haproxy + submission services -> postfix failure

Chris Thomas chris.alex.thomas at gmail.com
Fri Apr 19 20:58:35 EEST 2019


Hi,

I have an nginx server which is using the proxy protocol to forward tcp
connections to dovecot. Dovecot is configured to be a submission
service for email to be sent. Then postfix should send the email
itself which is also using the haproxy protocol. There are a few
moving parts in this problem so I'm not sure where the problem is. But
I want to ask if somebody can validate my dovecot configuration
somehow so I can start to tick off some things from the list.

Sending email fails, seems to get to postfix, then dies.
Receiving emails succeeds and I don't have any problem picking them up.

I've figured out some stuff, like lmtp shouldn't use haproxy when
talking between postfix -> dovecot for receiving emails. If I enable
the protocol on lmtp, I can't receive any emails at all.

In order to get postfix to accept emails, I enabled haproxy protocol
and enabled postscreen and then postfix could access the source ip and
stop my server from being an open relay.

I've got tls certificates installed on dovecot and postfix, all
created by letsencrypt and I don't appear to have any problems with
them.

I will try to give as much information about the config as I can, I'm
not sure what other parts are good to have, but let me know if you are
missing something or want to check a value.

>> 10-master.conf:
service submission-login {
  inet_listener submission {
    port = 587
    haproxy = yes
  }
}

service lmtp {
  inet_listener lmtp {
    port = 24
    haproxy = no
  }
}


>> 20-submission.conf
submission_relay_host = postfix.mail-server
submission_relay_port = 25
submission_relay_ssl = starttls
submission_relay_ssl_verify = yes

Then because it might help to give the other side of the connection
configuration for postfix, here is the relevant information:

>> master.cf:
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd

>> main.cf

postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 10s

That's it. I don't know what other information could be useful.

There are some logs, they are like this (I've got logging turned on
for pretty much every option I have):

Dovecot logs:

Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
Added userdb setting: plugin/quota_rule=*:bytes=0
Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
Effective uid=8, gid=8, home=/mail/__DOMAIN_COM__/__USER__
Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no,
list=yes, subscriptions=yes
location=maildir:/mail/__DOMAIN_COM__/__USER__
Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
maildir++: root=/mail/__DOMAIN_COM__/__USER__, index=, indexpvt=,
control=, inbox=/mail/__DOMAIN_COM__/__USER__, alt=
Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-server: conn __IP_ADDR_1__:31217 [0]: Connection created
Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-client: conn postfix.mail-server:25 [0]: Connection created
Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-client: conn postfix.mail-server:25 [0]: Looking up IP address
Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-client: conn postfix.mail-server:25 [0]: DNS lookup successful;
got 1 IPs
Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-client: conn postfix.mail-server:25 [0]: Connecting to
10.104.211.161:25
Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-client: conn postfix.mail-server:25 [0]: Connected
Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-client: conn postfix.mail-server:25 [0]: Received greeting from
server: 421 4.3.2 No system resources
Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-client: conn postfix.mail-server:25 [0]: Connection failed: 421
4.3.2 No system resources
Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Error:
Failed to establish relay connection: 421 4.3.2 No system resources
Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-client: conn postfix.mail-server:25 [0]: Disconnected
Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Info:
Disconnect from __IP_ADDR_1__: Failed to establish relay connection
in=0 out=22 (state=GREETING)
Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
smtp-server: conn __IP_ADDR_1__:31217 [0]: Disconnected: Failed to
establish relay connection

Postfix Logs:
postfix/postscreen[525]: warning: haproxy read: time limit exceeded

If anybody could help out, I'd be grateful because I just can't see
what the problem is.

Chris
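
A timing check over the logs above, as an added example that is not part of the original post: it measures how long Dovecot's relay client waited for the SMTP greeting and compares that with postscreen_upstream_proxy_timeout. The function names, the shortened session prefix and the year 2019 (taken from the message date) are assumptions; a wait equal to the timeout followed by a 4xx greeting is consistent with postscreen waiting for a PROXY header that the connecting client never sent.

```python
import re
from datetime import datetime

# Constructed sample: the relay-connection lines from the Dovecot log above,
# with the mail client's line wrapping undone and the session prefix shortened.
SAMPLE_LOG = """\
Apr 19 17:54:47 submission(user)<497><sess>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Connecting to 10.104.211.161:25
Apr 19 17:54:47 submission(user)<497><sess>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Connected
Apr 19 17:54:57 submission(user)<497><sess>: Debug: smtp-client: conn postfix.mail-server:25 [0]: Received greeting from server: 421 4.3.2 No system resources
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"smtp-client: conn (?P<conn>\S+) \[\d+\]: (?P<msg>.*)$")

def parse_duration(value):
    """Convert a Postfix time value such as '10s' or '2m' to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"not a Postfix time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600,
                              "d": 86400, "w": 604800}[m.group(2)]

def find_stalled_greetings(log_text, proxy_timeout="10s", year=2019):
    """Return (conn, seconds_waited, greeting) for relay connections whose
    greeting was a 4xx reply arriving no sooner than the proxy timeout."""
    limit = parse_duration(proxy_timeout)
    connected, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; it is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        conn, msg = m["conn"], m["msg"]
        if msg == "Connected":
            connected[conn] = ts
        elif msg.startswith("Received greeting from server: ") and conn in connected:
            greeting = msg.split(": ", 1)[1]
            waited = (ts - connected.pop(conn)).total_seconds()
            # An SMTP client sends nothing before the greeting, so a listener
            # that expects a PROXY header first stalls until its read timeout.
            if greeting.startswith("4") and waited >= limit:
                findings.append((conn, waited, greeting))
    return findings

if __name__ == "__main__":
    for conn, waited, greeting in find_stalled_greetings(SAMPLE_LOG):
        print(f"{conn}: waited {waited:.0f}s for greeting, got {greeting!r}")
```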

