Pfsense (HAproxy as reverse proxy) -> Unraid

I run postfix on a Debian Bullseye VM (under Unraid) on my home server. It is up and running. I can send mail out but can't receive any incoming mail. I'm wondering whether I've set a wrong host name or not. On my home local network, I can access my Debian server as either debiantest or debiantest.local.

When installing Debian, I input hostname “debiantest”, domain “mydomain.com”.

My MX record at Cloudflare for "mydomain.com" is mail.mydomain.com.

In postfix main.cf, I tried specifying the hostname as debiantest, debiantest.local, and debiantest.mydomain.com. Same results, i.e. I can't receive any mail, but can send mail out.

Any suggestions are welcome.

1 Answer

It doesn't matter whether it is behind haproxy or not. The postfix configuration will be exactly the same.

The exact choice of mail exchanger hostname is relatively free; what's important is that it should be the publicly resolvable hostname (e.g. in the domain you registered, e.g. mymailserver.example.org, certainly not ending with "local" or anything else like this). This hostname should in general be specified in the MX record for the domain, and it should resolve (for external servers) to the external IP (which eventually leads to haproxy). The reverse record (PTR) for that IP should lead back to this hostname.

When Postfix goes out to the internet it also should use this same IP, so other servers will see things coherently: a connection made from an IP which points to a name, which leads back to this IP, and which the server also specifies in its EHLO. This will greatly increase your chances of not being rejected as a misconfigured server or as a spammer.

This hostname should be configured as myhostname in Postfix's main.cf.

I don't see much benefit in using haproxy in front of public mail exchangers. Postfix is secure and robust enough to be on the bastion frontline itself; it doesn't need the kind of external protection haproxy can offer. It's much easier to make a service highly available for external servers by simply having two (or more) different mail exchangers and MX records for the domain (and that will certainly be more robust than any setup you can create with haproxy, simply because it requires fewer moving parts).

It could however be reasonable to load balance the submission service for your own clients. Anyway, if you have reached the scale where you really need this, you will have a bunch of mail servers split by function (some machines do reception from external, some run the submission service, some run the IMAP service, some the web service, and so on), and in that case, to suggest a concrete configuration, we need to know which kind of server you are going to set up.

  • Thanks for your detailed explanation. I have to host postfix behind HAproxy because my server is behind PfSense+HAProxy. I've set the hostname as mail.mydomain.com, but incoming mail still did not come through, i.e., no movement on the postfix side. Just realized I did not add a rule on my pfSense firewall to allow port 25 through. Now my postfix can receive all incoming mail. Commented Jan 14, 2023 at 2:06
  • I actually self-host the Simplelogin alias mail forwarding service on my server. It utilizes postfix as a mail server. Now even though the mail.log file shows postfix has successfully forwarded to my Yahoo or Gmail accounts, both mail providers seem to block those mails. All those forwarded mails show as successfully accepted for delivery by both the Yahoo and Gmail servers, but they did not show up in my inbox or spam box. Commented Jan 14, 2023 at 2:07
  • I think your requirement makes no sense. If pfSense is not able to pass port 25 traffic directly to Postfix without involving haproxy, it is nothing more than a sophisticated toy that shouldn't be used in a production environment. In your case this makes you master the mail exchanger skill. Don't try to embrace all the concepts simultaneously. // Please ask an independent question about sending mail. I suppose this could have something to do with misconfigured DNS: PTR record, SPF, DKIM, DMARC. Commented Jan 14, 2023 at 8:54
  • I didn't say my pfSense is not able to pass port 25 traffic directly to Postfix. I just said I have HAproxy there too, in case there is anything I'm not aware of that may need to be done for my setup. HAproxy is acting as my reverse proxy for other web applications I host on my only home server (unraid). The SPF, DKIM, DMARC entries on my DNS (on Cloudflare) are correctly set up according to the Simplelogin instructions: v=DKIM1; k=rsa; p=...PUBLIC_KEY... / v=spf1 mx ~all / v=DMARC1; p=quarantine; adkim=r; aspf=r Commented Jan 15, 2023 at 3:15
  • HTTP reverse proxy is a natural job for HAproxy. It does it extremely well and it's worth it. On the other hand, load balancing on TCP (which is the only possible way to put it ahead of Postfix) is not a primary mode of its intended operation, and, as I explained, it easily could make things worse. The fact that a solution excels in one kind of job doesn't automatically mean it will excel anywhere else. Let it work as a reverse proxy, but leave the MX to the software which knows how to do it and keep it away from HAproxy. Commented Jan 15, 2023 at 15:20
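The answer describes a chain that external servers check: the domain's MX names a host, that host's A record gives an IP, the PTR of that IP points back to the host, the outbound IP is the same one, and Postfix announces the same name in EHLO (myhostname). The script below is an added example, not code from the question, the answer or any project mentioned; it walks that chain over a constructed in-memory DNS table so it runs offline, and reports every inconsistency instead of stopping at the first. Hostnames, mydomain.com and the 203.0.113.0/24 addresses are placeholders; to test a live setup, replace the SAMPLE_DNS lookups with real resolver queries.

```python
"""Check that a Postfix myhostname, the domain's MX record, the A record,
the PTR record and the outbound IP all agree (forward-confirmed reverse DNS
plus EHLO consistency). DNS data is a constructed table, not live lookups."""

# Constructed sample DNS data (hypothetical). mydomain.com is the
# placeholder from the question; 203.0.113.10 is documentation address space.
SAMPLE_DNS = {
    "MX": {"mydomain.com.": ["mail.mydomain.com."]},
    "A": {"mail.mydomain.com.": ["203.0.113.10"]},
    "PTR": {"203.0.113.10": ["mail.mydomain.com."]},
}

# Suffixes that are never publicly resolvable; the answer singles out "local".
NON_PUBLIC_TLDS = ("local", "localdomain", "lan", "home", "internal")


def fqdn(name: str) -> str:
    """Normalise a hostname to lower case with a trailing dot, DNS style."""
    return name.strip().lower().rstrip(".") + "."


def check_mx_coherence(myhostname: str, domain: str, outbound_ip: str,
                       dns: dict = SAMPLE_DNS) -> list:
    """Return a list of human-readable problems; an empty list means the
    hostname, MX, A, PTR and outbound IP are coherent."""
    problems = []
    host = fqdn(myhostname)
    labels = host.rstrip(".").split(".")

    # 1. myhostname must be a multi-label name in a public domain.
    if len(labels) < 2 or labels[-1] in NON_PUBLIC_TLDS:
        problems.append(f"{myhostname}: not a publicly resolvable FQDN")
        return problems  # nothing further can be resolved from such a name

    # 2. The name should be what the domain's MX record points at.
    mx_targets = [fqdn(t) for t in dns["MX"].get(fqdn(domain), [])]
    if host not in mx_targets:
        problems.append(f"{host} is not an MX target of {domain} (MX: {mx_targets})")

    # 3. The name must resolve to the external IP.
    addrs = dns["A"].get(host, [])
    if not addrs:
        problems.append(f"{host} has no A record")
        return problems  # PTR and outbound checks need an address

    # 4. Outbound connections must come from that same IP.
    if outbound_ip not in addrs:
        problems.append(f"outbound IP {outbound_ip} differs from A record {addrs}")

    # 5. The PTR of each address must lead back to the name.
    for ip in addrs:
        ptr_names = [fqdn(n) for n in dns["PTR"].get(ip, [])]
        if host not in ptr_names:
            problems.append(f"PTR for {ip} is {ptr_names or 'missing'}, expected {host}")
    return problems


if __name__ == "__main__":
    # The candidate names from the question, plus the one the MX record names.
    for name in ("debiantest", "debiantest.local",
                 "debiantest.mydomain.com", "mail.mydomain.com"):
        result = check_mx_coherence(name, "mydomain.com", "203.0.113.10")
        print(f"{name:26} -> {result or 'OK'}")
```

Of the four candidates, only mail.mydomain.com passes against the sample table, which matches the answer's point that the MX target, not the machine's LAN name, belongs in myhostname (on Debian, `postconf -e 'myhostname = mail.mydomain.com'` followed by a Postfix reload sets it). The PTR record is the piece a home user usually cannot set on Cloudflare: it belongs to whoever owns the IP, so if the ISP controls it this check will keep failing regardless of the zone file.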
