Lately Postfix (since 2.10) implemented Proxy Protocol 
(http://www.postfix.org/postconf.5.html#smtpd_upstream_proxy_protocol).
As I use Courier Imap and Postfix together I thought it was worth a shot.

Taavi

On 5.06.2013 16:43, Jakob Bohm wrote:
> On 6/5/2013 1:21 PM, Taavi Kald wrote:
>> Hi,
>>
>> would be nice if Courier Imap server supported Proxy Protocol
>> (http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt)
> Interesting proposed protocol somehow not submitted as an internet
> draft for proper standardization.
>
> In reading the document I note that the original proposer has tested
> it against only one IMAP implementation, seen it fail and ignored the
> issue.
>
> I also note that the protocol, as fundamentally designed, is never
> going to work with any server whose layer 6 protocol parser code
> cannot be changed (such as any previously shipped closed-source
> products, such as those from MS and Apple).
>
> I also find that the protocol will be hard to implement in kernel or
> hardware level proxies, such as the NAT features in the Linux and BSD
> kernel, nor in similar high speed hardware implementations.
>
> Another specification flaw (but purely a specification issue) is that
> the specification suggests that servers are set up with extra IP
> addresses to receive proxied requests, plus extra firewall rules to
> prevent direct Internet access to the redundant listens.  This is an
> extremely high overhead in a world with IPv4 exhaustion and protocol
> stacks that make it exceedingly difficult to properly handle multiple
> IP addresses (both Linux and NT fail miserably in this department).
> Only as a vague note late in the specification does it even mention
> the saner option of looking for proxy information only if the source
> IP is that of the proxies used.
>
> Furthermore, the protocol has no extensibility, guaranteeing that it
> is going to become obsolete sooner rather than later.
>
> On a general note, I think a better approach would be to use a parallel
> channel (such as a variant of the IDENT protocol) or perhaps a new
> IP option to provide the information; this way the proxy could provide
> the information unconditionally and servers could obtain the information
> using code outside their core, such as Apache modules, IIS plugins, CGI
> scripts, Exim ACL rules etc.  In fact, the information could be obtained
> and processed in any code that has access to the source and destination
> IP+port information of an open connection to the machine it runs on.
>
>
>> I've been using load balanced Courier Imap servers behind HaProxy and
>> all I can see in log files is ip address of my HaProxy load balancer.
>> Wouldn't matter that much if there weren't constant account hacking
>> attempts.
>> If Courier Imap server supported Proxy Protocol, at least I had a chance
>> to block those hacker bots by ip.
> As a more general abuse-tracing alternative, could I suggest that
> courier be modified to log both IP and port (remote AND local) and not
> just the remote IP.  This could then be correlated after the fact with
> firewall and proxy logs to determine the true origin of connections.
>
>
> Enjoy
>
> Jakob
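Jakob's point above about consulting proxy information only when the connection really comes from one of the proxies, as an added Python example that is not part of this thread nor of Courier's, Postfix's or HAProxy's code: it parses the text (v1) form of the PROXY header from the linked spec, rejects anything off-spec, and honours the header only for peers in a configured proxy list. The header bytes and the addresses are constructed samples.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest possible v1 line, CRLF included (spec limit)

class ProxyHeaderError(ValueError):
    """Any off-spec header; the spec says the receiver drops such connections."""

def parse_proxy_v1(line: bytes) -> dict:
    """Parse one v1 line: b'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'."""
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ProxyHeaderError("bad length or missing CRLF")
    fields = line[:-2].decode("ascii", "strict").split(" ")
    if fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1:2] == ["UNKNOWN"]:
        # Proxy could not describe the original connection; anything after UNKNOWN is ignored.
        return {"proto": "UNKNOWN", "src": None, "dst": None, "sport": None, "dport": None}
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unsupported protocol or wrong field count")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("ports must be plain decimal")
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    except ValueError:
        raise ProxyHeaderError("unparsable address") from None
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ProxyHeaderError("port out of range")
    return {"proto": fields[1], "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}

def client_endpoint(peer_ip: str, first_line: bytes, trusted_proxies) -> tuple:
    """(ip, port) a server should log as the client. The PROXY line is honoured
    only when the TCP peer is a known proxy; from anyone else it is ignored, so a
    direct connection cannot spoof its origin address."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip, None      # direct client: trust only the socket peer
    hdr = parse_proxy_v1(first_line)
    if hdr["proto"] == "UNKNOWN":
        return peer_ip, None      # proxy declined to say: fall back to the proxy IP
    return hdr["src"], hdr["sport"]

# Constructed sample traffic (documentation addresses), not from a real deployment.
HAPROXY_HEADER = b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 143\r\n"
BOGUS_HEADER = b"PROXY TCP4 203.0.113.7 198.51.100.10 99999 143\r\n"  # port > 65535
```

In a real server the header must be read before the IMAP greeting is sent, and logging the local IP and port alongside the result gives the after-the-fact correlation Jakob suggests.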


_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap