Mailing List Archive

Proxy smtp connections to multiple Exim servers behind proxy
I have a number of Exim servers behind a NAT gateway (actually connected
with vpn's to a cloud vps - but I'm hoping this is not relevant to this
post). I would like the gateway to send incoming port 25 traffic to the
correct Exim server based on SNI in incoming TLS packets - as different
Exim instances serve different email domains. The setup would look like
this:

                      [Internet]
                          |
                          |
                    (smtp port 25)
                          |
                          v
                          |
                   [Cloud server]
                          |
                          v
                          |
       ----------------------------------------
       |                  |                   |
       |                  |                   |
[Exim server 1]    [Exim server 2]    [Exim server 3]


I would have preferred to do this at IP tables level - but apparently
not really possible. It seems the next option would be HAProxy. Has
anyone here used HAProxy or run a setup as above, or know if this is
actually doable? Any suggestions much appreciated.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
> I have a number of Exim servers behind a NAT gateway (actually connected with vpn's to a cloud vps - but I'm hoping this is not relevant to this post). I would like the gateway to send incoming port 25 traffic to the correct Exim server based on SNI in incoming TLS packets - as different Exim instances serve different email domains. The setup would look like this:
>
>                       [Internet]
>                           |
>                           |
>                     (smtp port 25)
>                           |
>                           v
>                           |
>                    [Cloud server]
>                           |
>                           v
>                           |
>        ----------------------------------------
>        |                  |                   |
>        |                  |                   |
> [Exim server 1]    [Exim server 2]    [Exim server 3]
>
>
> I would have preferred to do this at IP tables level - but apparently not really possible. It seems the next option would be HAProxy. Has anyone here used HAProxy or run a setup as above, or know if this is actually doable? Any suggestions much appreciated.
>

Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can use):
https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound

I can't really help on other HAProxy facilities or config though.

Another option for you would be to use Exim itself as the fanout element at your
"cloud server". It has visibility of the SNI and could use that for routing.
Indeed, if the configurations needed for the "Exim server N" elements are sufficiently
similar and load & geography permits, you could collapse the lot into a single Exim.
--
Cheers,
Jeremy


Re: Proxy smtp connections to multiple Exim servers behind proxy
On Sat, Apr 15, 2023 at 12:53:54PM +0100, Sebastian Arcus via Exim-users wrote:
> I have a number of Exim servers behind a NAT gateway (actually connected
> with vpn's to a cloud vps - but I'm hoping this is not relevant to this
> post). I would like the gateway to send incoming port 25 traffic to the
> correct Exim server based on SNI in incoming TLS packets - as different Exim
> instances serve different email domains. The setup would look like this:
>
>                       [Internet]
>                           |
>                           |
>                     (smtp port 25)
>                           |
>                           v
>                           |
>                    [Cloud server]
>                           |
>                           v
>                           |
>        ----------------------------------------
>        |                  |                   |
>        |                  |                   |
> [Exim server 1]    [Exim server 2]    [Exim server 3]
>
>
> I would have preferred to do this at IP tables level - but apparently not
> really possible.

Well, iptables is not a good tool for this, because it operates on OSI levels
3+4, while SNI is on level 5. Iptables should select the backend IP on the
SYN packet, but SNI comes later.

For your conditions the problem is even more complex, because port 25 is for
plain SMTP, but SNI can be passed only after STARTTLS. So the load balancer
should start a plain SMTP session, do the full dialog until the client switches
to TLS, and check whether the client supplies SNI during the handshake. Note that
SNI may be absent; this situation should also be processed carefully.

> It seems the next option would be HAProxy. Has anyone here
> used HAProxy or run a setup as above, or know if this is actually doable?

Your scheme is theoretically possible, but I doubt it can be easily
realized with the generally used Haproxy or Nginx.

My question is: why do you want to use such a complicated scheme, while it's
a very simple task to set up a farm of Exim servers, each operating for
several mail domains, with an iptables-based balancer in front of them?
--
Eugene Berdnikov

Re: Proxy smtp connections to multiple Exim servers behind proxy
I believe you are trying to use the same IP address for the 3 exim
instances, otherwise the solution would be quite simple: binding each
instance to the proper IP address. Right? Or do you have 3 different
public IP addresses?

If you have only 1 public IP, would a solution forwarding to a subdomain
via system_aliases+dsearch+local_parts+cron job updating user list
satisfy?

example:

adam@company1.com -> adam@internal.company1.com
eve@company1.com -> eve@internal.company1.com
keyser@business2.com -> keyser@internal.business2.com
soze@designer3.com -> soze@internal.designer3.com
contact@designer3.com -> contact@internal.designer3.com

--

On 2023-04-15 11:53, Sebastian Arcus via Exim-users wrote:
> I have a number of Exim servers behind a NAT gateway (actually
> connected with vpn's to a cloud vps - but I'm hoping this is not
> relevant to this post). I would like the gateway to send incoming port
> 25 traffic to the correct Exim server based on SNI in incoming TLS
> packets - as different Exim instances serve different email domains.
> The setup would look like this:
>
>                       [Internet]
>                           |
>                           |
>                     (smtp port 25)
>                           |
>                           v
>                           |
>                    [Cloud server]
>                           |
>                           v
>                           |
>        ----------------------------------------
>        |                  |                   |
>        |                  |                   |
> [Exim server 1]    [Exim server 2]    [Exim server 3]
>
>
> I would have preferred to do this at IP tables level - but apparently
> not really possible. It seems the next option would be HAProxy. Has
> anyone here used HAProxy or run a setup as above, or know if this is
> actually doable? Any suggestions much appreciated.

Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
> On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
>> I have a number of Exim servers behind a NAT gateway (actually
>> connected with vpn's to a cloud vps - but I'm hoping this is not
>> relevant to this post). I would like the gateway to send incoming port
>> 25 traffic to the correct Exim server based on SNI in incoming TLS
>> packets - as different Exim instances serve different email domains.
>> The setup would look like this:
>>
>>                        [Internet]
>>                            |
>>                            |
>>                      (smtp port 25)
>>                            |
>>                            v
>>                            |
>>                     [Cloud server]
>>                            |
>>                            v
>>                            |
>>         ----------------------------------------
>>         |                  |                   |
>>         |                  |                   |
>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>
>>
>> I would have preferred to do this at IP tables level - but apparently
>> not really possible. It seems the next option would be HAProxy. Has
>> anyone here used HAProxy or run a setup as above, or know if this is
>> actually doable? Any suggestions much appreciated.
>>
>
> Exim does talk the inbound-proxy protocol that HAProxy apparently uses
> (or can use):
> https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound
>
>
> I can't really help on other HAProxy facilities or config though.
>
> Another option for you would be to use Exim itself as the fanout element
> at your
> "cloud server".  It has visibility of the SNI and could use that for
> routing.

Thank you for the suggestions. I have considered using Exim itself as
the "proxy" at the front. One thing I have to figure out is SPF in
relation to Spamassassin. I think I would have to run Spamassassin on
the "proxy" Exim, as otherwise the IP address of the proxy will be added
to the headers during the delivery/relay process, and will probably
break the SPF checks in Spamassassin on the final Exim server in the
chain - I think?

> Indeed, if the configurations needed for the "Exim server N" elements
> are sufficiently
> similar and load & geography permits, you could collapse the lot into a
> single Exim.

I agree with you - except that there are some business / non-technical
reasons why this is not a possibility in this case.



Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 16:46, Evgeniy Berdnikov via Exim-users wrote:
> On Sat, Apr 15, 2023 at 12:53:54PM +0100, Sebastian Arcus via Exim-users wrote:
>> I have a number of Exim servers behind a NAT gateway (actually connected
>> with vpn's to a cloud vps - but I'm hoping this is not relevant to this
>> post). I would like the gateway to send incoming port 25 traffic to the
>> correct Exim server based on SNI in incoming TLS packets - as different Exim
>> instances serve different email domains. The setup would look like this:
>>
>>                       [Internet]
>>                           |
>>                           |
>>                     (smtp port 25)
>>                           |
>>                           v
>>                           |
>>                    [Cloud server]
>>                           |
>>                           v
>>                           |
>>        ----------------------------------------
>>        |                  |                   |
>>        |                  |                   |
>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>
>>
>> I would have preferred to do this at IP tables level - but apparently not
>> really possible.
>
> Well, iptables is not a good tool for this, because it operates on OSI levels
> 3+4, while SNI is on level 5. Iptables should select the backend IP on the
> SYN packet, but SNI comes later.
>
> For your conditions the problem is even more complex, because port 25 is for
> plain SMTP, but SNI can be passed only after STARTTLS. So the load balancer
> should start a plain SMTP session, do the full dialog until the client switches
> to TLS, and check whether the client supplies SNI during the handshake. Note that
> SNI may be absent; this situation should also be processed carefully.
>
>> It seems the next option would be HAProxy. Has anyone here
>> used HAProxy or run a setup as above, or know if this is actually doable?
>
> Your scheme is theoretically possible, but I doubt it can be easily
> realized with the generally used Haproxy or Nginx.
>
> My question is: why do you want to use such a complicated scheme, while it's
> a very simple task to set up a farm of Exim servers, each operating for
> several mail domains, with an iptables-based balancer in front of them?

Would this be possible with different servers covering different email
domains? These servers belong to different organisations - hence why
each one hosts different domains.

Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 17:00, Fabio Martins wrote:
> I believe you are trying to use the same IP address for the 3 exim
> instances, otherwise the solution would be quite simple binding each
> instance to the proper IP address. Right? Or do you have 3 different
> public IP addresses?

That's correct - there is only one IP address on the VPS/proxy - which
needs to serve all the Exim servers behind it.

>
> If you have only 1 public IP, does a solution forwarding to a subdomain
> via system_aliases+dsearch+local_parts+cron job updating user list,
> would satisfy?
>
> example:
>
> adam@company1.com -> adam@internal.company1.com
> eve@company1.com -> eve@internal.company1.com
> keyser@business2.com -> keyser@internal.business2.com
> soze@designer3.com -> soze@internal.designer3.com
> contact@designer3.com -> contact@internal.designer3.com

I can't say that I am really following what you are trying to suggest -
but I don't think having emails on subdomains would help with my problem.


>
> --
>
> On 2023-04-15 11:53, Sebastian Arcus via Exim-users wrote:
>> I have a number of Exim servers behind a NAT gateway (actually
>> connected with vpn's to a cloud vps - but I'm hoping this is not
>> relevant to this post). I would like the gateway to send incoming port
>> 25 traffic to the correct Exim server based on SNI in incoming TLS
>> packets - as different Exim instances serve different email domains.
>> The setup would look like this:
>>
>>                       [Internet]
>>                           |
>>                           |
>>                     (smtp port 25)
>>                           |
>>                           v
>>                           |
>>                    [Cloud server]
>>                           |
>>                           v
>>                           |
>>        ----------------------------------------
>>        |                  |                   |
>>        |                  |                   |
>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>
>>
>> I would have preferred to do this at IP tables level - but apparently
>> not really possible. It seems the next option would be HAProxy. Has
>> anyone here used HAProxy or run a setup as above, or know if this is
>> actually doable? Any suggestions much appreciated.

Re: Proxy smtp connections to multiple Exim servers behind proxy
On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:

> I have a number of Exim servers behind a NAT gateway (actually connected with
> vpn's to a cloud vps - but I'm hoping this is not relevant to this post). I
> would like the gateway to send incoming port 25 traffic to the correct Exim
> server based on SNI in incoming TLS packets - as different Exim instances
> serve different email domains. The setup would look like this:
>
>                       [Internet]
>                           |
>                           |
>                     (smtp port 25)
>                           |
>                           v
>                           |
>                    [Cloud server]
>                           |
>                           v
>                           |
>        ----------------------------------------
>        |                  |                   |
>        |                  |                   |
> [Exim server 1]    [Exim server 2]    [Exim server 3]
>
>
> I would have preferred to do this at IP tables level - but apparently not
> really possible. It seems the next option would be HAProxy. Has anyone here
> used HAProxy or run a setup as above, or know if this is actually doable? Any
> suggestions much appreciated.

Will the mail storage be on these machines running exim?
Don't forget about balancing dovecot, or whatever will make the mailboxes
available to your users, too.

Since you have different domains, my first thought would just be to
assign them different MXes with different IPs ...

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Proxy smtp connections to multiple Exim servers behind proxy
On Sat, Apr 15, 2023 at 06:03:29PM +0100, Sebastian Arcus wrote:
> On 15/04/2023 16:46, Evgeniy Berdnikov via Exim-users wrote:
> > My question is: why do you want to use such a complicated scheme, while it's
> > a very simple task to set up a farm of Exim servers, each operating for
> > several mail domains, with an iptables-based balancer in front of them?
>
> Would this be possible with different servers covering different email
> domains?

No, all servers should cover all domains published through the balancer.

However, you can use 2 lines of backend servers: the 1st is the farm
I described above, the 2nd is a line with domain-specific servers.
Incoming mails should be forwarded from the 1st line to the 2nd.

> These servers belong to different organisations - hence why each
> one hosts different domains.

It has no importance if you want to route mails through one frontend.
All organisations should agree to share this frontend.
--
Eugene Berdnikov

Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 18:44, Andrew C Aitchison wrote:
> On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:
>
>> I have a number of Exim servers behind a NAT gateway (actually
>> connected with vpn's to a cloud vps - but I'm hoping this is not
>> relevant to this post). I would like the gateway to send incoming port
>> 25 traffic to the correct Exim server based on SNI in incoming TLS
>> packets - as different Exim instances serve different email domains.
>> The setup would look like this:
>>
>>                      [Internet]
>>                          |
>>                          |
>>                    (smtp port 25)
>>                          |
>>                          v
>>                          |
>>                   [Cloud server]
>>                          |
>>                          v
>>                          |
>>       ----------------------------------------
>>       |                  |                   |
>>       |                  |                   |
>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>
>>
>> I would have preferred to do this at IP tables level - but apparently
>> not really possible. It seems the next option would be HAProxy. Has
>> anyone here used HAProxy or run a setup as above, or know if this is
>> actually doable? Any suggestions much appreciated.
>
> Will the mail storage be on these machines running exim?
> Don't forget about balancing dovecot, or whatever will make the mailboxes
> available to your users, too.

Each box behind the proxy/nat has Exim and Dovecot on it - serving its
own domain and users separate from other boxes.

>
> Since you have different domains, my first thought would just be to
> assign them different MXes with different IPs ...

This is the situation now. But managing a full set of internet
connections with fixed IP addresses and reverse dns records is turning
into a major drag. Every time the internet connection on one of the
boxes has to change provider, it becomes a whole project managing the
migration, with downtime while the provider assigns a PTR record to the
connection. On occasion it has taken 2 weeks. This is why I would like
to have all boxes use one single public IP address and one PTR record
through the VPS / cloud server for smtp purposes, with the VPS acting as
a SMTP proxy / gateway.

Re: Proxy smtp connections to multiple Exim servers behind proxy
On Sat, 15 Apr 2023, Sebastian Arcus wrote:

> On 15/04/2023 18:44, Andrew C Aitchison wrote:
>> On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:
>>
>>> I have a number of Exim servers behind a NAT gateway (actually connected
>>> with vpn's to a cloud vps - but I'm hoping this is not relevant to this
>>> post). I would like the gateway to send incoming port 25 traffic to the
>>> correct Exim server based on SNI in incoming TLS packets - as different
>>> Exim instances serve different email domains. The setup would look like
>>> this:
>>>
>>>                      [Internet]
>>>                          |
>>>                          |
>>>                    (smtp port 25)
>>>                          |
>>>                          v
>>>                          |
>>>                   [Cloud server]
>>>                          |
>>>                          v
>>>                          |
>>>       ----------------------------------------
>>>       |                  |                   |
>>>       |                  |                   |
>>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>>
>>>
>>> I would have preferred to do this at IP tables level - but apparently not
>>> really possible. It seems the next option would be HAProxy. Has anyone
>>> here used HAProxy or run a setup as above, or know if this is actually
>>> doable? Any suggestions much appreciated.


>> Since you have different domains, my first thought would just be to
>> assign them different MXes with different IPs ...
>
> This is the situation now. But managing a full set of internet connections
> with fixed IP addresses and reverse dns records is turning into a major drag.
> Every time the internet connection on one of the boxes has to change
> provider, it becomes a whole project managing the migration, with downtime
> while the provider assigns a PTR record to the connection. On occasion it has
> taken 2 weeks. This is why I would like to have all boxes use one single
> public IP address and one PTR record through the VPS / cloud server for smtp
> purposes, with the VPS acting as a SMTP proxy / gateway.

Ah.

I've only done it with physical local machines, where
it was easy to move an ip address from one box to another.
I had an ip address for each box and one for each domain,
so I could just move the domain ip address to another machine
when necessary. No need to change the DNS at all.
Not necessarily something you can do with a cloud.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 18:01, Sebastian Arcus via Exim-users wrote:
> I think I would have to run Spamassassin on the "proxy" Exim, as otherwise the IP address of the proxy will be added to the headers during the delivery/relay process, and will probably break the SPF checks in Spamassassin on the final Exim server in the chain - I think?

That would depend on how SA gets its info, but yes, that'd be simplest.
--
Cheers,
Jeremy


Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 18:50, Evgeniy Berdnikov via Exim-users wrote:
> On Sat, Apr 15, 2023 at 06:03:29PM +0100, Sebastian Arcus wrote:
>> On 15/04/2023 16:46, Evgeniy Berdnikov via Exim-users wrote:
>>> My question is: why do you want to use such a complicated scheme, while it's
>>> a very simple task to set up a farm of Exim servers, each operating for
>>> several mail domains, with an iptables-based balancer in front of them?
>>
>> Would this be possible with different servers covering different email
>> domains?
>
> No, all servers should cover all domains published through the balancer.


These are all separate servers belonging to different organisations.
They each host their own mail domain and users. This can't be changed. I
am not looking to do load balancing. I am looking to share the public IP
address and PTR record these servers use for incoming and outgoing smtp
connections.

>
> However, you can use 2 lines of backend servers: the 1st is the farm
> I described above, the 2nd is a line with domain-specific servers.
> Incoming mails should be forwarded from the 1st line to the 2nd.


It sounds similar to what is suggested by other replies - to use Exim on
the gateway vps instead of HAProxy, and relay the email to back-end
servers. I think that should cover my needs - that sounds doable.

>
>> These servers belong to different organisations - hence why each
>> one hosts different domains.
>
> It has no importance if you want to route mails through one frontend.
> All organisations should agree to share this frontend.

Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 19:09, Andrew C Aitchison wrote:
> On Sat, 15 Apr 2023, Sebastian Arcus wrote:
>
>> On 15/04/2023 18:44, Andrew C Aitchison wrote:
>>> On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:
>>>
>>>> I have a number of Exim servers behind a NAT gateway (actually
>>>> connected with vpn's to a cloud vps - but I'm hoping this is not
>>>> relevant to this post). I would like the gateway to send incoming
>>>> port 25 traffic to the correct Exim server based on SNI in incoming
>>>> TLS packets - as different Exim instances serve different email
>>>> domains. The setup would look like this:
>>>>
>>>>                      [Internet]
>>>>                          |
>>>>                          |
>>>>                    (smtp port 25)
>>>>                          |
>>>>                          v
>>>>                          |
>>>>                   [Cloud server]
>>>>                          |
>>>>                          v
>>>>                          |
>>>>       ----------------------------------------
>>>>       |                  |                   |
>>>>       |                  |                   |
>>>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>>>
>>>>
>>>> I would have preferred to do this at IP tables level - but
>>>> apparently not really possible. It seems the next option would be
>>>> HAProxy. Has anyone here used HAProxy or run a setup as above, or
>>>> know if this is actually doable? Any suggestions much appreciated.
>
>
>>> Since you have different domains, my first thought would just be to
>>> assign them different MXes with different IPs ...
>>
>> This is the situation now. But managing a full set of internet
>> connections with fixed IP addresses and reverse dns records is turning
>> into a major drag. Every time the internet connection on one of the
>> boxes has to change provider, it becomes a whole project managing the
>> migration, with downtime while the provider assigns a PTR record to
>> the connection. On occasion it has taken 2 weeks. This is why I would
>> like to have all boxes use one single public IP address and one PTR
>> record through the VPS / cloud server for smtp purposes, with the VPS
>> acting as a SMTP proxy / gateway.
>
> Ah.
>
> I've only done it with physical local machines, where
> it was easy to move an ip address from one box to another.
> I had an ip address for each box and one for each domain,
> so I could just move the domain ip address to another machine
> when necessary. No need to change the DNS at all.
> Not necessarily something you can do with a cloud.

Sorry - I tried to keep the original question as simple as possible,
hoping that would make it easier to answer.

The "back-end" machines are physical machines, on regular
ADSL/VDSL/cable/fibre connections at various locations. At the moment
they send directly to the internet, which requires a static IP and PTR
record. The PTR record needs to be requested from the provider of the
internet connection. This process has taken in the past anywhere between
3-14 days - depending on provider and luck finding a member of staff who
knows what a PTR record is.

It also restricts the choice of internet providers to those who do
provide PTR records. Also, if there is a fault with the internet
connection and it gets replaced with a temporary (4G/5G) connection, the
server effectively can't send and receive emails any more - for days or,
worst-case scenario, weeks at a time.

To solve all of the above issues, I am looking into essentially
diverting all the outgoing and incoming smtp traffic of these servers
through a single gateway server, which will be a vps/cloud server. Then
the flow of emails on smtp will be able to continue uninterrupted, even
when changing internet providers at various locations where the back-end
servers are, or switching to an emergency/temporary internet connection.

I hope the above makes a bit more sense.

Re: Proxy smtp connections to multiple Exim servers behind proxy
On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users wrote:
> These are all separate servers belonging to different organisations. They
> each host their own mail domain and users. This can't be changed. I am not
> looking to do load balancing. I am looking to share the public IP address
> and PTR record these servers use for incoming and outgoing smtp connections.

This formulation is significantly different from the original one, which
was about SNI and all that. This task has no relation to SNI, TLS, etc.
With wrong questions you have minimal chances to get relevant answers.

BTW, using single public IP/gateway you create a single point of failure
for all domains/organizations.
--
Eugene Berdnikov

Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
>
> Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can use):
> https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound

Thinking further, this (HAProxy with Proxy-protocol as a frontend for an MTA,
with the HAProxy routing based on SNI) has additional complications. Because
the ESMTP connection has to (for port 25) negotiate TLS using STARTTLS, you're
asking that HAProxy run that part of the ESMTP protocol, so that it can see the
SNI. It'd have to replay that ESMTP startup down the connection to the backend,
as far as the TLS Client Hello - or be a full ESMTP endpoint. I don't know if
it's that clever.
--
Cheers,
Jeremy
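Eugene's point that the balancer must speak the plaintext SMTP dialog itself and that SNI may be absent, together with Jeremy's point above that the SNI only becomes visible in the TLS Client Hello after STARTTLS, worked through as an added Python example (not code from the thread, from Exim or from HAProxy). The backend table, host names and addresses are constructed for the example.

```python
import struct
from typing import List, Optional, Tuple

# Constructed sample routing table: SNI host name -> backend (address, port).
# Names and addresses are assumptions for this example, not from the thread.
BACKENDS = {
    "mx.company1.example": ("10.8.0.2", 25),
    "mx.business2.example": ("10.8.0.3", 25),
}
# The ClientHello may carry no SNI at all, so the fallback is chosen explicitly.
NO_SNI_BACKEND = ("10.8.0.2", 25)

def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS record carrying a ClientHello, else None."""
    # None = not a ClientHello or no SNI extension; callers handle that deliberately.
    try:
        if record[0] != 0x16:                        # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if body[0] != 0x01:                          # not a ClientHello
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                 # client_version + random
        pos += 1 + hs[pos]                           # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                           # compression_methods
        if pos + 2 > len(hs):                        # no extensions block
            return None
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != 0x0000:                   # 0 = server_name
                continue
            # ServerNameList: 2-byte list length, then entries of
            # name_type(1) + name_len(2) + name; type 0 is host_name.
            lpos = 2
            while lpos + 3 <= len(data):
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + name_len]
                if data[lpos] == 0 and len(name) == name_len:
                    return name.decode("ascii")
                lpos += 3 + name_len
            return None
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record for testing (not a real client)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    body = (
        b"\x03\x03" + bytes(32)                      # client_version, random
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # null compression only
        + struct.pack("!H", len(exts)) + exts
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def smtp_until_starttls(client_lines: List[str]) -> Tuple[List[str], bool]:
    """Run the plaintext ESMTP prelude; return (replies, client switched to TLS)."""
    # Until STARTTLS there is no TLS and hence no SNI, so nothing can be routed
    # and no mail may be accepted in the clear.
    replies, greeted = [], False
    for line in client_lines:
        cmd = line.strip().split(" ", 1)[0].upper()
        if cmd == "EHLO":
            greeted = True
            replies.append("250-gateway.example\r\n250 STARTTLS")
        elif cmd == "STARTTLS" and greeted:
            replies.append("220 Go ahead")
            return replies, True                     # next bytes: ClientHello
        else:                                        # MAIL FROM etc. in clear
            replies.append("530 Must issue a STARTTLS command first")
    return replies, False

def route_connection(client_lines: List[str], first_tls_record: bytes):
    """Pick the backend (address, port) for one connection, or None to refuse."""
    # After choosing, the front end still has to terminate TLS itself or replay
    # the ESMTP prelude to the backend; it cannot just splice the bytes.
    _, tls = smtp_until_starttls(client_lines)
    if not tls:
        return None                                  # never reached TLS
    sni = extract_sni(first_tls_record)
    if sni is None:
        return NO_SNI_BACKEND                        # absent SNI: fallback
    return BACKENDS.get(sni)                         # unknown name: refuse
```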


Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 21:20, Evgeniy Berdnikov via Exim-users wrote:
> On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users wrote:
>> These are all separate servers belonging to different organisations. They
>> each host their own mail domain and users. This can't be changed. I am not
>> looking to do load balancing. I am looking to share the public IP address
>> and PTR record these servers use for incoming and outgoing smtp connections.
>
> This formulation is significantly different from the original one, which
> was about SNI and all that. This task has no relation to SNI, TLS, etc.
> With wrong questions you have minimal chances to get relevant answers.

You are correct - thinking some more about it, all outside connections
would be connecting to the same FQDN. SNI would play no part in it.
Sorry for the confusion. It seems that using Exim as a front end
relaying to back-end servers is the right solution.

>
> BTW, using single public IP/gateway you create a single point of failure
> for all domains/organizations.

That is also very true, and I have considered it. On balancing the
advantages and disadvantages of the setup, it will be a risk I will have
to accept. Or possibly end up with two of these cloud / front-end
servers set up as the 2 MXs for all domains.

Re: Proxy smtp connections to multiple Exim servers behind proxy
solution inline

On 2023-04-15 17:05, Sebastian Arcus via Exim-users wrote:
> On 15/04/2023 17:00, Fabio Martins wrote:
>> I believe you are trying to use the same IP address for the 3 exim
>> instances, otherwise the solution would be quite simple binding each
>> instance to the proper IP address. Right? Or do you have 3 different
>> public IP addresses?
>
> That's correct - there is only one IP address on the VPS/proxy - which
> needs to serve all the Exim servers behind
>

Ok, so the solution will work.

>>
>> If you have only 1 public IP, does a solution forwarding to a
>> subdomain via system_aliases+dsearch+local_parts+cron job updating
>> user list, would satisfy?
>>
>> example:
>>
>> adam@company1.com -> adam@internal.company1.com
>> eve@company1.com -> eve@internal.company1.com
>> keyser@business2.com -> keyser@internal.business2.com
>> soze@designer3.com -> soze@internal.designer3.com
>> contact@designer3.com -> contact@internal.designer3.com
>
> I can't say that I am really following what you are trying to suggest -
> but I don't think having emails on subdomains would help with my
> problem
>
>

The subdomain trick is just a way to reach the right Exim box.

Cloud Box configuration:

box1 VPN IP: bind it to IP 172.20.10.1
box2 VPN IP: bind it to IP 172.20.10.2
box3 VPN IP: bind it to IP 172.20.10.3

VPN configuration for each client ( adjust IP addresses for your
configuration ):

Box1 will bind to port 25 on VPN IP 172.20.10.1
Box2 will bind to port 25 on VPN IP 172.20.10.2
Box3 will bind to port 25 on VPN IP 172.20.10.3

internal DNS configuration of cloud box ( unbound shall do the trick ):

internal.company1.com MX points to 172.20.10.1
internal.business2.com MX points to 172.20.10.2
internal.designer3.com MX points to 172.20.10.3

--

Exim configuration of Cloud Box:

# mkdir /etc/exim/domainlistbusiness/
# echo 'adam: adam@internal.company1.com' >> /etc/exim/domainlistbusiness/company1.com
# echo 'eve: eve@internal.company1.com' >> /etc/exim/domainlistbusiness/company1.com
# echo 'keyser: keyser@internal.business2.com' >> /etc/exim/domainlistbusiness/business2.com
# echo 'soze: soze@internal.designer3.com' >> /etc/exim/domainlistbusiness/designer3.com
# echo 'contact: contact@internal.designer3.com' >> /etc/exim/domainlistbusiness/designer3.com

# /etc/exim/exim4.conf ( or proper filename in your box ) (only relevant lines):

domainlist local_domains = company1.com:business2.com:designer3.com:internal.company1.com:internal.business2.com:internal.designer3.com

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  # dsearch matches the domain against the file names in the directory;
  # ret=full leaves the full path of the matching file in $domain_data
  domains = dsearch,ret=full;/etc/exim/domainlistbusiness
  # the local part must be a key in that per-domain file
  local_parts = lsearch;$domain_data
  # redirect to the value stored for that key (the internal.* address)
  data = ${lookup{$local_part}lsearch*@{${domain_data}}}
  file_transport = address_file
  pipe_transport = address_pipe

--

Exim configuration of VPN Exim Box1 from company1.com ( only relevant
lines ):

primary_hostname = company1.com
domainlist local_domains = company1.com:internal.company1.com

( other VPN boxes you can deduce from above )

--

This dirty / quick trick shall work ok, and it's not a complicated setup.

--

Cheers.
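An added helper for the cron job Fabio mentions (my own code, not from the post or from Exim): it writes the per-domain lsearch files in exactly the layout the echo commands above create, refuses local parts that could not serve as lsearch keys, and replaces each file atomically. The user list is constructed; the directory defaults to a temporary one where the real setup uses /etc/exim/domainlistbusiness.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed input: in the setup above a cron job would refresh this list
USERS = [
    "adam@company1.com", "eve@company1.com",
    "keyser@business2.com", "soze@designer3.com", "contact@designer3.com",
]
# An lsearch key ends at the first ':' or whitespace, so only accept local
# parts and domains that cannot break the file format or shadow another key
SAFE_LOCAL_PART = re.compile(r"^[A-Za-z0-9._+-]+$")
SAFE_DOMAIN = re.compile(r"^[a-z0-9][a-z0-9.-]*$")


def build_alias_files(users):
    """Return {domain: file text}, one 'user: user@internal.domain' line per
    address, i.e. the lines the echo commands in the post append by hand."""
    per_domain = defaultdict(list)
    for addr in users:
        local_part, _, domain = addr.partition("@")
        domain = domain.lower()
        if not (SAFE_LOCAL_PART.match(local_part) and SAFE_DOMAIN.match(domain)):
            raise ValueError(f"refusing unsafe address {addr!r}")
        per_domain[domain].append(f"{local_part}: {local_part}@internal.{domain}\n")
    return {d: "".join(sorted(lines)) for d, lines in per_domain.items()}


def write_alias_dir(users, directory=None):
    """Write one file per domain into the dsearch directory (a temporary one
    here; /etc/exim/domainlistbusiness in the post) and return {domain: path}.
    Each file is replaced atomically so Exim never reads a half-written list."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="domainlistbusiness.")
    paths = {}
    for domain, text in build_alias_files(users).items():
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp.")
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, 0o644)
        final = os.path.join(directory, domain)
        os.replace(tmp, final)  # rename is atomic within one filesystem
        paths[domain] = final
    return paths
```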

Re: Proxy smtp connections to multiple Exim servers behind proxy
On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:

>
> On 15/04/2023 21:20, Evgeniy Berdnikov via Exim-users wrote:
>> On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users
>> wrote:
>>> These are all separate servers belonging to different organisations. They
>>> each host their own mail domain and users. This can't be changed. I am not
>>> looking to do load balancing. I am looking to share the public IP address
>>> and PTR record these servers use for incoming and outgoing smtp
>>> connections.
>>
>> This formulation is significantly different from the original one, which
>> was about SNI and all that. This task has no relation to SNI, TLS, etc.
>> With wrong questions you have minimal chances to get relevant answers.
>
> You are correct - thinking some more about it, all outside connections would
> be connecting to the same FQDN. SNI would play no part in it. Sorry for the
> confusion. It seems that using Exim as a front end relaying to back-end
> servers is the right solution.

I see this front-end machine as a backup MX server. That way the real
machines will get the mail most of the time, but if/when the real machine
has a new ip address that doesn't match the MX, the front-end machine will
receive the mail and pass it on to the corrected IP.

>> BTW, using single public IP/gateway you create a single point of failure
>> for all domains/organizations.
>
> That is also very true, and I have considered it. On balancing the advantages
> and disadvantages of the setup, it will be a risk I will have to accept. Or
> possibly end up with two of these cloud / front-end servers set up as the 2
> MXs for all domains.

If the real server and the front-end machine are both in the MX records,
provided that you still control the IP addresses, losing either machine
won't stop the mail from getting through.

I don't know what sort of latency there will be between these machines,
but you might be able to use cutthrough delivery from the front-end to the
real server, which might allow you to reject rather than bounce some of
the time; it might even help with your SPF dilemma ?


--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 23:19, Andrew C Aitchison wrote:
> On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:
>
>>
>> On 15/04/2023 21:20, Evgeniy Berdnikov via Exim-users wrote:
>>> On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via
>>> Exim-users wrote:
>>>> These are all separate servers belonging to different organisations.
>>>> They
>>>> each host their own mail domain and users. This can't be changed. I
>>>> am not
>>>> looking to do load balancing. I am looking to share the public IP
>>>> address
>>>> and PTR record these servers use for incoming and outgoing smtp
>>>> connections.
>>>
>>>   This formulation is significantly different from the original one,
>>> which
>>>   was about SNI and all that. This task has no relation to SNI, TLS,
>>> etc.
>>>   With wrong questions you have minimal chances to get relevant answers.
>>
>> You are correct - thinking some more about it, all outside connections
>> would be connecting to the same FQDN. SNI would play no part in it.
>> Sorry for the confusion. It seems that using Exim as a front end
>> relaying to back-end servers is the right solution.
>
> I see this front-end machine as a backup MX server. That way the real
> machines will get the mail most of the time, but if/when the real
> machine has a new ip address that doesn't match the MX, the front-end
> machine will
> receive the mail and pass it on to the corrected IP.

That is not such a bad idea actually. One thing I'm not sure about is
the SPF checks in Spamassassin. For email coming through the front-end
machine, there should be no Spamassassin checks done on the back-end
machine, as they would fail the SPF checks. However, when email comes
directly to the back-end machines, Spamassassin should be run on the
email. Maybe I could have some conditions in the ACL to detect how the
email arrived and skip Spamassassin checks on email which came through
the front-end machine.

>
>>>   BTW, using single public IP/gateway you create a single point of
>>> failure
>>>   for all domains/organizations.
>>
>> That is also very true, and I have considered it. On balancing the
>> advantages and disadvantages of the setup, it will be a risk I will
>> have to accept. Or possibly end up with two of these cloud / front-end
>> servers set up as the 2 MXs for all domains.
>
> If the real server and the front-end machine are both in the MX records,
> provided that you still control the IP addresses, losing either machine
> won't stop the mail from getting through.

That could work as well. I suppose Exim could queue the email if it
can't contact the back-end server, until it comes back online. Another
good idea - thank you.

>
> I don't know what sort of latency there will be between these machines,
> but you might be able to use cutthrough delivery from the front-end to the
> real server, which might allow you to reject rather than bounce some of
> the time; it might even help with your SPF dilemma ?

That was my intention - so that the back-end machines can verify if the
recipient exists. Are you saying that when using cutthrough delivery,
this doesn't add an extra header to the email message - so this way it
wouldn't mess up the SPF checks on the back-end machine? (I was assuming
that the front-end machine would add another header to the incoming
email, which would make it appear to be one of the sending servers -
which I then assumed would fail the SPF checks on the back-end machines)

Re: Proxy smtp connections to multiple Exim servers behind proxy
On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:

>> I don't know what sort of latency there will be between these machines,
>> but you might be able to use cutthrough delivery from the front-end to the
>> real server, which might allow you to reject rather than bounce some of the
>> time; it might even help with your SPF dilemma ?
>
> That was my intention - so that the back-end machines can verify if the
> recipient exists. Are you saying that when using cutthrough delivery, this
> doesn't add an extra header to the email message - so this way it wouldn't
> mess up the SPF checks on the back-end machine? (I was assuming that the
> front-end machine would add another header to the incoming email, which would
> make it appear to be one of the sending servers - which I then assumed would
> fail the SPF checks on the back-end machines)

I have never actually used cut-through and I don't know.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15.04.23 21:54, Sebastian Arcus via Exim-users wrote:

> The "back-end" machines are physical machines, on regular
> ADSL/VDSL/cable/fibre connections at various locations.

> At the moment
> they send directly to the internet, which requires a static IP and PTR
> record.

> To solve all of the above issues, I am looking into essentially
> diverting all the outgoing and incoming smtp traffic of these servers
> through a single gateway server, which will be a vps/cloud server.

Well, that's off-topic on the Exim-list, but maybe a VPN solution would
fit better. Put three additional static IPv4 addresses and IPv6 /64 on
the VPS, build a Wireguard VPN between the VPS and the Exim servers and
use the VPS as a "proxy" on IP level.

Or move the three Exim servers - as virtual machines - into the
datacenter where the VPS runs. Running servers on consumer or even cheap
enterprise access services will not ensure high availability.


Regards,

Paul

Re: Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 23:31, Sebastian Arcus via Exim-users wrote:
>> you might be able to use cutthrough delivery from the front-end to the
>> real server, which might allow you to reject rather than bounce some of the time; it might even help with your SPF dilemma ?
>
> That was my intention - so that the back-end machines can verify if the recipient exists. Are you saying that when using cutthrough delivery, this doesn't add an extra header to the email message - so this way it wouldn't mess up the SPF checks on the back-end machine

No. A Received: header is always added, cutthrough or store-and-forward.

> (I was assuming that the front-end machine would add another header to the incoming email, which would make it appear to be one of the sending servers - which I then assumed would fail the SPF checks on the back-end machines)

(The original) SA presumably relies on Received: headers to get the sending IP;
there's no setting in the API being used to call it.

The RSPAMD variant call does, however - so if there were enough call for it
a feature could be added to Exim to set that from the config; that in turn
could use, on the backend Exim, info added to the message by private agreement
with the frontend (eg. an A-R header).

OR:
you could use the SA feature "ignore_received_spf_header", do the SPF checks on the
frontend, and add that header to transfer the info.

you could use the rspamd feature https://www.rspamd.com/doc/modules/external_relay.html

OR:
you could just run SA on the frontend

--
Cheers,
Jeremy


Re: Proxy smtp connections to multiple Exim servers behind proxy
On Sun, 16 Apr 2023, Jeremy Harris via Exim-users wrote:

> On 15/04/2023 23:31, Sebastian Arcus via Exim-users wrote:
>>> you might be able to use cutthrough delivery from the front-end to the
>>> real server, which might allow you to reject rather than bounce some of
>>> the time; it might even help with your SPF dilemma ?
>>
>> That was my intention - so that the back-end machines can verify if the
>> recipient exists. Are you saying that when using cutthrough delivery, this
>> doesn't add an extra header to the email message - so this way it wouldn't
>> mess up the SPF checks on the back-end machine
>
> No. A Received: header is always added, cutthrough or store-and-forward.
>
>> (I was assuming that the front-end machine would add another header to the
>> incoming email, which would make it appear to be one of the sending servers
>> - which I then assumed would fail the SPF checks on the back-end machines)
>
> (The original) SA presumably relies on Received: headers to get the sending
> IP; there's
> no setting in the API being used to call it.
>
> The RSPAMD variant call does, however - so if there were enough call for it
> a feature could be added to Exim to set that from the config; that in turn
> could use on the backend Exim info added to the message by private agreement
> with the
> frontend (eg. an A-R header).
>
> OR:
> you could use the SA feature "ignore_received_spf_header", do the SPF checks
> on the
> frontend, and add that header to transfer the info
>
> you could use the rspamd feature
> https://www.rspamd.com/doc/modules/external_relay.html

OR:
I think ARC (RFC8617) is supposed to help here.
If your backend trusts the frontend machine (an explicit choice you make),
SPF/DKIM/DMARC passed on the frontend
and the ARC headers in mail received from the frontend are correctly signed,
then the backend will accept the message "because ARC".

> OR:
> you could just run SA on the frontend

Probably the simplest option.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Proxy smtp connections to multiple Exim servers behind proxy
On 2023-04-15, Sebastian Arcus via Exim-users <exim-users@exim.org> wrote:
> I have a number of Exim servers behind a NAT gateway (actually connected
> with vpn's to a cloud vps - but I'm hoping this is not relevant to this
> post). I would like the gateway to send incoming port 25 traffic to the
> correct Exim server based on SNI in incoming TLS packets - as different
> Exim instances serve different email domains. The setup would look like
> this:
>
> [Internet]
> |
> |
> (smtp port 25)
> |
> v
> |
> [Cloud server]
> |
> v
> |
> ----------------------------------------
> | | |
> | | |
> [Exim server 1] [Exim server 2] [Exim server 3]
>
>
> I would have preferred to do this at IP tables level - but apparently
> not really possible. It seems the next option would be HAProxy. Has
> anyone here used HAProxy or run a setup as above, or know if this is
> actually doable? Any suggestions much appreciated.

The picture above is possible but does not match the description above that.

SNI won't tell you anything until some time after the client says
STARTTLS, so HAPROXY won't be able to route based on SNI, unless you
can teach it SMTP.

--
Jasen.
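An added illustration of Jeremy's and Jasen's point (my own code, not from the thread and not HAProxy's): the first bytes on port 25 are ESMTP text, so a router that only looks for SNI sees nothing until it has itself answered EHLO and STARTTLS; the name arrives only in the TLS ClientHello that follows. The parser below is what such a router would need at that moment; the ClientHello is generated offline with Python's ssl module, and mail.company1.com is a constructed name.

```python
import ssl


def client_hello(server_name: str) -> bytes:
    """Constructed test input: a real TLS ClientHello carrying SNI, produced
    offline by Python's ssl module. On port 25 the client sends this only
    after EHLO, STARTTLS and the server's 220 reply have gone over the wire."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; no server answer is needed here
    return outgoing.read()


def extract_sni(data: bytes):
    """Return the SNI host name from a complete TLS ClientHello record, or
    None when the bytes are not (yet) one: too short, not a handshake
    record, or plain ESMTP text such as b'EHLO ...'."""
    if len(data) < 5 or data[0] != 0x16:            # record type 22 = handshake
        return None
    rec_len = int.from_bytes(data[3:5], "big")
    if len(data) < 5 + rec_len:
        return None                                  # record not fully received
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 1:                    # handshake type 1 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                 # client_version + random
        pos += 1 + body[pos]                         # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:                        # walk the extensions
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:                        # 0 = server_name
                continue
            p = 2                                    # skip ServerNameList length
            while p + 3 <= len(ext):
                name_len = int.from_bytes(ext[p + 1:p + 3], "big")
                if ext[p] == 0:                      # name_type 0 = host_name
                    return ext[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
    except IndexError:
        return None                                  # truncated or malformed
    return None
```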
