haproxy + submission services -> postfix failure

Stephan Bosch stephan at rename-it.nl
Wed Apr 24 00:41:49 EEST 2019



On 19/04/2019 19:58, Chris Thomas via dovecot wrote:
> Hi,
>
> I have a nginx server which is using the proxy protocol to forward tcp
> connections to dovecot. Dovecot is configured to be a submission
> service for email to be sent. Then postfix should send the email
> itself which is also using the ha proxy protocol. There are a few
> moving parts in this problem so I'm not sure where the problem is. But
> I want to ask if somebody can validate my dovecot configuration
> somehow so I can start to tick off some things from the list.
>
> Sending email fails, seems to get to postfix, then die
> Receiving emails succeeds and I don't have any problem to pick them up.
>
> I've figured out some stuff, like lmtp shouldn't use haproxy when
> talking between postfix -> dovecot for receiving emails. If I enable
> the protocol on lmtp, I can't receive any emails at all.
>
> In order to get postfix to accept emails, I enabled haproxy protocol
> and enabled postscreen and then postfix could access the source ip and
> stop my server from being an open relay.
>
> I've got tls certificates installed on dovecot and postfix, all
> created by letsencrypt and I don't appear to have any problems with
> them.
>
> I will try to give as much information about the config as I can, I'm
> not sure what other parts are good to have, but let me know if you are
> missing something or want to check a value.

You enabled haproxy both for nginx<->dovecot and dovecot<->postfix. 
Dovecot does not support haproxy for outgoing connections, so the latter 
won't work.

Regards,

Stephan.

>
>>> 10-master.conf:
> service submission-login {
>    inet_listener submission {
>      port = 587
>      haproxy = yes
>    }
> }
>
> service lmtp {
>    inet_listener lmtp {
>      port = 24
>      haproxy = no
>    }
> }
>
>
>>> 20-submission.conf
> submission_relay_host = postfix.mail-server
> submission_relay_port = 25
> submission_relay_ssl = starttls
> submission_relay_ssl_verify = yes
>
> Then because it might help to give the other side of the connection
> configuration for postfix, here is the relevant information:
>
>>> master.cf:
> smtp      inet  n       -       -       -       1       postscreen
> smtpd     pass  -       -       -       -       -       smtpd
>
>>> main.cf
> postscreen_upstream_proxy_protocol = haproxy
> postscreen_upstream_proxy_timeout = 10s
>
> That's it. I don't know what other information could be useful.
>
> There are some logs, they are like this (I've got logging turned on
> for pretty much every option I have):
>
> Dovecot logs:
>
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> Added userdb setting: plugin/quota_rule=*:bytes=0
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> Effective uid=8, gid=8, home=/mail/__DOMAIN_COM__/__USER__
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no,
> list=yes, subscriptions=yes
> location=maildir:/mail/__DOMAIN_COM__/__USER__
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> maildir++: root=/mail/__DOMAIN_COM__/__USER__, index=, indexpvt=,
> control=, inbox=/mail/__DOMAIN_COM__/__USER__, alt=
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-server: conn __IP_ADDR_1__:31217 [0]: Connection created
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-client: conn postfix.mail-server:25 [0]: Connection created
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-client: conn postfix.mail-server:25 [0]: Looking up IP address
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-client: conn postfix.mail-server:25 [0]: DNS lookup successful;
> got 1 IPs
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-client: conn postfix.mail-server:25 [0]: Connecting to
> 10.104.211.161:25
> Apr 19 17:54:47 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-client: conn postfix.mail-server:25 [0]: Connected
> Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-client: conn postfix.mail-server:25 [0]: Received greeting from
> server: 421 4.3.2 No system resources
> Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-client: conn postfix.mail-server:25 [0]: Connection failed: 421
> 4.3.2 No system resources
> Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Error:
> Failed to establish relay connection: 421 4.3.2 No system resources
> Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-client: conn postfix.mail-server:25 [0]: Disconnected
> Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Info:
> Disconnect from __IP_ADDR_1__: Failed to establish relay connection
> in=0 out=22 (state=GREETING)
> Apr 19 17:54:57 submission(__EMAIL__)<497><KUGA0OWG8XlfW/Q8>: Debug:
> smtp-server: conn __IP_ADDR_1__:31217 [0]: Disconnected: Failed to
> establish relay connection
>
> Postfix Logs:
> postfix/postscreen[525]: warning: haproxy read: time limit exceeded
>
> If anybody could help out, I'd be grateful because I just can't see
> what the problem is.
>
> Chris
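
Added example (not part of the original thread, and not Dovecot or Postfix code): a small Python model of the failure visible in the logs above, where a listener that requires a PROXY v1 line and an SMTP client that waits for the greeting both stay silent until the proxy timeout expires. The listener is a hypothetical stand-in; the addresses, the 220 banner and the 0.3 s timeout (standing in for the 10s setting) are constructed.

```python
import socket
import threading

PROXY_TIMEOUT = 0.3  # constructed; stands in for postscreen_upstream_proxy_timeout = 10s


def parse_proxy_v1(line: bytes):
    """Parse a PROXY protocol v1 line; return (src_ip, src_port) or None."""
    if not line.endswith(b"\r\n"):
        return None
    parts = line[:-2].decode("ascii", "replace").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        return None
    src, sport, dport = parts[2], parts[4], parts[5]
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return src, int(sport)


def proxy_aware_listener(conn: socket.socket) -> None:
    """Hypothetical listener: demands the PROXY line before it sends a greeting."""
    conn.settimeout(PROXY_TIMEOUT)
    buf = b""
    try:
        while not buf.endswith(b"\r\n") and len(buf) < 107:  # v1 line is at most 107 bytes
            chunk = conn.recv(1)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass  # the "haproxy read: time limit exceeded" case from the Postfix log
    ok = parse_proxy_v1(buf) is not None
    conn.sendall(b"220 mail.example ESMTP\r\n" if ok else b"421 4.3.2 No system resources\r\n")
    conn.close()


def relay_greeting(send_proxy_header: bool) -> bytes:
    """Act as the relaying SMTP client and return the greeting line it receives."""
    client, server = socket.socketpair()
    t = threading.Thread(target=proxy_aware_listener, args=(server,))
    t.start()
    if send_proxy_header:
        client.sendall(b"PROXY TCP4 192.0.2.10 192.0.2.20 31217 25\r\n")
    with client.makefile("rb") as f:  # an SMTP client speaks only after the greeting
        greeting = f.readline()
    client.close()
    t.join()
    return greeting
```

`relay_greeting(False)` models the relay connection in the thread, which sends no PROXY line, and returns the 421 greeting once the timeout passes; `relay_greeting(True)` models a front end that does send the header.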


