovecot. When I follow the Dovecot documentation (https://wiki2.dovecot.org/HAProxy), the container refuses to start.
I didn't find where the Dovecot inet_listeners are defined in the mailcow stack.
Can someone help? Regards,
Hello,
I have the same problem with dovecot.
I am already able to proxy the http/s (80 & 443) and smtp (25, 465, 587) with the PROXY protocol, but I can't make it work with the Dovecot part. When I follow the Dovecot documentation (https://wiki2.dovecot.org/HAProxy), the dovecot-mailcow container refuses to start (error 89).
I didn't find where the inet_listeners are defined in the mailcow "stack".
Can someone help?
Regards,
@andryyy the logs look like this:
2019-04-05 20:30:22,488 CRIT Set uid to user 0
2019-04-05 20:30:22,490 INFO supervisord started with pid 1
2019-04-05 20:30:23,492 INFO spawned: 'processes' with pid 86
2019-04-05 20:30:23,493 INFO spawned: 'cron' with pid 87
2019-04-05 20:30:23,494 INFO spawned: 'dovecot' with pid 88
2019-04-05 20:30:23,495 INFO spawned: 'syslog-ng' with pid 89
Apr 5 20:30:23 mail syslog-ng[89]: syslog-ng starting up; version='3.8.1'
2019-04-05 20:30:23,543 INFO exited: dovecot (exit status 89; not expected)
2019-04-05 20:30:24,544 INFO success: processes entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-04-05 20:30:24,544 INFO success: cron entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-04-05 20:30:24,545 INFO spawned: 'dovecot' with pid 94
2019-04-05 20:30:24,545 INFO success: syslog-ng entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-04-05 20:30:24,594 INFO exited: dovecot (exit status 89; not expected)
2019-04-05 20:30:26,598 INFO spawned: 'dovecot' with pid 96
2019-04-05 20:30:26,644 INFO exited: dovecot (exit status 89; not expected)
2019-04-05 20:30:29,649 INFO spawned: 'dovecot' with pid 98
2019-04-05 20:30:29,694 INFO exited: dovecot (exit status 89; not expected)
2019-04-05 20:30:29,694 INFO gave up: dovecot entered FATAL state, too many start retries too quickly
2019-04-05 20:30:30,696 WARN received SIGQUIT indicating exit request
2019-04-05 20:30:30,697 INFO waiting for cron, processes, syslog-ng to die
Apr 5 20:30:30 mail syslog-ng[89]: syslog-ng shutting down; version='3.8.1'
2019-04-05 20:30:30,799 INFO stopped: syslog-ng (exit status 0)
2019-04-05 20:30:31,801 INFO stopped: cron (terminated by SIGTERM)
2019-04-05 20:30:31,801 INFO stopped: processes (terminated by SIGTERM)
Uptime: 101514 Threads: 31 Questions: 167574 Slow queries: 0 Opens: 109 Flush tables: 1 Open tables: 99 Queries per second avg: 1.650
The user `vmail' is already a member of `tty'.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 97448 100 97448 0 0 573k 0 --:--:-- --:--:-- --:--:-- 576k
20_blatspammer.cf
70_HS_body.cf
70_HS_header.cf
2019-04-05 20:30:33,490 CRIT Set uid to user 0
2019-04-05 20:30:33,493 INFO supervisord started with pid 1
2019-04-05 20:30:34,495 INFO spawned: 'processes' with pid 86
2019-04-05 20:30:34,496 INFO spawned: 'cron' with pid 87
2019-04-05 20:30:34,497 INFO spawned: 'dovecot' with pid 88
2019-04-05 20:30:34,498 INFO spawned: 'syslog-ng' with pid 89
Apr 5 20:30:34 mail syslog-ng[89]: syslog-ng starting up; version='3.8.1'
2019-04-05 20:30:34,544 INFO exited: dovecot (exit status 89; not expected)
2019-04-05 20:30:35,545 INFO success: processes entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-04-05 20:30:35,545 INFO success: cron entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-04-05 20:30:35,546 INFO spawned: 'dovecot' with pid 94
2019-04-05 20:30:35,546 INFO success: syslog-ng entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2019-04-05 20:30:35,589 INFO exited: dovecot (exit status 89; not expected)
2019-04-05 20:30:37,592 INFO spawned: 'dovecot' with pid 96
2019-04-05 20:30:37,634 INFO exited: dovecot (exit status 89; not expected)
2019-04-05 20:30:40,639 INFO spawned: 'dovecot' with pid 98
2019-04-05 20:30:40,681 INFO exited: dovecot (exit status 89; not expected)
2019-04-05 20:30:41,682 INFO gave up: dovecot entered FATAL state, too many start retries too quickly
2019-04-05 20:30:42,685 WARN received SIGQUIT indicating exit request
2019-04-05 20:30:42,686 INFO waiting for cron, processes, syslog-ng to die
Apr 5 20:30:42 mail syslog-ng[89]: syslog-ng shutting down; version='3.8.1'
2019-04-05 20:30:42,788 INFO stopped: syslog-ng (exit status 0)
Thanks,
And the dovecot.conf change is as follows:
service imap-login {
  service_count = 1
  process_limit = 10000
  vsz_limit = 1G
  user = dovenull
  # Added listeners. Dovecot's built-in imap/imaps listeners already bind 143
  # and 993, so a second listener on the same ports makes the master fail at
  # startup (the likely cause of exit status 89 above); the Dovecot HAProxy
  # page uses spare ports for these listeners instead.
  inet_listener imap-net {
    port = 143
    haproxy = yes
  }
  inet_listener imaps-net {
    port = 993
    haproxy = yes
    ssl = yes
  }
}
service pop3-login {
  service_count = 1
  vsz_limit = 1G
  # Same port clash with the built-in pop3/pop3s listeners on 110 and 995.
  inet_listener pop3-net {
    port = 110
    haproxy = yes
  }
  inet_listener pop3s-net {
    port = 995
    haproxy = yes
    ssl = yes
  }
}
@hunter-nl Hi, can you shed some light on how you've managed to get smtpd to work with both HAProxy and SOGo?
If I add the line smtpd_upstream_proxy_protocol = haproxy, my external clients (that use IMAP + SMTPS) can send email, but then SOGo can't. Deleting that line gets SOGo to work but breaks external clients.
_edit_
For anyone wondering about this, make sure you're not including send-proxy for 465 and 587.
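Added example, not code from the thread or from the mailcow project: a POSIX shell script that writes the fragments hunter-nl's post lists (Dovecot listeners with haproxy=yes on spare ports, so they do not collide with the stock 143/993/110/995 listeners the way the dovecot.conf change above does; the Postfix postscreen settings; a docker-compose.override.yml publishing the new ports; and an HAProxy configuration that uses send-proxy only toward listeners that expect a PROXY header, i.e. not toward 465/587, as the last comment notes). The VPN addresses 10.8.0.1 (HAProxy) and 10.8.0.2 (mailcow), the ports 10143/10993/10110/10995, and the use of data/conf/dovecot/extra.conf and data/conf/postfix/extra.cf as include files are assumptions; check them against your own mailcow tree before copying anything.

```shell
#!/bin/sh
# Added example (not mailcow's or the thread's own code). Writes the config
# fragments for HAProxy + PROXY protocol in front of mailcow-dockerized into
# the directory given as $1. Assumed: HAProxy reaches mailcow over a VPN as
# 10.8.0.1 -> 10.8.0.2, the proxied Dovecot listeners use 10143/10993/10110/10995,
# and mailcow includes data/conf/dovecot/extra.conf and data/conf/postfix/extra.cf.
set -eu

HAPROXY_VPN_IP="${HAPROXY_VPN_IP:-10.8.0.1}"
MAILCOW_VPN_IP="${MAILCOW_VPN_IP:-10.8.0.2}"

# Dovecot: dedicated listeners with haproxy=yes. They must not reuse 143/993/
# 110/995: the built-in imap/imaps/pop3/pop3s listeners already bind those, and
# a second listener on the same port makes dovecot abort at startup.
# haproxy_trusted_networks is mandatory; a PROXY header from any other source
# is rejected, so only the VPN peer can assert a client address.
write_dovecot_extra() {
  cat > "$1" <<EOF
haproxy_trusted_networks = ${HAPROXY_VPN_IP}/32
haproxy_timeout = 3 secs

service imap-login {
  inet_listener imap_haproxy {
    port = 10143
    haproxy = yes
  }
  inet_listener imaps_haproxy {
    port = 10993
    ssl = yes
    haproxy = yes
  }
}
service pop3-login {
  inet_listener pop3_haproxy {
    port = 10110
    haproxy = yes
  }
  inet_listener pop3s_haproxy {
    port = 10995
    ssl = yes
    haproxy = yes
  }
}
EOF
}

# Postfix: only postscreen (port 25) speaks PROXY protocol. smtpd on 465/587 is
# also used by mailcow's own containers (SOGo), so it stays without it.
write_postfix_extra() {
  cat > "$1" <<EOF
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 50s
proxy_interfaces = ${HAPROXY_VPN_IP}
EOF
}

# Compose override: publish the new listeners on the VPN address only.
write_compose_override() {
  cat > "$1" <<EOF
version: '2.1'
services:
  dovecot-mailcow:
    ports:
      - "${MAILCOW_VPN_IP}:10143:10143"
      - "${MAILCOW_VPN_IP}:10993:10993"
      - "${MAILCOW_VPN_IP}:10110:10110"
      - "${MAILCOW_VPN_IP}:10995:10995"
EOF
}

# One TCP frontend/backend pair: name, public port, mailcow port, server options.
tcp_pair() {
  printf 'frontend ft_%s\n    bind :%s\n    mode tcp\n    default_backend bk_%s\n' "$1" "$2" "$1"
  printf 'backend bk_%s\n    mode tcp\n    server mailcow %s:%s%s\n\n' "$1" "$MAILCOW_VPN_IP" "$3" "${4:+ $4}"
}

# HAProxy: send-proxy only toward listeners that expect a PROXY header.
write_haproxy_cfg() {
  {
    tcp_pair imap  143 10143 send-proxy
    tcp_pair imaps 993 10993 send-proxy
    tcp_pair pop3  110 10110 send-proxy
    tcp_pair pop3s 995 10995 send-proxy
    tcp_pair smtp  25  25    send-proxy   # postscreen understands it
    tcp_pair smtps 465 465   ""           # smtpd: no send-proxy
    tcp_pair submission 587 587 ""        # smtpd: no send-proxy
    tcp_pair sieve 4190 4190 ""           # plain TCP; Dovecot sees the HAProxy IP
  } > "$1"
}

generate_all() {
  mkdir -p "$1/data/conf/dovecot" "$1/data/conf/postfix" "$1/haproxy"
  write_dovecot_extra    "$1/data/conf/dovecot/extra.conf"
  write_postfix_extra    "$1/data/conf/postfix/extra.cf"
  write_compose_override "$1/docker-compose.override.yml"
  write_haproxy_cfg      "$1/haproxy/mail.cfg"
}

if [ -n "${1:-}" ]; then
  generate_all "$1"
fi
```

Run it as `sh gen-haproxy.sh ./out` and compare the four files with what you already have before copying them over. Two points worth keeping in mind: Dovecot refuses a PROXY header from any address outside haproxy_trusted_networks, so the new listeners only accept the VPN peer even if the ports end up reachable from elsewhere, but the host firewall still has to let the VPN source in; and ManageSieve stays a plain TCP proxy here, so Dovecot logs the HAProxy address for it, which is exactly the fail2ban gap raised earlier in the thread.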
[Feature] Add HAProxy listeners and an example override file