On 2023-04-15, Sebastian Arcus via Exim-users <exim-users@exim.org> wrote:

> On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
>> On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
>>> I have a number of Exim servers behind a NAT gateway (actually
>>> connected with vpn's to a cloud vps - but I'm hoping this is not
>>> relevant to this post). I would like the gateway to send incoming port
>>> 25 traffic to the correct Exim server based on SNI in incoming TLS
>>> packets - as different Exim instances serve different email domains.
>>> The setup would look like this:
>>>
>>>                    [Internet]
>>>                        |
>>>                        |
>>>                  (smtp port 25)
>>>                        |
>>>                        v
>>>                        |
>>>                  [Cloud server]
>>>                        |
>>>                        v
>>>                        |
>>>     ----------------------------------------
>>>     |                  |                   |
>>>     |                  |                   |
>>> [Exim server 1]  [Exim server 2]  [Exim server 3]
>>>
>>>
>>> I would have preferred to do this at IP tables level - but apparently
>>> not really possible. It seems the next option would be HAProxy. Has
>>> anyone here used HAProxy or run a setup as above, or know if this is
>>> actually doable? Any suggestions much appreciated.
>>>
>>
>> Exim does talk the inbound-proxy protocol that HAProxy apparently uses
>> (or can use):
>> https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound
>>
>> I can't really help on other HAProxy facilities or config though.
>>
>> Another option for you would be to use Exim itself as the fanout element
>> at your "cloud server". It has visibility of the SNI and could use that for
>> routing.
>
> Thank you for the suggestions. I have considered using Exim itself as
> the "proxy" at the front. One thing I have to figure out is SPF in
> relation to Spamassassin. I think I would have to run Spamassassin on
> the "proxy" Exim, as otherwise the IP address of the proxy will be added
> to the headers during the delivery/relay process, and will probably
> break the SPF checks in Spamassassin on the final Exim server in the
> chain - I think?
I think you're right: Exim supports HAProxy and, in the coming release, XCLIENT, but (so far as I know) in both cases only as an endpoint, not as an originator. The solution to this may be ARC, where the first Exim checks the SPF and DKIM and adds a header saying whether they are good or not.

-- 
Jasen.
🇺🇦 Слава Україні (Glory to Ukraine)

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
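The thread's underlying concern is that whatever sits at the front (HAProxy, or an Exim acting only as a relay) hides the real client address from the backend Exim, and SPF evaluated against the front hop's own address will then fail. The inbound proxy protocol Jeremy links to is the mechanism that carries the original source address across that hop. Two caveats worth stating plainly: on port 25 the TLS handshake only happens after the client's STARTTLS command, so a front end that wants to route on SNI must itself speak SMTP far enough to get there (this is why plain TCP-level SNI peeking works for implicit-TLS ports, not for STARTTLS), and the backend must only trust a PROXY header from hosts it has explicitly configured as proxies, otherwise any client could spoof its own source address. The following is an added example, not code from the thread or from Exim or HAProxy: a strict builder and parser for the PROXY protocol v1 header line, followed by a constructed, stand-in "SPF-like" check that shows why the recovered address matters. All addresses, domains, the SMTP bytes and the SPF stand-in data are constructed for the example.

```python
import ipaddress
import re

# PROXY protocol v1: the header line is at most 107 bytes including CRLF.
MAX_V1_HEADER = 107

# Exactly one space between fields, as the spec requires.
_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")


def build_proxy_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """What the originating hop (e.g. HAProxy with send-proxy) prepends to the stream."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range")
    family = b"TCP4" if src.version == 4 else b"TCP6"
    header = b"PROXY %s %s %s %d %d\r\n" % (
        family, str(src).encode("ascii"), str(dst).encode("ascii"), src_port, dst_port)
    if len(header) > MAX_V1_HEADER:
        raise ValueError("header too long")
    return header


def parse_proxy_v1(data: bytes):
    """Receiving side: return ((src_ip, src_port, dst_ip, dst_port), rest_of_stream).

    Returns (None, rest) for 'PROXY UNKNOWN', which the spec says must be accepted
    with the address information ignored. Raises ValueError on anything malformed
    so a bad header is never silently treated as SMTP data.
    """
    window = data[:MAX_V1_HEADER]
    end = window.find(b"\r\n")
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a valid PROXY v1 header")
    line, rest = data[: end + 2], data[end + 2 :]
    if line.startswith(b"PROXY UNKNOWN"):
        return None, rest
    m = _V1_RE.match(line)
    if not m:
        raise ValueError("malformed PROXY v1 header")
    fam, s, d, sp, dp = m.groups()
    src = ipaddress.ip_address(s.decode("ascii"))
    dst = ipaddress.ip_address(d.decode("ascii"))
    want = 4 if fam == b"TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    sp, dp = int(sp), int(dp)
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    return (str(src), sp, str(dst), dp), rest


# Constructed stand-in for SPF data: sender domain -> addresses permitted to send.
# This is NOT an SPF evaluator; real SPF resolves DNS TXT records and mechanisms.
CONSTRUCTED_SPF = {"example.net": {"203.0.113.7"}}


def spf_like_check(domain: str, connecting_ip: str, records=CONSTRUCTED_SPF) -> str:
    return "pass" if connecting_ip in records.get(domain, set()) else "fail"


def backend_view(stream: bytes):
    """Simulate the backend Exim receiving a proxied connection: recover the real
    client address from the PROXY header and run the stand-in check against it."""
    info, smtp = parse_proxy_v1(stream)
    client_ip = info[0] if info else None
    return client_ip, smtp, spf_like_check("example.net", client_ip or "")


if __name__ == "__main__":
    # Constructed session: real client 203.0.113.7 -> front hop 198.51.100.10:25.
    smtp_bytes = b"EHLO mail.example.net\r\n"
    stream = build_proxy_v1("203.0.113.7", "198.51.100.10", 51234, 25) + smtp_bytes
    print(backend_view(stream))
    # Without the header the backend would only see the front hop's own address:
    print(spf_like_check("example.net", "198.51.100.10"))
```

The receiving-side rule that matters most is the one the parser enforces by raising: a stream that does not start with a well-formed PROXY line is rejected rather than passed on as SMTP. On a real deployment the equivalent is Exim's `hosts_proxy` main option, which limits the hosts from which a PROXY header is accepted; a backend that accepted the header from arbitrary peers would let any direct client claim any source address.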