
razertechDE

New Pleskian
Hello all,

We currently have the situation that we need to put our Plesk server behind an HAProxy.

Getting the "real IP" for the webserver was easy, but I am currently stuck with the mail service.
IMAP is already working; only the mail sending fails.

I have evaluated the logs and get the following messages (/var/log/maillog):
Bash:
Jun 17 18:08:10 PLESK postfix/10465/smtpd[79552]: connect from pffffffd1.fip2.ipconnect.de[XX.XXX.XXX.XXX]
Jun 17 18:08:10 PLESK plesk_saslauthd[79553]: listen=6, status=5, dbpath='/plesk/passwd.db', keypath='/plesk/passwd_db_key', chroot=1, unprivileged=1
Jun 17 18:08:10 PLESK plesk_saslauthd[79553]: privileges set to (104:109) (effective 104:109)
Jun 17 18:08:20 PLESK postfix/10465/smtpd[79552]: fatal: no SASL authentication mechanisms
Jun 17 18:08:20 PLESK plesk_saslauthd[79553]: client unexpected error: client unexpectedly closed connection
Jun 17 18:08:21 PLESK postfix/master[79540]: warning: process /usr/lib/postfix/sbin/smtpd pid 79552 exit status 1
Jun 17 18:08:21 PLESK postfix/master[79540]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
Jun 17 18:08:51 PLESK plesk_saslauthd[79553]: select timeout, exiting

The corresponding services look as below (/etc/postfix/master.cf):
Bash:
192.168.X.XX:2525      inet  n       -       -       -       1       postscreen
  -o postscreen_upstream_proxy_protocol=haproxy
  -o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache
  -o syslog_name=postfix/2525

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

192.168.X.XX:10587 inet n - n - - smtpd status=5 listen=6 dbpath=/plesk/passwd.db
-o syslog_name=postfix/10587
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=no
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=/var/spool/postfix/private/plesk_saslauthd
-o smtpd_upstream_proxy_protocol=haproxy

192.168.X.XX:10465 inet n - n - - smtpd
-o syslog_name=postfix/10465
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=/var/spool/postfix/private/plesk_saslauthd
-o smtpd_upstream_proxy_protocol=haproxy

And regarding the HAProxy Server, the configuration looks like this:
NGINX:
listen imap
    bind *:143
    mode tcp
    stick store-request src
    stick-table type ip size 200k expire 30m
    server plesk 192.168.X.XX:10143 send-proxy-v2

listen imaps
    bind *:993
    mode tcp
    stick store-request src
    stick-table type ip size 200k expire 30m
    server plesk 192.168.X.XX:10993 send-proxy-v2

listen smtp
    bind *:25
    mode tcp
    timeout client 1m
    timeout server 1m
    timeout connect 7s
    log global
    option tcplog
    server plesk 192.168.X.XX:2525 send-proxy

listen submission
    bind *:587
    mode tcp
    timeout client 1m
    timeout server 1m
    timeout connect 7s
    log global
    option tcplog
    server plesk 192.168.X.XX:10587 send-proxy

listen smtps
    bind *:465
    mode tcp
    timeout client 1m
    timeout server 1m
    timeout connect 7s
    log global
    option tcplog
    server plesk 192.168.X.XX:10465 send-proxy

It seems that SASL authentication is not working.
The authentication seems to be very customized for Plesk.

Does anyone have an idea?

Many thanks in advance &
kind regards
 
Okay, so I figured something out.

I just removed my custom entries:
Bash:
192.168.X.XX:2525      inet  n       -       -       -       1       postscreen
  -o postscreen_upstream_proxy_protocol=haproxy
  -o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache
  -o syslog_name=postfix/2525

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

192.168.X.XX:10587 inet n - n - - smtpd status=5 listen=6 dbpath=/plesk/passwd.db
-o syslog_name=postfix/10587
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=no
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=/var/spool/postfix/private/plesk_saslauthd
-o smtpd_upstream_proxy_protocol=haproxy

192.168.X.XX:10465 inet n - n - - smtpd
-o syslog_name=postfix/10465
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=/var/spool/postfix/private/plesk_saslauthd
-o smtpd_upstream_proxy_protocol=haproxy

And just left it at the Plesk default.
The only thing I added to each service was:
-o smtpd_upstream_proxy_protocol=haproxy

Since then, I am able to send the mails.
The only problem left is that the mails do not reach the other MTA.

I can see this in the maillog:
Bash:
Jun 19 11:02:17 PLESK postfix/smtp[19641]: connect to XXXXXX.de[XXX.XX.XX.XXX]:25: Connection timed out
Jun 19 11:02:17 PLESK postfix/smtp[19640]: 330FA120021: to=<[email protected]>, relay=none, delay=75913, delays=75883/0.01/30/0, dsn=4.4.1, status=deferred (connect to XXXXXXXX.de[XXX.XX.XX.XXX]:25: Connection timed out)

So I think the problem is now with the communication between the MTAs.

Does anyone have an idea?

Many thanks
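The two maillog excerpts in this thread show the three things worth checking once Postfix sits behind HAProxy: whether the "connect from" lines carry the real client address (if they show the proxy's own address, the PROXY header is not being applied on that service), whether an smtpd service dies at startup with "fatal: no SASL authentication mechanisms" and gets throttled by master, and which outbound deliveries are being deferred on connect timeouts. The triage script below is an added example written for this thread, not code from the original poster or from Plesk; the log lines it runs over are constructed in the style of the excerpts above with documentation addresses, and the proxy address 192.168.10.2 is an assumed placeholder for the HAProxy host.

```python
import re

# Constructed sample lines modelled on the maillog excerpts in this thread
# (hostnames and addresses are documentation placeholders, not real hosts).
SAMPLE_MAILLOG = """\
Jun 17 18:08:10 PLESK postfix/10465/smtpd[79552]: connect from client.example[203.0.113.10]
Jun 17 18:08:20 PLESK postfix/10465/smtpd[79552]: fatal: no SASL authentication mechanisms
Jun 17 18:08:21 PLESK postfix/master[79540]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling
Jun 17 18:09:02 PLESK postfix/10587/smtpd[79600]: connect from unknown[192.168.10.2]
Jun 17 18:09:30 PLESK postfix/smtpd[79610]: connect from mail.example.org[198.51.100.7]
Jun 19 11:02:17 PLESK postfix/smtp[19641]: connect to mx.example.net[198.51.100.25]:25: Connection timed out
Jun 19 11:02:17 PLESK postfix/smtp[19640]: 330FA120021: to=<user@example.net>, relay=none, delay=75913, delays=75883/0.01/30/0, dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.25]:25: Connection timed out)
"""

# "postfix/10465/smtpd[pid]: connect from host[ip]": the middle component is the
# syslog_name suffix set per service in master.cf; plain "postfix/smtpd" is the
# default smtp service on port 25.
CONNECT_RE = re.compile(
    r"postfix/(?:(?P<svc>[^/\[\s]+)/)?smtpd\[\d+\]: connect from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
)
# Outbound delivery attempt logged by the smtp client with a queue id and DSN.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, .*dsn=(?P<dsn>[0-9.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
MX_RE = re.compile(r"connect to (?P<mx>[^\[]+)\[")

SASL_FATAL = "fatal: no SASL authentication mechanisms"
THROTTLE = "bad command startup -- throttling"


def triage(log_text, proxy_addrs):
    """Summarise a maillog excerpt.

    proxy_addrs: the HAProxy host address(es) as Postfix sees them. A
    'connect from' that reports one of these means the PROXY header was not
    applied on that service, so the real client address (and with it
    permit_mynetworks / rate limiting decisions) is wrong.
    """
    report = {
        "connections": [],  # (service, client ip) for every inbound connection
        "unproxied": [],    # services on which the proxy address leaked through
        "sasl_fatal": 0,    # smtpd exited because no SASL mechanisms were offered
        "throttled": 0,     # master throttled a service after repeated startup failures
        "deferred": [],     # (queue id, remote MX, dsn) for outbound delivery failures
    }
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            svc = m.group("svc") or "smtp"
            report["connections"].append((svc, m.group("ip")))
            if m.group("ip") in proxy_addrs:
                report["unproxied"].append((svc, m.group("ip")))
            continue
        if SASL_FATAL in line:
            report["sasl_fatal"] += 1
        elif THROTTLE in line:
            report["throttled"] += 1
        m = DELIVERY_RE.search(line)
        if m and m.group("status") == "deferred":
            mx = MX_RE.search(m.group("reason"))
            report["deferred"].append((m.group("qid"), mx.group("mx") if mx else None, m.group("dsn")))
    return report


if __name__ == "__main__":
    # Assumed: 192.168.10.2 is the internal address of the HAProxy box.
    for key, val in triage(SAMPLE_MAILLOG, {"192.168.10.2"}).items():
        print(f"{key}: {val}")
```

Run it against the real file with `triage(open("/var/log/maillog").read(), {"<haproxy internal ip>"})`; a non-empty `unproxied` list pinpoints the master.cf service that is still missing `smtpd_upstream_proxy_protocol=haproxy`, while `deferred` entries with relay timeouts point at the outbound path (routing or egress firewall) rather than at the proxy.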
 
When I try to send an e-mail over port 587, it doesn't work at all.
I think that is somehow where the problem is.

Maybe something with TLS...

UPDATE:
Connecting via TLS with bash is working now.

I had to add:
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
to each service in HAProxy.

But the timeout regarding the other MTA is still there.
 
UPDATE:
Got it!

So that I never struggle with this again, I've written myself some documentation.

Maybe it is also useful for someone:

HAProxy configuration:
listen imap
bind *:143
mode tcp
option tcplog
timeout client 1m
timeout server 1m
timeout connect 7s
stick store-request src
stick-table type ip size 200k expire 30m
server plesk <PLESK SERVER IP>:10143 send-proxy-v2

listen imaps
bind *:993
mode tcp
option tcplog
timeout client 1m
timeout server 1m
timeout connect 7s
stick store-request src
stick-table type ip size 200k expire 30m
server plesk <PLESK SERVER IP>:10993 send-proxy-v2

listen smtp
bind *:25
mode tcp
option tcplog
timeout client 1m
timeout server 1m
timeout connect 7s
tcp-request inspect-delay 10ms
tcp-request content accept if { req_ssl_hello_type 1 }
server plesk <PLESK SERVER IP>:2525 send-proxy

listen submission
bind *:587
mode tcp
timeout client 1m
timeout server 1m
timeout connect 7s
tcp-request inspect-delay 10ms
tcp-request content accept if { req_ssl_hello_type 1 }
log global
server plesk <PLESK SERVER IP>:10587 send-proxy

listen smtps
bind *:465
mode tcp
timeout client 1m
timeout server 1m
timeout connect 7s
log global
tcp-request inspect-delay 10ms
tcp-request content accept if { req_ssl_hello_type 1 }
server plesk <PLESK SERVER IP>:10465 send-proxy


Now on the Plesk host:
Enable port 587 in the Plesk management interface:

[screenshot of the Plesk mail settings omitted]

Add a new file /etc/dovecot/conf.d/01-haproxy.conf containing:
service imap-login {
  inet_listener imap_haproxy {
    port = 10143
    haproxy = yes
  }
  inet_listener imaps_haproxy {
    port = 10993
    ssl = yes
    haproxy = yes
  }
}

Now add the following entries to /etc/dovecot/dovecot.conf:
haproxy_trusted_networks = <PLESK SERVER NETWORK (VM NETWORK)>
haproxy_timeout = 3s

Now edit the entries in /etc/postfix/main.cf to (this can also be done directly via Plesk):
mynetworks = <PLESK SERVER DEFAULT GATEWAY NETWORK>, <PLESK SERVER NETWORK (VM NETWORK)>
inet_interfaces = all

Now add the following entries directly at the top of /etc/postfix/master.cf:

<PLESK SERVER IP>:2525 inet n - - - 1 postscreen
-o postscreen_upstream_proxy_protocol=haproxy
-o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache
-o syslog_name=postfix/2525


Uncomment the following entries in /etc/postfix/master.cf
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy

Now add the following entries at the end of /etc/postfix/master.cf:

<PLESK SERVER IP>:10465 inet n - y - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

<PLESK SERVER IP>:10587 inet n - y - - smtpd
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

Now edit the Plesk-generated line within /etc/postfix/master.cf (!! MOST IMPORTANT PART FOR US !!):

From:

plesk-<PLESK SERVER IP>- unix - - n - - smtp -o smtp_bind_address=<PLESK SERVER IP> -o smtp_bind_address6= -o smtp_address_preference=ipv4
To:
plesk-<PLESK SERVER IP>- unix - - n - - smtp -o smtp_bind_address6= -o smtp_address_preference=ipv4

Why is this the most important part? Because when leaving it at the default, the service is forced to communicate via <PLESK SERVER IP>, but in our setup we need to communicate via our default gateway, not the "VM network". Therefore we need to remove the binding.
So this only concerns you if you also run a two-interface setup.


At the end, restart dovecot and postfix. DONE!
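The whole setup above hinges on the PROXY protocol: HAProxy's `send-proxy` prepends a one-line text header (v1) and `send-proxy-v2` a binary header to each forwarded connection, and the Postfix (`smtpd_upstream_proxy_protocol=haproxy`) and Dovecot (`haproxy = yes`) listeners read that header before they do anything else. Two consequences matter operationally: a plain `telnet` to 10587 or 10465 appears to hang, because the listener sends no banner until it has received a header, and any peer that can reach those ports can supply whatever client address it likes, which is why Dovecot's `haproxy_trusted_networks` exists and why the 2525/10465/10587/10143/10993 ports must only be reachable from the HAProxy host. The following is an added example, not code from the original poster, Plesk, HAProxy or Postfix: it builds both header forms, parses v1 strictly, and offers a banner check meant to be run from the HAProxy host itself to confirm a backend listener really consumes the header. Host, port and the 203.0.113.10 client address in `banner_via_proxy` are assumed placeholders.

```python
import ipaddress
import socket
import struct

# PROXY protocol v2 constants from HAProxy's proxy-protocol.txt specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION_PROXY = 0x21  # high nibble: version 2, low nibble: command PROXY
PP2_TCP4 = 0x11           # AF_INET, SOCK_STREAM
PP2_TCP6 = 0x21           # AF_INET6, SOCK_STREAM


def proxy_v1_header(src_ip, src_port, dst_ip, dst_port):
    """Text header as emitted by HAProxy's `send-proxy` (v1)."""
    fam = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def proxy_v2_header(src_ip, src_port, dst_ip, dst_port):
    """Binary header as emitted by `send-proxy-v2` (used for the IMAP listeners above)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families must match")
    fam = PP2_TCP6 if src.version == 6 else PP2_TCP4
    # Address block: src addr, dst addr, src port, dst port (network byte order).
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + bytes([PP2_VERSION_PROXY, fam]) + struct.pack("!H", len(addrs)) + addrs


def parse_proxy_v1(data):
    """Parse a v1 header from the start of a byte stream.

    Returns ((src_ip, src_port, dst_ip, dst_port), remaining_bytes). Anything
    that is not a well-formed TCP4/TCP6 line is rejected (including the
    spec's 'PROXY UNKNOWN' form) so raw SMTP/IMAP traffic is never mistaken
    for a proxy line and no unverified address is ever trusted.
    """
    end = data.find(b"\r\n")
    if end < 0 or end > 107:  # a v1 line is at most 107 bytes including CRLF
        raise ValueError("no PROXY v1 line")
    parts = data[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    expected = 6 if parts[1] == "TCP6" else 4
    if src.version != expected or dst.version != expected:
        raise ValueError("address family does not match the addresses")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport, str(dst), dport), data[end + 2:]


def banner_via_proxy(backend_host, backend_port, client_ip="203.0.113.10", timeout=5.0):
    """Run from the HAProxy host: open a backend listener, send a v1 header and
    return the banner. A listener with smtpd_upstream_proxy_protocol=haproxy
    (or Dovecot haproxy=yes) stays silent until the header arrives, so a
    missing banner means the service is not reading PROXY headers; the
    address that then shows up in 'connect from' in maillog should be
    client_ip, proving the header is applied. client_ip is a placeholder."""
    with socket.create_connection((backend_host, backend_port), timeout=timeout) as s:
        local_ip, local_port = s.getsockname()[:2]
        s.sendall(proxy_v1_header(client_ip, 40000, local_ip, local_port))
        return s.recv(512).decode("latin-1", "replace").strip()


if __name__ == "__main__":
    hdr = proxy_v1_header("203.0.113.10", 40000, "192.168.1.5", 10587)
    print(hdr)
    print(parse_proxy_v1(hdr + b"EHLO client.example\r\n"))
    print(proxy_v2_header("203.0.113.10", 40000, "192.168.1.5", 10993).hex())
```

Use `banner_via_proxy("<PLESK SERVER IP>", 10587)` from the proxy box after the master.cf change and then confirm in /var/log/maillog that the logged client address is the one supplied in the header, not the proxy's; if the same call succeeds from any other machine, the port is reachable by hosts that can spoof client addresses and needs a firewall rule.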
 