> On 31 May 2024, at 13:20, pat...@patpro.net wrote:
> 
> Hello,
> 
> Any sign of postfix 3.9 blacklisting HAproxy because of SMTP 
> errors/abuse/half-baked connections?

Not blacklisting as I understand it, but as HAproxy makes a connection to test 
if the service is up and then breaks the connection I always see this on both 
systems:

On the postfix 3.9 instance
May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: connect from 
router.rna.nl[192.168.2.2]
May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: improper command 
pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: disconnect from 
router.rna.nl[192.168.2.2] commands=0/0

On the postfix 3.8.6 instance:
May 25 22:02:16 snape submission_haproxy/smtpd[28756]: connect from 
router.rna.nl[192.168.2.2]
May 25 22:02:16 snape submission_haproxy/smtpd[28756]: improper command 
pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
May 25 22:02:16 snape submission_haproxy/smtpd[28756]: disconnect from 
router.rna.nl[192.168.2.2] quit=1 commands=1

And the tests that HAproxy does to check whether port 25 is up are identical too:

On the postfix 3.9 instance
May 26 05:39:29 hermione smtp_haproxy/postscreen[21786]: CONNECT from 
[192.168.2.2]:65535 to [192.168.2.2]:25
May 26 05:39:29 hermione smtp_haproxy/postscreen[21786]: ALLOWLISTED 
[192.168.2.2]:65535
May 26 05:39:29 hermione smtp/smtpd[21788]: connect from 
router.rna.nl[192.168.2.2]
May 26 05:39:29 hermione smtp/smtpd[21788]: disconnect from 
router.rna.nl[192.168.2.2] quit=1 commands=1

On the postfix 3.8.6 instance:
May 25 22:10:57 snape smtp_haproxy/postscreen[28766]: CONNECT from 
[192.168.2.2]:65535 to [192.168.2.2]:25
May 25 22:10:57 snape smtp_haproxy/postscreen[28766]: ALLOWLISTED 
[192.168.2.2]:65535
May 25 22:10:57 snape smtp/smtpd[28768]: connect from router.rna.nl[192.168.2.2]
May 25 22:10:57 snape smtp/smtpd[28768]: disconnect from 
router.rna.nl[192.168.2.2] quit=1 commands=1

Actually, it looks like the response from postfix 3.9 has changed with respect 
to postfix 3.8.6 so in the HAproxy log I see

2024-05-23T01:28:29     Alert   haproxy Server mail.rna.nl.990/hermione-990 is 
DOWN. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 
0 requeued, 0 remaining in queue.        
2024-05-23T01:28:29     Notice  haproxy Health check for server 
mail.rna.nl.990/hermione-990 failed, reason: Layer7 invalid response, info: 
"TCPCHK did not match content (regex) at step 2", check duration: 45ms, status: 
0/2 DOWN.   
2024-05-23T01:27:23     Notice  haproxy Health check for backup server 
mail.rna.nl.991/snape-991 succeeded, reason: Layer7 check passed, code: 0, 
info: "(tcp-check)", check duration: 14ms, status: 3/3 UP.    

HAproxy is configured:
It sends: "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\nQUIT\r\n"
It expects a response that matches regex ^220

Now, weirdly enough, when I send "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587" 
via nc both react the same:

On the postfix 3.8.6 instance:

root@hermione ~ # nc -v 192.168.2.125 990
Connection to 192.168.2.125 port 990 [tcp/ftps] succeeded!
PROXY TCP4 192.168.2.2 192.168.2.2 65535 587
220 mail.rna.nl
^C

On the postfix 3.9 instance
root@hermione ~ # nc -v 192.168.2.86 990 
Connection to 192.168.2.86 port 990 [tcp/ftps] succeeded!
PROXY TCP4 192.168.2.2 192.168.2.2 65535 587
220 mail.rna.nl
^C

Could it be that the immediate QUIT command in that health check is creating 
this problem on 3.9 because it is sent before 220 is received?

G

> 
> May 31, 2024 1:06 PM, "Gerben Wierda via Postfix-users" 
> <postfix-users@postfix.org> wrote:
> Hmm, I just noticed (all outgoing smtp was going to a backup server that 
> works) that one of my postfix instances cannot send mail (smtp doesn't work, 
> postscreen and smtpd work fine).
> # submission (587)
> submission inet n - n - - smtpd
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_auth_only=yes
> -o syslog_name=submission
> 990 inet n - n - - smtpd
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_auth_only=yes
> -o syslog_name=submission_haproxy
> -o smtpd_upstream_proxy_protocol=haproxy
> The one that haproxy sees as down has been recently updated to postfix 3.9
> So, HAproxy sees smtpd as up on postfix 3.9 but it sees smtp as down. In 
> reality, both are up.
> It probably started to behave this way when I installed postfix 3.9 on one 
> side, though I cannot exclude that I updated HAproxy too, so I am not 100% 
> certain.
> What should I do? Revert to postfix 3.8? I'd rather not; I would rather 
> upgrade the other to 3.9 (but if I do that, I probably lose all smtp behind 
> HAproxy for now)
> Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>, Mastodon 
> <https://newsie.social/@gctwnl>)
> R&A IT Strategy <https://ea.rna.nl/> (main site)
> Book: Chess and the Art of Enterprise Architecture 
> <https://ea.rna.nl/the-book/>
> Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
> YouTube Channel <http://www.youtube.com/@GerbenWierda>
> 

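The two orderings of the health check discussed in this message, as an added example that is not code from the thread or from Postfix or HAProxy: one check sends the PROXY header and QUIT together and expects 220, the other waits for 220 before sending QUIT and then expects 221. `strict_stub` is a constructed stand-in that models the hypothesis in the message (a server that drops a client whose QUIT arrives before the greeting); it is not Postfix, and `stub.example` and the function names are hypothetical.

```python
import select
import socket
import threading
# PROXY v1 header taken from the health check described in the thread.
PROXY_LINE = b"PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\n"

def read_reply(f):
    """Read one SMTP reply, skipping 'NNN-' continuation lines; return its code."""
    while True:
        line = f.readline()
        if len(line) < 4:
            raise ConnectionError("connection closed before a complete reply")
        if line[3:4] != b"-":
            return int(line[:3])

def check(sock, wait_for_greeting):
    """Health check over a connected socket; True if the server is judged up."""
    f = sock.makefile("rb")
    try:
        if wait_for_greeting:
            sock.sendall(PROXY_LINE)
            if read_reply(f) != 220:          # greeting must arrive first
                return False
            sock.sendall(b"QUIT\r\n")
            return read_reply(f) == 221
        sock.sendall(PROXY_LINE + b"QUIT\r\n")  # QUIT is sent before 220 arrives
        return read_reply(f) == 220
    except (ConnectionError, ValueError):
        return False

def strict_stub(conn):
    """Constructed server: drops clients whose input arrives before the greeting."""
    data = conn.recv(4096)  # assumption: header arrives in one recv (local socketpair)
    early = data.partition(b"\r\n")[2] or select.select([conn], [], [], 0.2)[0]
    if not early:
        conn.sendall(b"220 stub.example ESMTP\r\n")
        if conn.makefile("rb").readline().upper().startswith(b"QUIT"):
            conn.sendall(b"221 2.0.0 Bye\r\n")
    conn.close()

def run(wait_for_greeting):
    client, server = socket.socketpair()
    t = threading.Thread(target=strict_stub, args=(server,))
    t.start()
    try:
        return check(client, wait_for_greeting)
    finally:
        client.close()
        t.join()
```

Against the stub, `run(True)` reports the server as up and `run(False)` reports it as down, although the stub is the same in both cases.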
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
