PROXY protocol
Nikolaos Milas
nmilas at noa.gr
Fri Aug 21 11:31:33 UTC 2015
On 20/8/2015 11:09 PM, Nikolaos Milas wrote:
> As soon as I manage to re-build Dovecot with the latest snapshot, I'll
> test it!
Hello,
I've built dovecot with today's snapshot from hg
(dovecot-2-2-9f815e781beb) and I am trying to enable haproxy.
I configured as follows (lines added compared to initial config are
marked with +):
+ haproxy_trusted_networks = 62.217.xxx.xxx/29, 2001:648:xxx:xxx::/64
  service auth {
+   inet_listener {
+     haproxy = yes
+   }
    unix_listener /var/spool/postfix/private/auth {
      group = postfix
      mode = 0660
      user = postfix
    }
    unix_listener auth-master {
      group = vmail
      mode = 0660
      user = vmail
    }
    user = root
  }
  service imap-login {
    service_count = 1
    vsz_limit = 128 M
  }
  service pop3-login {
    service_count = 1
    vsz_limit = 128 M
  }
Dovecot starts OK and accepts connections successfully as usual, but
when I add the 'send-proxy' directive on haproxy server nodes (in
haproxy.cfg), clients cannot log in.
With pop3s, imaps, I get errors of the form:
Aug 21 13:30:04 vdev dovecot: pop3-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip={haproxy-server-ip-address},
lip={local-dovecot-server-ip-address}, TLS handshaking: SSL_accept()
failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol, session=<m1tAwM8dDQA+2XwE>
Aug 21 13:30:14 vdev dovecot: imap-login: Disconnected (disconnected
before auth was ready, waited 0 secs): user=<>,
rip={haproxy-server-ip-address}, lip={local-dovecot-server-ip-address},
TLS handshaking: SSL_accept() failed: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<PCjXwM8degA+2XwE>
Aug 21 13:30:15 vdev dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip={haproxy-server-ip-address},
lip={local-dovecot-server-ip-address}, TLS handshaking: SSL_accept()
failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol, session=<MeTtwM8dfAA+2XwE>
With pop3, imap, I get failed auth messages:
Aug 21 14:18:12 vdev dovecot: pop3-login: Disconnected (auth failed, 1
attempts in 14 secs): user=<tester>, method=PLAIN, rip=62.217.124.4,
lip=195.251.204.232, session=<h2yOa9AdKQA+2XwE>
Aug 21 14:20:33 vdev dovecot: auth:
plain(?,{haproxy-server-ip-address},<r2/KdNAdYQA+2XwE>): Invalid base64
data in continued response
Aug 21 14:20:38 vdev dovecot: auth:
plain(?,{haproxy-server-ip-address},<f8AZddAdZwA+2XwE>): Invalid base64
data in continued response
Aug 21 14:20:38 vdev dovecot: imap-login: Disconnected (auth failed, 1
attempts in 0 secs): user=<>, method=PLAIN,
rip={haproxy-server-ip-address}, lip={local-dovecot-server-ip-address},
session=<f8AZddAdZwA+2XwE>
Note: I have replaced real IP addresses with {haproxy-server-ip-address}
and {local-dovecot-server-ip-address}.
Should I configure things differently?
Please advise.
Thanks,
Nick
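
Added example, not part of the original post and not Dovecot or HAProxy code: with 'send-proxy', HAProxy puts a PROXY protocol v1 text line in front of the client's data on each backend connection, so a listener that does not consume that line parses it as the first bytes of TLS or IMAP/POP3. The Python sketch below classifies the first bytes of a connection and accepts the header only from a trusted proxy network; the function names, addresses (documentation ranges) and sample bytes are constructed for illustration.

```python
import ipaddress

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY v2 preamble

def classify_first_bytes(data):
    """Name what a listener sees at the very start of a connection."""
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if data.startswith(V2_SIGNATURE):
        return "proxy-v2"
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"  # TLS record: handshake, version 3.x
    return "plaintext"

def parse_proxy_v1(data):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for TCP4/TCP6 headers."""
    end = data.find(b"\r\n", 0, 107)  # a v1 header is at most 107 bytes with CRLF
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no complete PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")  # e.g. "PROXY UNKNOWN"
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return src, dst, sport, dport, data[end + 2:]

def effective_peer(peer_ip, data, trusted_networks):
    """Return (client_ip, payload); accept a header only from a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if classify_first_bytes(data) != "proxy-v1":
        return peer, data
    if not any(peer in ipaddress.ip_network(n) for n in trusted_networks):
        raise PermissionError("PROXY header from untrusted peer %s" % peer)
    src, _dst, _sport, _dport, payload = parse_proxy_v1(data)
    return src, payload

# Constructed sample (documentation address ranges, not values from the post).
TRUSTED = ["192.0.2.0/29", "2001:db8::/64"]
FIRST_BYTES = b"PROXY TCP4 203.0.113.7 192.0.2.20 51234 993\r\n\x16\x03\x01\x02\x00\x01"

if __name__ == "__main__":
    print(classify_first_bytes(FIRST_BYTES))        # what an unaware listener parses
    client, payload = effective_peer("192.0.2.4", FIRST_BYTES, TRUSTED)
    print(client, classify_first_bytes(payload))    # after the header is consumed
```

The same bytes classify as a PROXY line before the header is consumed and as a TLS handshake record afterwards, which is the difference between a listener that handles the header and one that does not.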