Dovecot behind Reverse Proxy and IP families

Thu, 12 Oct 2023 10:48:21 -0700 

Dear all,
I am running Dovecot 2.3.20 in a Kubernetes cluster. The Dovecot container is exposed behind a Traefik load-balancer, which acts just like HAProxy would, using the Proxy Protocol in order to allow Dovecot to be aware of the real source IP of the client, as follows: 

Internet <-> Traefik load-balancer <---- Proxy protocol ----> Dovecot

My setup works well over IPv4.


Oct 12 19:11:33 imap-login: Info: Login: user=<arnaud@xxx>, 
method=PLAIN, rip=<my_ipv4_public_address> lip=10.42.4.21, mpid=1369531, 
session=<xxxx>



Howevever, if the client originates from an IPv6 address, Dovecot does 
not seem to take the real IPv6 origin into account and fails.



Oct 12 19:09:04 imap-login: Error: haproxy(v1): Client disconnected: 
Proxied local address is invalid (address=`10.42.4.21', rip=10.42.4.21)



A network capture shows that the proxy protocol indeed sends the real 
IPv6 IP, that should be taken into account by dovecot:


......&.PROXY TCP6 2001:<rest_of_my_public_ip> 10.42.4.21 20200 993


The error seems to be raised in 
"core/src/lib-master/master-service-haproxy.c" line 553:


551 if (net_addr2ip(*fields, &local_ip) < 0 ||
552                                 local_ip.family != family) {

553                                 e_error(hpconn->event, "Client 
disconnected: "
554                                         "Proxied local address is 
invalid "
555                                         "(address=`%s', rip=%s)", 
str_sanitize(*fields, 64),

556 net_ip2addr(real_remote_ip));
557                                 return -1;
558                         }
559                         fields++;


I suppose that the issue is related to the fact that the client 
originates from an IPv6 then the reverse proxy forwards the connection 
to Dovecot over IPv4, which results in the "local_ip.family != family" 
condition to be true.


Why is such a restriction implemented ?


It is to be noted that I implemented the exact same load-balancer 
architecture for postfix, which successfully handles an IPv6 real IP 
over an IPv4 connection.



I temporarily fixed the issue by setting an IPv4 only DNS record for my 
imaps domain name, however, do you think that a fix could be implemented 
in Dovecot?


Kind regards,

--
---
Arnaud Cordier
---------------
CryptID
Freelance cybersecurity engineer - Pentester - Red teamer
Tel: +33 (0)6 61 44 82 04




Attachment:
OpenPGP_0xB09B2E1B5DDC756C.asc

Description: OpenPGP public key



Attachment:
OpenPGP_signature.asc

Description: OpenPGP digital signature


_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]






















					Reply via email to