New subject: Dovecot behind Reverse Proxy and IP families

18 Oct 2023 · *fields, &local_ip) < 0 || 552 local_ip.family != family) { 553 e_error(hpconn->event, "Client disconnected: " 554 "Proxied local address is invalid " 555 "(address=`%s', rip=%s)", str_sanitize(*

      On 10/13/23 06:55, Arnaud Cordier wrote:
...
Hi Justas,
Thank you for your answer. Unfortunately, I already have a dual stack
cluster with an IPv6 assigned to the pod:
3: eth0@if22:  mtu 1430 qdisc
noqueue state UP qlen 1000
link/ether c6:90:d2:cf:b8:77 brd ff:ff:ff:ff:ff:ff
inet 10.42.4.52/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fd23:23:42:0:251d:192a:bb7f:a1f4/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::c490:d2ff:fecf:b877/64 scope link
valid_lft forever preferred_lft forever
Any additional idea?

Arnaud Cordier
CryptID
Freelance cybersecurity engineer - Pentester - Red teamer
Tel: +33 (0)6 61 44 82 04
On 10/12/23 22:54, Justas Umbrasas wrote:
...
Hey,
we are running a similar setup without an issue (not on k8s). I
believe the reason is that the remote dovecot pod is only binding on
IPv4 and has no IPv6 configured. This is kind of a hack, however you
could try binding the pod to both IPv4 and IPv6 and see if it works.
Best,
Justas Umbrasas
On 2023-10-12 20:25, Arnaud Cordier via dovecot wrote:
...
Dear all,
I am running Dovecot 2.3.20 in a Kubernetes cluster. The Dovecot
container is exposed behind a Traefik load-balancer, which acts just
like HAProxy would, using the Proxy Protocol in order to allow
Dovecot to be aware of the real source IP of the client, as follows:
Internet <-> Traefik load-balancer <---- Proxy protocol ----> Dovecot
My setup works well over IPv4.
Oct 12 19:11:33 imap-login: Info: Login: user=arnaud@xxx,
method=PLAIN, rip= lip=10.42.4.21,
mpid=1369531, session=<xxxx>
Howevever, if the client originates from an IPv6 address, Dovecot
does not seem to take the real IPv6 origin into account and fails.
Oct 12 19:09:04 imap-login: Error: haproxy(v1): Client disconnected:
Proxied local address is invalid (address=`10.42.4.21', rip=10.42.4.21)
A network capture shows that the proxy protocol indeed sends the
real IPv6 IP, that should be taken into account by dovecot:
......&.PROXY TCP6 2001: 10.42.4.21 20200 993
The error seems to be raised in
"core/src/lib-master/master-service-haproxy.c" line 553:
551 if (net_addr2ip(*fields, &local_ip) < 0 ||
552                                 local_ip.family != family) {
553 e_error(hpconn->event, "Client disconnected: "
554                                         "Proxied local address
is invalid "
555                                         "(address=`%s',
rip=%s)", str_sanitize(*fields, 64),
556 net_ip2addr(real_remote_ip));
557                                 return -1;
558                         }
559                         fields++;
I suppose that the issue is related to the fact that the client
originates from an IPv6 then the reverse proxy forwards the
connection to Dovecot over IPv4, which results in the
"local_ip.family != family" condition to be true.
Why is such a restriction implemented ?
It is to be noted that I implemented the exact same load-balancer
architecture for postfix, which successfully handles an IPv6 real IP
over an IPv4 connection.
I temporarily fixed the issue by setting an IPv4 only DNS record for
my imaps domain name, however, do you think that a fix could be
implemented in Dovecot?
Kind regards,

dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
On 10/13/23 06:55, Arnaud Cordier wrote:
Hi Justas,
Thank you for your answer. Unfortunately, I already have a dual stack cluster
with an IPv6 assigned to the pod:
3: eth0@if22:  mtu 1430 qdisc noqueue
state UP qlen 1000
link/ether c6:90:d2:cf:b8:77 brd ff:ff:ff:ff:ff:ff
inet 10.42.4.52/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fd23:23:42:0:251d:192a:bb7f:a1f4/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::c490:d2ff:fecf:b877/64 scope link
valid_lft forever preferred_lft forever
Any additional idea?
Arnaud Cordier
CryptID
Freelance cybersecurity engineer - Pentester - Red teamer
Tel: +33 (0)6 61 44 82 04
On 10/12/23 22:54, Justas Umbrasas wrote:
Hey,
we are running a similar setup without an issue (not on k8s). I believe the
reason is that the remote dovecot pod is only binding on IPv4 and has no IPv6
configured. This is kind of a hack, however you could try binding the pod to
both IPv4 and IPv6 and see if it works.
Best,
Justas Umbrasas
On 2023-10-12 20:25, Arnaud Cordier via dovecot wrote:
Dear all,
 I am running Dovecot 2.3.20 in a Kubernetes cluster. The Dovecot
 container is exposed behind a Traefik load-balancer, which acts just
 like HAProxy would, using the Proxy Protocol in order to allow
 Dovecot to be aware of the real source IP of the client, as follows:

 Internet <-> Traefik load-balancer <---- Proxy protocol ----> Dovecot

 My setup works well over IPv4.

 Oct 12 19:11:33 imap-login: Info: Login: user=<arnaud@xxx>,
 method=PLAIN, rip=<my_ipv4_public_address> lip=10.42.4.21,
 mpid=1369531, session=<xxxx>

 Howevever, if the client originates from an IPv6 address, Dovecot
 does not seem to take the real IPv6 origin into account and fails.

 Oct 12 19:09:04 imap-login: Error: haproxy(v1): Client disconnected:
 Proxied local address is invalid (address=`10.42.4.21',
 rip=10.42.4.21)

 A network capture shows that the proxy protocol indeed sends the real
 IPv6 IP, that should be taken into account by dovecot:

 ......&.PROXY TCP6 2001:<rest_of_my_public_ip> 10.42.4.21 20200 993

 The error seems to be raised in "core/src/lib-master/master-service-
 haproxy.c" line 553:

 551 if (net_addr2ip(*fields, &local_ip) < 0 ||
 552                                 local_ip.family != family) {
 553                                 e_error(hpconn->event, "Client
 disconnected: "
 554                                         "Proxied local address is
 invalid "
 555                                         "(address=`%s', rip=%s)",
 str_sanitize(*fields, 64),
 556 net_ip2addr(real_remote_ip));
 557                                 return -1;
 558                         }
 559                         fields++;

 I suppose that the issue is related to the fact that the client
 originates from an IPv6 then the reverse proxy forwards the
 connection to Dovecot over IPv4, which results in the
 "local_ip.family != family" condition to be true.

 Why is such a restriction implemented ?

 It is to be noted that I implemented the exact same load-balancer
 architecture for postfix, which successfully handles an IPv6 real IP
 over an IPv4 connection.

 I temporarily fixed the issue by setting an IPv4 only DNS record for
 my imaps domain name, however, do you think that a fix could be
 implemented in Dovecot?

 Kind regards,

 _______________________________________________
 dovecot mailing list -- dovecot@dovecot.org
 To unsubscribe send an email to dovecot-leave@dovecot.org

Re: Dovecot behind Reverse Proxy and IP families

Arnaud Cordier

Arnaud Cordier

Arnaud Cordier

Willy Manga

tags

participants (2)