Mailing List Archive

proxy protocol and smtp_reserve_hosts etc.pp.
I run an outbound gateway (4 nodes) behind a F5 which shall (sic) be
relocated into a different network and the new LB can't preserve the sender's
IP but can do proxy protocol...

Currently I do use smtp_accept_reserve / smtp_reserve_hosts to ensure
the top sending IPs get a free slot and helo_accept_junk_hosts for a few
IPs ...

I guess those must be reworked as well as black-listing per IP in
acl_check_connect and rate-limiting in acl_check_rcpt?

Thanks for any hints,
urs

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: proxy protocol and smtp_reserve_hosts etc.pp.
On 11/10/2022 13:26, Urs Janßen via Exim-users wrote:
> I run an outbound gateway (4 nodes) behind a F5 which shall (sic) be
> relocated into a different network and the new LB can't preserve the sender's
> IP but can do proxy protocol...
>
> Currently I do use smtp_accept_reserve / smtp_reserve_hosts to ensure
> the top sending IPs get a free slot and helo_accept_junk_hosts for a few
> IPs ...
>
> I guess those must be reworked as well as black-listing per IP in
> acl_check_connect and rate-limiting in acl_check_rcpt?

All of the notions of the sender's IP should automatically use the one
that the proxy tells us by using Proxy Protocol. So, no.
--
Cheers,
Jeremy


Re: proxy protocol and smtp_reserve_hosts etc.pp.
On Tue, Oct 11, 2022 at 01:44:50PM +0100, Jeremy Harris via Exim-users wrote:
> > Currently I do use smtp_accept_reserve / smtp_reserve_hosts to ensure
> > the top sending IPs get a free slot and helo_accept_junk_hosts for a few
> > IPs ...
[...]
> All of the notions of the sender's IP should automatically use the one
> that the proxy tells us by using Proxy Protocol. So, no.

I finally managed to test the proxy setup:

All except helo_accept_junk_hosts works well.

helo_accept_junk_hosts just sees the outgoing IP of the proxy (not really an
issue in our setup).

Thanks

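Added example, not part of the thread and not Exim's code: a sketch of how a receiver behind a load balancer can derive the address that per-IP controls (reserve slots, deny lists, rate limits) are evaluated against from a PROXY protocol v1 header, honouring the header only when the TCP peer is a listed proxy. The function and exception names are hypothetical and all addresses are constructed documentation-range values.

```python
import ipaddress

class ProxyHeaderError(ValueError):
    """A listed proxy sent something that is not a valid PROXY v1 header."""

def effective_client_ip(peer_ip, first_line, trusted_proxies):
    """Return the address per-IP controls should be checked against.

    peer_ip         -- address of the TCP peer (the load balancer, if proxied)
    first_line      -- first line received on the connection, as bytes
    trusted_proxies -- networks allowed to send a PROXY header
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        # A header from an unlisted peer is never honoured; otherwise any
        # client could choose the address that deny lists and rate limits see.
        return str(peer)

    # A v1 header is one ASCII line of at most 107 bytes including CRLF.
    if len(first_line) > 107 or not first_line.endswith(b"\r\n"):
        raise ProxyHeaderError("missing or oversized PROXY v1 header")
    fields = first_line[:-2].decode("ascii", "replace").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("listed proxy did not send a PROXY header")
    if fields[1] == "UNKNOWN":
        # The proxy could not name the client: fall back to the socket peer.
        return str(peer)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unexpected PROXY v1 field layout")

    proto, src, dst, sport, dport = fields[1:]
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        ports_ok = all(0 <= int(p) <= 65535 for p in (sport, dport))
    except ValueError as exc:
        raise ProxyHeaderError("bad address or port in header") from exc
    want = 4 if proto == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want or not ports_ok:
        raise ProxyHeaderError("address family or port out of range")
    return str(src_ip)

# Constructed sample: load balancer 192.0.2.10 relaying client 198.51.100.7.
LB_NETS = ["192.0.2.10/32"]
SAMPLE = b"PROXY TCP4 198.51.100.7 192.0.2.25 51234 25\r\n"
if __name__ == "__main__":
    print(effective_client_ip("192.0.2.10", SAMPLE, LB_NETS))
```

In Exim the set of hosts expected to speak Proxy Protocol is given by the hosts_proxy main option; the list should contain only the load balancer's addresses.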