Mailing List Archive

haproxy smtps problem
Dear exim users,

I've installed exim4 on a Debian machine. This machine is not connected
directly to the Internet, but it goes through a vps server.

Incoming connections come from a haproxy on that vps server. I've been
able to route the incoming connections toward port 25. Now I need to
enable the authentication through port 465, but if I enable it on
haproxy, my exim server is not able to interpret the incoming message
and I see something like: "SMTP syntax error in "\026\003\001\001...."
in the exim log file.

Could you give me some hints to solve this problem please? Do you think
I can solve it with haproxy, or should I look for a different solution?

thanks

Ale



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: haproxy smtps problem
Ale via Exim-users <exim-users@exim.org> (Fr 16 Apr 2021 18:35:31 CEST):
> I've installed exim4 on a Debian machine. This machine is not connected
> directly to the Internet, but it goes through a vps server.
>
> Incoming connections come from an haproxy on that vps server. I've been able
> to route the incoming connections toward port 25. Now I need to enable the
> authentication through port 465, but if I enable it on haproxy, my exim
> server is not able to interpret the incoming message and I see something
> like: "SMTP syntax error in "\026\003\001\001...." on the exim log file.

- The "\026\…." *could* be the proxy v2 proxy header (not sure about the exact value)
- Do you send proxy headers? (send-proxy, or send-proxy-v2)
  (proxy would start with "PROXY", v2 is binary only)
- Does Exim expect the proxy headers? (hosts_proxy = …)

I've a probably similar version running:

[haproxy]

listen mail
    # one TCP frontend for IMAPS and SMTPS; TLS is terminated by the backends
    bind :993,:465
    mode tcp
    option tcplog

    # every backend gets the PROXY protocol v2 header (binary, not "PROXY ...")
    default-server send-proxy-v2 check verify none

    option tcp-check

    # check IMAPS
    tcp-check connect port 993 ssl send-proxy
    tcp-check expect rstring ^\*\sOK
    tcp-check send x LOGOUT\r\n

    # check SMTPS
    tcp-check connect port 465 ssl send-proxy
    tcp-check expect rstring ^220
    tcp-check send QUIT\r\n
    tcp-check expect rstring ^221

    server a a.example.com
    server b b.example.com

[exim]
...
# the haproxy host(s) allowed to send a PROXY header
hosts_proxy = x.x.x.x
daemon_smtp_ports = ... : 465
# implicit TLS (no STARTTLS) on 465
tls_on_connect_ports = 465


Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
Re: haproxy smtps problem
On Fri, Apr 16, 2021 at 10:09:37PM +0200, Heiko Schlittermann via Exim-users wrote:

> > Incoming connections come from an haproxy on that vps server. I've been able
> > to route the incoming connections toward port 25. Now I need to enable the
> > authentication through port 465, but if I enable it on haproxy, my exim
> > server is not able to interpret the incoming message and I see something
> > like: "SMTP syntax error in "\026\003\001\001...." on the exim log file.
>
> - The "\026\…." *could* be the proxy v2 proxy header (not sure about the exact value)

It isn't, it is a TLS client HELLO message. Possibilities:

- The proxy handling has already been done, and the issue
is that the SMTP server is not configured to do "implicit
TLS" on this port (expects STARTTLS).

- The proxy is not actually handling this port and raw
TLS is hitting the SMTP server when it is expecting
the proxy handshake.

My money is on the first variant (it says "SMTP syntax", not
"haproxy syntax" after all).

--
Viktor.

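A way to tell the two cases apart from the bytes in the log, as an added example that is not part of the thread: it decodes the octal escapes Exim prints for non-printable bytes and classifies the start of the stream as a TLS record, a PROXY v1/v2 header or plain SMTP. The sample inputs are constructed; only the "\026\003\001\001" fragment comes from the log line above.

```python
import re

# PROXY protocol v2 starts with this fixed 12-byte signature; v1 is the ASCII text "PROXY ".
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
TLS_HANDSHAKE = 0x16  # TLS record type "handshake" -- octal \026 in Exim's log


def decode_exim_escapes(s: str) -> bytes:
    """Turn the \\NNN octal escapes Exim writes in its log back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = re.match(r"\\([0-7]{3})", s[i:])
        if m:
            out.append(int(m.group(1), 8))
            i += 4
        else:
            out.extend(s[i].encode("latin-1"))
            i += 1
    return bytes(out)


def classify_first_bytes(data: bytes) -> str:
    """Guess which protocol the first bytes of an inbound connection belong to."""
    if data.startswith(PROXY_V2_SIG):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04 (SSL3 .. TLS1.3 wire versions)
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    if re.match(rb"^(EHLO|HELO|NOOP|QUIT|STARTTLS)\b", data, re.IGNORECASE):
        return "smtp-plaintext"
    return "unknown"


# What each classification means for the Exim side of the setup described in the thread.
HINTS = {
    "tls-handshake": "client sent TLS first: the port is missing from tls_on_connect_ports",
    "proxy-v1": "PROXY v1 header arrived: the proxy host must be listed in hosts_proxy",
    "proxy-v2": "PROXY v2 header arrived: the proxy host must be listed in hosts_proxy",
    "smtp-plaintext": "plain SMTP: nothing to change for this port",
}


def diagnose_log_fragment(fragment: str) -> str:
    """Classify the byte string quoted in an 'SMTP syntax error in ...' log line."""
    kind = classify_first_bytes(decode_exim_escapes(fragment))
    return HINTS.get(kind, "unrecognised leading bytes")
```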
Re: haproxy smtps problem
Hi,

thank you all guys. The problem was indeed that I didn't properly
enable tls on connect. I added just a macro in the exim*.localmacros
and I didn't notice that it didn't work. Now I've added
tls_on_connect_ports=465 in the main section and it's working.

Thanks again

cheers

Ale

On 17/04/21 00:02, Viktor Dukhovni via Exim-users wrote:
> On Fri, Apr 16, 2021 at 10:09:37PM +0200, Heiko Schlittermann via Exim-users wrote:
>
>>> Incoming connections come from an haproxy on that vps server. I've been able
>>> to route the incoming connections toward port 25. Now I need to enable the
>>> authentication through port 465, but if I enable it on haproxy, my exim
>>> server is not able to interpret the incoming message and I see something
>>> like: "SMTP syntax error in "\026\003\001\001...." on the exim log file.
>> - The "\026\…." *could* be the proxy v2 proxy header (not sure about the exact value)
> It isn't, it is a TLS client HELLO message. Possibilities:
>
> - The proxy handling has already been done, and the issue
> is that the SMTP server is not configured to do "implicit
> TLS" on this port (expects STARTTLS).
>
> - The proxy is not actually handling this port and raw
> TLS is hitting the SMTP server when it is expecting
> the proxy handshake.
>
> My money is on the first variant (it says "SMTP syntax", not
> "haproxy syntax" after all).
>
