ISPConfig 3.2 behind HAproxy (Postfix / Dovecot)

Discussion in 'Installation/Configuration' started by dvazart, Feb 10, 2021.

  1. dvazart

    dvazart New Member


    I'm running ISPConfig 3.2 behind HAproxy, everything is working good, but on Postfix and Dovecot the client IP (real IP) is not passing through.

    On HAproxy I just created a TCP listen like :
    listen ispconfig_mail
        mode tcp
        option tcplog
        server srv-mut-clients check port 25
    I know adding support to Proxy Protocol supported by HAproxy, Postfix and Dovecot is the solution to my problem but I want to know which is the proper way to do this (to be persistent on updates, etc).

    Any advice is welcome, thanks in advance.
  2. jisse44

    jisse44 New Member

    Rules are bad

    You must create frontend/backend for each service, AKA for imaps:

    ## IMAPS frontend
    frontend ft_imap
            mode tcp
            default_backend bk_imap
    ## IMAPS backend
    backend bk_imap
            mode tcp
            balance leastconn
            stick store-request src
            stick-table type ip size 200k expire 30m
            server send-proxy-v2
    Also please consider only secure services on mail server, avoid 143 and 110 ports
    ahrasis and Jesse Norell like this.
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Your changes to dovecot/postfix will need to go in conf-custom files. Right now (3.2.2) that would require copying the corresponding templates (from the installer's install/tpl/ directory, into your local conf-custom/install/) and making your changes there - in the next release there will be a new conf-custom file you can put your additions in, which makes most changes a little easier because you don't have to track and merge changes to the entire main template for each.

    For specifics on creating conf-custom files, there's a lot of info in the forums here; the exact filenames to copy depend on what OS your running.

    Note ports 143 and 110 can both use TLS, so they aren't necessarily insecure if clients use TLS; you can even require it (ssl=required in dovecot config).
    ahrasis likes this.

Share This Page