Fix authentication submission

Don't talk haproxy to postfix; it's more headaches than it is currently worth.
2024-12-12 10:45:38 +02:00 · 2023-01-03 15:57:57 +01:00 · 2023-01-03 15:57:57 +01:00 · 4d80c95c41
commit 4d80c95c41
parent bba6c5bb88
3 changed files with 13 additions and 5 deletions
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@ -292,9 +292,6 @@ mail {
    pop3_capabilities TOP UIDL RESP-CODES PIPELINING AUTH-RESP-CODE USER;
    imap_capabilities IMAP4 IMAP4rev1 UIDPLUS SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+;

-    # ensure we talk HAPROXY protocol to the backends
-    proxy_protocol on;
-
    # Default SMTP server for the webmail (no encryption, but authentication)
    server {
      listen 10025;
@ -309,6 +306,8 @@ mail {
      protocol imap;
      smtp_auth plain;
      auth_http_header Auth-Port 10143;
+      # ensure we talk HAPROXY protocol to the backends
+      proxy_protocol on;
    }

    # SMTP is always enabled, to avoid losing emails when TLS is failing
@ -343,6 +342,8 @@ mail {
      protocol imap;
      imap_auth plain;
      auth_http_header Auth-Port 143;
+      # ensure we talk HAPROXY protocol to the backends
+      proxy_protocol on;
    }

    server {
@ -354,6 +355,8 @@ mail {
      protocol pop3;
      pop3_auth plain;
      auth_http_header Auth-Port 110;
+      # ensure we talk HAPROXY protocol to the backends
+      proxy_protocol on;
    }

    server {
@ -382,6 +385,8 @@ mail {
      protocol imap;
      imap_auth plain;
      auth_http_header Auth-Port 993;
+      # ensure we talk HAPROXY protocol to the backends
+      proxy_protocol on;
    }

    server {
@ -390,6 +395,8 @@ mail {
      protocol pop3;
      pop3_auth plain;
      auth_http_header Auth-Port 995;
+      # ensure we talk HAPROXY protocol to the backends
+      proxy_protocol on;
    }
    {% endif %}
    {% endif %}
--- a/core/postfix/conf/master.cf
+++ b/core/postfix/conf/master.cf
@ -2,10 +2,10 @@
 #               (yes)   (yes)   (yes)   (never) (100)

 # Exposed SMTP service
-smtp      inet  n       -       n       -       1       postscreen
+smtp      inet  n       -       n       -       1       smtpd

 # Internal SMTP service
-10025     inet  n       -       n       -       1       postscreen
+10025     inet  n       -       n       -       1       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_discard_ehlo_keywords=pipelining
  -o smtpd_client_restrictions=$check_ratelimit,reject_unlisted_sender,reject_authenticated_sender_login_mismatch,permit
--- a/towncrier/newsfragments/2608.fix
+++ b/towncrier/newsfragments/2608.fix
@ -0,0 +1 @@
+Don't talk haproxy to postfix yet.