Dovecot behind Reverse Proxy and IP families

12 Oct 2023 · *fields, &local_ip) < 0 || 552 local_ip.family != family) { 553 e_error(hpconn->event, "Client disconnected: " 554 "Proxied local address is invalid " 555 "(address=`%s', rip=%s)", str_sanitize(*


      Dear all,
I am running Dovecot 2.3.20 in a Kubernetes cluster. The Dovecot
container is exposed behind a Traefik load-balancer, which acts just
like HAProxy would, using the Proxy Protocol in order to allow Dovecot
to be aware of the real source IP of the client, as follows:
Internet <-> Traefik load-balancer <---- Proxy protocol ----> Dovecot
My setup works well over IPv4.
Oct 12 19:11:33 imap-login: Info: Login: user=<arnaud@xxx>,
method=PLAIN, rip=<my_ipv4_public_address> lip=10.42.4.21, mpid=1369531,
session=<xxxx>
Howevever, if the client originates from an IPv6 address, Dovecot does
not seem to take the real IPv6 origin into account and fails.
Oct 12 19:09:04 imap-login: Error: haproxy(v1): Client disconnected:
Proxied local address is invalid (address=`10.42.4.21', rip=10.42.4.21)
A network capture shows that the proxy protocol indeed sends the real
IPv6 IP, that should be taken into account by dovecot:
......&.PROXY TCP6 2001:<rest_of_my_public_ip> 10.42.4.21 20200 993
The error seems to be raised in
"core/src/lib-master/master-service-haproxy.c" line 553:
551 if (net_addr2ip(*fields, &local_ip) < 0 ||
552                                 local_ip.family != family) {
553                                 e_error(hpconn->event, "Client
disconnected: "
554                                         "Proxied local address is
invalid "
555                                         "(address=`%s', rip=%s)",
str_sanitize(*fields, 64),
556 net_ip2addr(real_remote_ip));
557                                 return -1;
558                         }
559                         fields++;
I suppose that the issue is related to the fact that the client
originates from an IPv6 then the reverse proxy forwards the connection
to Dovecot over IPv4, which results in the "local_ip.family != family"
condition to be true.
Why is such a restriction implemented ?
It is to be noted that I implemented the exact same load-balancer
architecture for postfix, which successfully handles an IPv6 real IP
over an IPv4 connection.
I temporarily fixed the issue by setting an IPv4 only DNS record for my
imaps domain name, however, do you think that a fix could be implemented
in Dovecot?
Kind regards,
--
Arnaud Cordier
CryptID
Freelance cybersecurity engineer - Pentester - Red teamer
Tel: +33 (0)6 61 44 82 04

Arnaud Cordier

--

Arnaud Cordier

tags

participants (1)