Discussion:
amavis behind haproxy
Vitali Quiering
2018-09-19 12:15:27 UTC
Hello,

I am planning to set up a clustered amavis setup with load-balancing haproxy. There are approx. 80 standalone mailservers (postfix, dovecot) that will use the new amavis cluster.

I thought about the setup like this:
Postfix receives the mail and sends it (content-filter) to the haproxy on port 10024 which passes the tcp connection to one of the amavis servers on port 10024. After scanning amavis sends it back to postfix on port 10025.

I already got the forward_method, socket_bind and inet_acl setup correctly. The problem I’m facing now is the IP that amavis sees and wants to send the result to. This is the haproxy IP address which of course doesn’t work.

Is this possible at all?
Do I need amavisd-milter? If yes, why? What’s different besides before or after queue?

Thank you very much

Regards,
Vitali
Tom Sommer
2018-09-19 13:09:55 UTC
Post by Vitali Quiering
I already got the forward_method, socket_bind and inet_acl setup
correctly. The problem I’m facing now is the ip that amavis sees and
wants to send the result to. This is the haproxy ip address which of
course doesn’t work.
The problem is, IIRC, that haproxy doesn't send XFORWARD - it sends its
own variant, supported by Postfix.

So AFAIK you need Postfix in front to preserve the IP.

You could in theory have postfix do the balancing between the multiple
amavis servers (content filters), with a randomized lookup table;
personally I just have a postfix in front of every amavis instance.

--
Tom
Vitali Quiering
2018-09-19 13:17:34 UTC
Thank you very much Tom.

If a postfix (mta01.example.com, the actual mailserver) sends a mail to another postfix (mta02.example.com) that sends it to amavis (av.example.com), how can you send the scanned mail back to mta01.example.com?

Where do you loadbalance?

I am talking about up to 80 postfix instances that will send mail to mta02.example.com.

Regards,
Vitali
Dusan Obradovic
2018-09-19 19:08:23 UTC
Post by Vitali Quiering
Do I need amavisd-milter? If yes, why? What’s different besides before or after queue?
Using Milters potentially solves your problem. Your receiving front-end Postfix talks smtpd_milters protocol over HAProxy TCP mode to load-balanced back-end Amavisd-milter hosts. Amavisd-milter talks AM.PDP protocol to Amavisd and does not need to re-inject scanned messages to Postfix.
Paolo Schiro
2018-09-20 05:26:18 UTC
To overcome this I placed an haproxy instance on every postfix node, handling config by puppet instead of having a dedicated haproxy node. But this is on a smaller environment (6 postfix, 10 amavis).

On a larger environment like you are describing you had better try milter first.
Milter should also cut off returning traffic on port 10025.

Tom Sommer
2018-10-09 18:28:54 UTC
Post by Vitali Quiering
Postfix receives the mail and sends it (content-filter) to the haproxy
on port 10024 which passes the tcp connection to one of the amavis
servers on port 10024. After scanning amavis sends it back to postfix
on port 10025.
I just read the changelog, have you tried with $haproxy_target_enabled?

From the release-notes:

- Supports receiving SMTP/LMTP connections through a HAProxy,
recognizing 'PROXY protocol Version 1' data on the first line read,
after a connection from HAProxy to amavisd has been established.
Connection data (IP addresses and ports) received via this protocol
end up replacing such data in the Amavis::In::Connection object
($conn). Set configuration variable $haproxy_target_enabled (also
a member of policy banks) to true in order to enable this protocol.


---
Tom
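The behaviour the release note describes, as an added illustration that is not amavisd's own code: haproxy (with `send-proxy` on the backend server line) prepends a PROXY protocol v1 line to the TCP stream, and with `$haproxy_target_enabled` set amavisd replaces the client address in `$conn` with the address carried in that line, which is what makes the original postfix node's IP visible again for the return path. The trusted-peer set stands in for an `inet_acl` restricted to the haproxy nodes (once the feature is on, any peer that may connect can assert an arbitrary client IP); the `'*'` expansion in `forward_target` and the `Connection` fields are this example's own assumptions, and all addresses are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Peers allowed to assert a PROXY line. In amavisd this role falls to inet_acl:
# with $haproxy_target_enabled on, any admitted peer can claim any client IP,
# so inet_acl should admit only the haproxy nodes (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

_PROXY_RE = re.compile(r"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")


@dataclass
class Connection:
    """Stand-in for Amavis::In::Connection ($conn); fields are assumed names."""
    client_ip: str      # address amavisd believes the SMTP client has
    client_port: int
    peer_ip: str        # actual socket peer, i.e. the haproxy node


def parse_proxy_v1(line: bytes):
    """Return (src_ip, src_port) from a PROXY v1 header, None for 'PROXY UNKNOWN'."""
    # A bad header raises ValueError: it must not fall through to the SMTP parser.
    if len(line) > 107 or not line.endswith(b"\r\n"):   # 107 bytes is the v1 maximum
        raise ValueError("invalid PROXY v1 header")
    text = line.decode("ascii", errors="replace")
    if text.startswith("PROXY UNKNOWN"):
        return None
    m = _PROXY_RE.match(text)
    if not m:
        raise ValueError("invalid PROXY v1 header")
    family, src, _dst, sport, _dport = m.groups()
    ip = ipaddress.ip_address(src)
    if (family == "TCP4") != (ip.version == 4) or int(sport) > 65535:
        raise ValueError("address family or port out of range in PROXY header")
    return str(ip), int(sport)


def apply_proxy_header(conn: Connection, first_line: bytes, enabled: bool) -> Connection:
    """Mimic $haproxy_target_enabled: replace $conn data with what the PROXY line carries."""
    if not enabled or ipaddress.ip_address(conn.peer_ip) not in TRUSTED_PROXIES:
        return conn  # header ignored; the line is then just an invalid SMTP command
    parsed = parse_proxy_v1(first_line)
    if parsed is not None:
        conn.client_ip, conn.client_port = parsed
    return conn


def forward_target(forward_method: str, conn: Connection) -> str:
    """Expand a '*' placeholder in a $forward_method value with the recovered client IP."""
    return forward_method.replace("*", f"[{conn.client_ip}]")
```

With the client IP restored this way, the scanned message can be handed back on port 10025 to the postfix node that submitted it rather than to the haproxy address.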
Vitali Quiering
2018-11-04 17:01:20 UTC
Thank you very much, I am using the best of both worlds now, everything behind haproxy. Some servers use pre-queue milter and some use content-filter smtp transport. Works like a charm.

Regards,
Vitali



Sent from my iPhone