Hello, I'm running ISPConfig 3.2 behind HAProxy, everything is working well, but on Postfix and Dovecot the client IP (real IP) is not passing through. On HAProxy I just created a TCP listen like:

Code:
listen ispconfig_mail
    mode tcp
    option tcplog
    bind 195.214.228.xxx:25
    bind 195.214.228.xxx:587
    bind 195.214.228.xxx:110
    bind 195.214.228.xxx:143
    bind 195.214.228.xxx:993
    bind 195.214.228.xxx:995
    server srv-mut-clients 192.168.xxx.xxx check port 25

I know adding support for Proxy Protocol, supported by HAProxy, Postfix and Dovecot, is the solution to my problem, but I want to know which is the proper way to do this (to be persistent on updates, etc). Any advice is welcome, thanks in advance.

Hi,

Rules are bad. You must create a frontend/backend for each service, AKA for imaps:

Code:
## IMAPS frontend
frontend ft_imap
    bind 195.214.228.xxx:993
    mode tcp
    default_backend bk_imap

## IMAPS backend
backend bk_imap
    mode tcp
    balance leastconn
    stick store-request src
    stick-table type ip size 200k expire 30m
    # a server line needs a name before the address; name reused from the listen section above
    server srv-mut-clients 192.168.xxx.xxx:993 send-proxy-v2

Also please consider only secure services on the mail server, avoid ports 143 and 110.

Your changes to dovecot/postfix will need to go in conf-custom files. Right now (3.2.2) that would require copying the corresponding templates (from the installer's install/tpl/ directory, into your local conf-custom/install/) and making your changes there - in the next release there will be a new conf-custom file you can put your additions in, which makes most changes a little easier because you don't have to track and merge changes to the entire main template for each. For specifics on creating conf-custom files, there's a lot of info in the forums here; the exact filenames to copy depend on what OS you're running.

Note ports 143 and 110 can both use TLS, so they aren't necessarily insecure if clients use TLS; you can even require it (ssl=required in dovecot config).
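
Added example, not from any post in this thread: a minimal Python parser for the PROXY protocol v2 header that `send-proxy-v2` makes HAProxy prepend to each backend connection, showing where the real client IP travels and why a receiving listener should accept the header only from the proxy's address. The addresses and the names `TRUSTED_PROXIES`, `build_header` and `parse_proxy_v2` are assumptions made for the example.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature
# Constructed value: stands in for the HAProxy host's address.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def build_header(src, dst, sport, dport):
    """Build the TCP-over-IPv4 v2 header a proxy prepends (sample input)."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", sport, dport)
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


def parse_proxy_v2(peer_ip, data):
    """Return (client_ip, client_port, payload); ValueError if not acceptable."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise ValueError("PROXY header offered by untrusted peer")
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("no PROXY v2 signature at start of stream")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) < length:
        raise ValueError("truncated PROXY header")
    command = ver_cmd & 0x0F
    if command == 0:  # LOCAL: proxy's own health check, no client address
        return peer_ip, None, payload
    if command != 1:
        raise ValueError("unknown PROXY command")
    if fam_proto == 0x11 and length >= 12:    # TCP over IPv4
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
    elif fam_proto == 0x21 and length >= 36:  # TCP over IPv6
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported address family or transport")
    return str(ipaddress.ip_address(src)), sport, payload


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7 reaching port 993 through the proxy,
    # followed by the first bytes of its TLS handshake.
    stream = build_header("203.0.113.7", "192.0.2.20", 51234, 993) + b"\x16\x03\x01"
    print(parse_proxy_v2("192.0.2.10", stream))
```

A stream that starts without the header, such as a client connecting directly, fails the signature check, so a listener switched to the PROXY protocol should be reachable only through the proxy.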