On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
> On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
>> I have a number of Exim servers behind a NAT gateway (actually connected with VPNs to a cloud VPS - but I'm hoping this is not relevant to this post). I would like the gateway to send incoming port 25 traffic to the correct Exim server based on SNI in incoming TLS packets - as different Exim instances serve different email domains. The setup would look like this:
>>
>>                        [Internet]
>>                            |
>>                            |
>>                      (smtp port 25)
>>                            |
>>                            v
>>                            |
>>                     [Cloud server]
>>                            |
>>                            v
>>                            |
>>         ----------------------------------------
>>         |                  |                   |
>>         |                  |                   |
>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>
>>
>> I would have preferred to do this at iptables level - but apparently not really possible. It seems the next option would be HAProxy. Has anyone here used HAProxy or run a setup as above, or know if this is actually doable? Any suggestions much appreciated.


> Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can use): https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound
>
> I can't really help on other HAProxy facilities or config though.
>
> Another option for you would be to use Exim itself as the fanout element at your "cloud server". It has visibility of the SNI and could use that for routing.

Thank you for the suggestions. I have considered using Exim itself as the "proxy" at the front. One thing I have to figure out is SPF in relation to Spamassassin. I think I would have to run Spamassassin on the "proxy" Exim, as otherwise the IP address of the proxy will be added to the headers during the delivery/relay process, and will probably break the SPF checks in Spamassassin on the final Exim server in the chain - I think?

> Indeed, if the configurations needed for the "Exim server N" elements are sufficiently similar and load & geography permits, you could collapse the lot into a single Exim.

I agree with you - except that there are some business / non-technical reasons why this is not a possibility in this case.



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
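Added example (not from the thread, Exim or HAProxy docs): a HAProxy configuration for the "cloud server" role sketched above, assuming each backend Exim lists the proxy's address in its `hosts_proxy` option so it accepts the PROXY protocol header; backend addresses and domain names are made up. One caveat the thread does not spell out: on port 25 the TLS handshake only begins after the STARTTLS command, so HAProxy has no SNI to route on at connect time; SNI selection is therefore shown on port 465 (implicit TLS), while port 25 is passed through to one backend.

```haproxy
# Added example, not from the thread: HAProxy on the cloud server fanning out
# inbound SMTP to the Exim backends. Addresses and domains are made up.
global
    log stdout format raw local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  10m
    timeout server  10m

# Port 465 (implicit TLS): the ClientHello is the first thing the client
# sends, so the SNI is readable here and can pick the backend.
frontend smtps_in
    bind *:465
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend exim1 if { req.ssl_sni -i -m end example-one.test }
    use_backend exim2 if { req.ssl_sni -i -m end example-two.test }
    use_backend exim3 if { req.ssl_sni -i -m end example-three.test }
    default_backend exim1

# Port 25 (STARTTLS): the session opens in cleartext and TLS only starts
# after the STARTTLS command, so there is no SNI at connect time and
# HAProxy cannot route by it; everything goes to one backend, which can
# then route on the recipient domain.
frontend smtp_in
    bind *:25
    default_backend exim1

# send-proxy-v2 prepends a PROXY protocol header so the backend Exim sees
# the real client address (what SPF and DNSBL checks need). check-send-proxy
# makes health checks send it too, since Exim expects it from hosts_proxy hosts.
backend exim1
    server exim1 10.0.0.11:25 send-proxy-v2 check check-send-proxy

backend exim2
    server exim2 10.0.0.12:25 send-proxy-v2 check check-send-proxy

backend exim3
    server exim3 10.0.0.13:25 send-proxy-v2 check check-send-proxy
```

Because the backend Exim receives the original client address through the PROXY header, SPF and similar source-based checks can stay on the final Exim rather than having to move to the proxy.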