[Feature] Add HAProxy listeners and an example override file

2020-07-04 19:30:40 +02:00 · 2020-07-04 19:30:40 +02:00 · 0cfdd763f8
parent e40a0eae01
commit 0cfdd763f8
3 changed files with 55 additions and 0 deletions
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@ -312,10 +312,28 @@ service imap-login {
  process_limit = 10000
  vsz_limit = 1G
  user = dovenull
+  inet_listener imap_haproxy {
+    port = 10143
+    haproxy = yes
+  }
+  inet_listener imaps_haproxy {
+    port = 10993
+    ssl = yes
+    haproxy = yes
+  }
 }
 service pop3-login {
  service_count = 1
  vsz_limit = 1G
+  inet_listener pop3_haproxy {
+    port = 10110
+    haproxy = yes
+  }
+  inet_listener pop3s_haproxy {
+    port = 10995
+    ssl = yes
+    haproxy = yes
+  }
 }
 service imap {
  executable = imap imap-postlogin
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@ -1,5 +1,8 @@
 # inter-mx with postscreen on 25/tcp
 smtp       inet  n       -       n       -       1       postscreen
+10025      inet  n       -       n       -       1       postscreen
+  -o postscreen_upstream_proxy_protocol=haproxy
+  -o syslog_name=haproxy
 smtpd      pass  -       -       n       -       -       smtpd
  -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
  -o smtpd_sasl_auth_enable=no
@ -13,6 +16,13 @@ smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o syslog_name=postfix/smtps
+10465    inet  n       -       n       -       -       smtpd
+  -o smtpd_upstream_proxy_protocol=haproxy
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+  -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
+  -o tls_preempt_cipherlist=yes
+  -o syslog_name=postfix/smtps-haproxy

 # smtpd with starttls on 587/tcp
 # TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf
@ -23,6 +33,14 @@ submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o syslog_name=postfix/submission
+10587      inet n       -       n       -       -       smtpd
+  -o smtpd_upstream_proxy_protocol=haproxy
+  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+  -o smtpd_enforce_tls=yes
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
+  -o tls_preempt_cipherlist=yes
+  -o syslog_name=postfix/submission-haproxy

 # used by SOGo
 # smtpd_sender_restrictions should match main.cf, but with check_sasl_access prepended for login-as-mailbox-user function
--- a/helper-scripts/docker-compose.override.yml.d/HAPROXY/docker-compose.override.yml
+++ b/helper-scripts/docker-compose.override.yml.d/HAPROXY/docker-compose.override.yml
@ -0,0 +1,19 @@
+##
+## Set haproxy_trusted_networks in Dovecots extra.conf!
+#ä
+
+version: '2.1'
+services:
+
+    dovecot-mailcow:
+      ports:
+        - "${IMAP_PORT_HAPROXY:-127.0.0.1:10143}:10143"
+        - "${IMAPS_PORT_HAPROXY:-127.0.0.1:10993}:10993"
+        - "${POP_PORT_HAPROXY:-127.0.0.1:10110}:10110"
+        - "${POPS_PORT_HAPROXY:-127.0.0.1:10995}:10995"
+
+    postfix-mailcow:
+      ports:
+        - "${SMTP_PORT_HAPROXY:-127.0.0.1:10025}:10025"
+        - "${SMTPS_PORT_HAPROXY:-127.0.0.1:10465}:10465"
+        - "${SUBMISSION_PORT_HAPROXY:-127.0.0.1:10587}:10587"