
Re: Issues using Postfix behind a load balancer


Wietse Venema

Jan 7, 2015, 1:32:17 PM1/7/15
Brad Riemann:
> The issue, if you don't see it, is that postfix seems to be using
> the load balancer ip as the last hop, and because the load balancer
> is just pushing content through it is not recording the previous
> hop to the headers, which is causing some issues..

Postfix can get the client IP address from haproxy (uses haproxy
protocol, supported in postscreen and smtpd) and from nginx (uses
XCLIENT, supported in smtpd only).

The client IP address is needed for access decisions and for
audit trail information (logging, headers, etc.).

If your load balancer can provide that information, then I can try
to add a driver to Postfix to use that information.

Wietse
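Wietse's haproxy path above works because haproxy's "send-proxy" writes a PROXY protocol v1 line in front of the TCP stream, and the receiving Postfix service consumes it when smtpd_upstream_proxy_protocol = haproxy (or postscreen_upstream_proxy_protocol = haproxy) is set for that service. The following is an added example, not Postfix or haproxy code: it builds that header the way the balancer would and parses it strictly the way a receiver must. The addresses, ports and the EHLO that follows are constructed sample values.

```python
# Added example, not Postfix or haproxy code.  PROXY protocol v1 is the
# text header haproxy's "send-proxy" puts in front of the TCP stream; the
# Postfix side is selected with smtpd_upstream_proxy_protocol = haproxy
# (or postscreen_upstream_proxy_protocol = haproxy).  Addresses and ports
# below are constructed sample values.
import ipaddress

PROXY_V1_MAX = 107  # a v1 header line, CRLF included, is never longer than this


def build_proxy_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Header line the balancer writes before relaying any client byte."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    for p in (sport, dport):
        if not 0 <= p <= 65535:
            raise ValueError("port out of range")
    fam = "TCP4" if s.version == 4 else "TCP6"
    return f"PROXY {fam} {s} {d} {sport} {dport}\r\n".encode("ascii")


def parse_proxy_v1(data: bytes):
    """Strict receiver-side parse of the first line of a connection.

    Returns (client_info, rest): client_info is a dict with src/dst/sport/dport,
    or None for "PROXY UNKNOWN" (no client address, e.g. a health check);
    rest is the SMTP stream that follows.  Anything malformed raises ValueError
    so the caller can drop the connection instead of trusting a partial header.
    """
    end = data.find(b"\r\n", 0, PROXY_V1_MAX)
    if end < 0:
        raise ValueError("no complete PROXY line within %d bytes" % PROXY_V1_MAX)
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("stream does not start with a PROXY v1 header")
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6:
        raise ValueError("expected PROXY <fam> <src> <dst> <sport> <dport>")
    fam, src, dst, sport, dport = fields[1:]
    want = {"TCP4": 4, "TCP6": 6}.get(fam)
    if want is None:
        raise ValueError("unsupported address family %r" % fam)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != want or d.version != want:
        raise ValueError("address does not match %s" % fam)
    ports = []
    for p in (sport, dport):
        # decimal, no sign, no leading zeros, within 16 bits
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ValueError("bad port %r" % p)
        ports.append(int(p))
    info = {"src": str(s), "dst": str(d), "sport": ports[0], "dport": ports[1]}
    return info, rest


# Constructed sample: what the balancer hands Postfix for one inbound session,
# header first, then the client's own SMTP bytes untouched.
LB_TO_POSTFIX = (build_proxy_v1("198.51.100.23", "10.0.0.5", 51342, 25)
                 + b"EHLO mail.example.net\r\n")

if __name__ == "__main__":
    info, rest = parse_proxy_v1(LB_TO_POSTFIX)
    # A receiver would now log and apply access maps against info["src"],
    # not the balancer's own 172.16.x.x address; rest is the SMTP session.
    print(info, rest)
```

The header is not authenticated: whoever can open a TCP connection to a port configured for it can claim any client address, which is exactly the value the access decisions and audit trail rely on. Enable it only on a Postfix service (a dedicated master.cf entry or a firewalled port) that nothing but the balancer can reach, and keep the directly reachable port without it.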

Brad Riemann

Jan 7, 2015, 1:34:41 PM1/7/15
Thanks Wietse, I figured that was where I was at, but was hoping there were other options I hadn't uncovered..

Brad

Viktor Dukhovni

Jan 7, 2015, 1:37:29 PM1/7/15
On Wed, Jan 07, 2015 at 01:31:45PM -0500, Wietse Venema wrote:

> Brad Riemann:
> > The issue, if you don't see it, is that postfix seems to be using
> > the load balancer ip as the last hop, and because the load balancer
> > is just pushing content through it is not recording the previous
> > hop to the headers, which is causing some issues..
>
> Postfix can get the client IP address from haproxy (uses haproxy
> protocol, supported in postscreen and smtpd) and from nginx (uses
> XCLIENT, supported in smtpd only).
>
> The client IP address is needed for access decisions and for
> audit trail information (logging, headers, etc.).
>
> If your load balancer can provide that information, then I can try
> to add a driver to Postfix to use that information.

With F5/A10 load balancers it is common to configure them to inject
XCLIENT commands into the SMTP stream and then splice in the real
client EHLO/HELO after returning the server's banner.

Some folks using these at present might post a suitable connection
script or point you at a HOWTO for same.

--
Viktor.

Brad Riemann

Jan 8, 2015, 9:16:17 AM1/8/15
Thanks Viktor, I think I did figure out how to do this, but am getting odd pipelining errors when we add the xclient and new ehlo/helo headers.

Jan 8 08:14:00 mta01 postfix/smtpd[16360]: connect from edge.dc1.domain.com[172.16.###.###]
Jan 8 08:14:00 mta01 postfix/smtpd[16360]: improper command pipelining after EHLO from edge.dc1.domain.com[172.16.###.###]: XCLIENT NAME=wsip-98-190-218-47.ga.at.cox.net ADDR=98.190.218.47\r\nEHLO wsip-98-190-218-47.ga.at.cox.

I'm not familiar with the pipelining error, I've done some searching and usually people have issues with it if the client doesn't disconnect at the end of the message, not at the top of the message.. Any thoughts?

Brad


Wietse Venema

Jan 8, 2015, 10:16:02 AM1/8/15
Brad Riemann:
> Thanks Viktor, I think I did figure out how to do this, but am
> getting odd pipelining errors when we add the xclient and new
> ehlo/helo headers.
>
> Jan 8 08:14:00 mta01 postfix/smtpd[16360]: connect from
> edge.dc1.domain.com[172.16.###.###]
> Jan 8 08:14:00 mta01 postfix/smtpd[16360]: improper command
> pipelining after EHLO from edge.dc1.domain.com[172.16.###.###]:
> XCLIENT NAME=wsip-98-190-218-47.ga.at.cox.net ADDR=98.190.218.47\r\nEHLO
> wsip-98-190-218-47.ga.at.cox.
>
> I'm not familiar with the pipelining error, I've done some searching
> and usually people have issues with it if the client doesn't
> disconnect at the end of the message, not at the top of the message..
> Any thoughts?

This suggests that the load balancer sends

EHLO something\r\nXCLIENT NAME=wsip-98-190-218-47.ga.at.cox.net ADDR=98.190.218.47\r\nEHLO wsip-98-190-218-47.ga.at.cox.net\r\n

I don't know what other people do, but you should be able
to send the XCLIENT command without preceding it with EHLO.
The "smtpd_helo_required" applies to MAIL and ETRN.

Wietse

Ram

Jan 9, 2015, 8:34:39 AM1/9/15
On 01/07/2015 10:40 PM, Brad Riemann wrote:
> Hello!
>
> First time caller, long time listener :).
>
> I've been working on a new mail filtering solution for our company that revolves around the solution receiving inbound mail through a load balancer.
>
> We have come upon an issue that I am not finding any sort of documentation or notes that others have experienced..
>
> We are using a load balancer behind a NAT that distributes the inbound emails to a clustered mail scanning solution (we have been having issues with our current solution where the existing servers are overloaded, and this gives us the ability to plug and play new servers with zero DNS adjustments..). Now, when our load balancer hands off the message to the first available postfix server, we get headers that look like the following (after postfix picks it up).
>
> --
> Received: from batch.email.flyfrontier.com (edge1.dc1.domain.com [172.16.4.#])
>      by mta02.dc1.domain.com (Postfix) with ESMTP id ###########
>      for <us...@domain.com>; Wed, 7 Jan 2015 10:48:52 -0600 (CST)
> --
>
> The issue, if you don't see it, is that postfix seems to be using the load balancer IP as the last hop, and because the load balancer is just pushing content through it is not recording the previous hop to the headers, which is causing some issues..

This seems to be a firewall NAT issue. The load balancer would add a hop if it is on the application layer.
What is the load balancer you are using? We use LVS and we always get the IP of the SMTP client machine on postfix, not the load balancer IP.

Thanks
Ram


Brad Riemann

Jan 9, 2015, 10:40:29 AM1/9/15

Hi Ram,

We are using ZXTM (also known as Stingray), with the built-in SMTP options from the load balancer (which really isn't much..). Everything I'm seeing in the config indicates it should be running and processing on the application layer. Were there any settings on the F5 you had to adjust to indicate it was SMTP traffic, or was it just TCP by default?

Brad Riemann
Techpro, Inc

Viktor Dukhovni

Jan 9, 2015, 10:47:00 AM1/9/15
On Fri, Jan 09, 2015 at 07:04:13PM +0530, Ram wrote:

> This seems to be a Firewall NAT issue. The Load balancer would add a HOP if
> it is on the application layer.

That's wrong. Layer 4 devices don't add SMTP hops (Received:
headers, ...).

--
Viktor.

Wietse Venema

Jan 9, 2015, 10:54:17 AM1/9/15
Brad Riemann:
> Hi Ram,
>
> We are using ZXTM (also known as Stingray), with the built in SMTP
> options from the load balancer (which really isn't much..),
> everything I'm seeing in the config indicates it should be running
> and processing on the application layer, were there any settings
> on the F5 you had to adjust to indicate it was smtp traffic or was
> it just tcp by default?

Can you configure the load balancer to send

XCLIENT ...

instead of

EHLO something\r\nXCLIENT ...

That will avoid the complaint about pipelining after EHLO.

The pipelining check was added with Postfix 2.6, and it can't be
changed without Postfix source code modification.

Wietse
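Brad's log line and Wietse's two replies above describe the same failure: the balancer wrote "EHLO ...\r\nXCLIENT ...\r\nEHLO ...\r\n" as one burst, so Postfix found unread input right after a command that does not allow pipelining. The following is an added example, not Postfix code and not the balancer's connection script. It builds the XCLIENT line with the xtext encoding that XCLIENT attribute values use, and models the lock-step rule so the bad and good preambles can be compared offline. The set of commands the model treats as lock-step is an assumption made for the model, not a copy of Postfix's command table; the client name and address are taken from the log line in the thread, the balancer's own hostname is constructed.

```python
# Added example, not Postfix code.  Builds the XCLIENT preamble a balancer
# should splice in front of the real client's EHLO, and models the check
# behind Postfix's "improper command pipelining after EHLO" log line.

# Commands after which this model requires the client to read the reply
# before writing anything else.  Assumption for the model only.
LOCKSTEP = {"EHLO", "HELO", "STARTTLS", "XCLIENT", "XFORWARD", "AUTH", "DATA"}


def xtext(value: str) -> str:
    """RFC 3461 xtext, used for XCLIENT attribute values: bytes outside
    33..126 and the characters '+' and '=' become +HH."""
    out = []
    for b in value.encode("utf-8"):
        if 33 <= b <= 126 and b not in (0x2B, 0x3D):
            out.append(chr(b))
        else:
            out.append("+%02X" % b)
    return "".join(out)


def xclient_command(name: str, addr: str, **extra: str) -> bytes:
    """One XCLIENT line.  Extra attributes (HELO=, PROTO=, PORT=, ...) are
    passed by keyword; an IPv6 ADDR must carry the 'IPV6:' prefix."""
    attrs = [("NAME", name), ("ADDR", addr)] + [(k.upper(), v) for k, v in extra.items()]
    line = "XCLIENT " + " ".join(f"{k}={xtext(v)}" for k, v in attrs) + "\r\n"
    return line.encode("ascii")


def first_pipelining_violation(writes):
    """`writes` is the sequence of byte strings the client sends, one per
    write-then-wait-for-reply round trip.  Returns (verb, leftover) shaped
    like the log line, or None when every lock-step command was the last
    thing in its write."""
    for chunk in writes:
        pos = 0
        while True:
            nl = chunk.find(b"\r\n", pos)
            if nl < 0:
                break
            verb = chunk[pos:nl].split(b" ", 1)[0].upper().decode("ascii", "replace")
            leftover = chunk[nl + 2:]
            if leftover and verb in LOCKSTEP:
                # Postfix shows the unread bytes with CRLF spelled out.
                return verb, leftover.decode("ascii", "replace").replace("\r\n", "\\r\\n")
            pos = nl + 2
    return None


# Client name and address as they appear in the thread's log line; the
# balancer hostname is a constructed value.
CLIENT_NAME = "wsip-98-190-218-47.ga.at.cox.net"
CLIENT_ADDR = "98.190.218.47"
BALANCER_NAME = b"edge.dc1.domain.com"

# What the log line implies the balancer wrote in one go.
BAD_PREAMBLE = [
    b"EHLO " + BALANCER_NAME + b"\r\n"
    + xclient_command(CLIENT_NAME, CLIENT_ADDR)
    + b"EHLO " + CLIENT_NAME.encode("ascii") + b"\r\n",
]

# Lock-step version: send XCLIENT, wait for the server's fresh 220 greeting,
# then send the real client's EHLO and wait for its 250 reply.
GOOD_PREAMBLE = [
    xclient_command(CLIENT_NAME, CLIENT_ADDR),
    b"EHLO " + CLIENT_NAME.encode("ascii") + b"\r\n",
]

# Envelope commands in one write are fine under the same model.
PIPELINED_ENVELOPE = [b"MAIL FROM:<a@example.net>\r\nRCPT TO:<b@example.org>\r\nDATA\r\n"]

if __name__ == "__main__":
    print(first_pipelining_violation(BAD_PREAMBLE))
    print(first_pipelining_violation(GOOD_PREAMBLE))
    print(first_pipelining_violation(PIPELINED_ENVELOPE))
```

Two things the balancer-side script also needs, independent of pipelining: the Postfix instance must list the balancer in smtpd_authorized_xclient_hosts, otherwise the XCLIENT command is refused and the session carries on as the balancer, and that authorization should be the only path by which XCLIENT is reachable, since any host allowed to send it can assert an arbitrary client name and address for the access checks and Received: headers.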
