Solved

How to properly send e-mails behind a HAProxy LAN server pool?

Posted on 2015-01-11
Last Modified: 2015-12-10
Hey everyone,
I noticed when I send out emails through PHP or through the server's console the e-mails are sent out from the firewall's public IP.

Current setup is:
1 juniper firewall
2 haproxy servers (load balancers, active/backup)
4 virtual servers (each site)

The firewall's public side is: 70.x.x.10, and the LAN IP is 10.0.1.1 and also 10.0.50.1
Both haproxy servers have a public NIC and private NIC
All the virtual servers (running CentOS 6.5 Linux) have 1 NIC configured with a LAN IP address (10.0.1.x and 10.0.50.x), gateway matches the subnet.
The hostname for each server is a FQDN pointing to the site's Public IP.

All traffic is directed to the HAProxy IP (site specific), where it has a pool of 4 LAN IP (servers) per site.
The actual e-mail accounts are not hosted on these virtual servers, they are either on gmail servers or another provider.

Problem:
When sending out an e-mail from any virtual server, the "client-ip" and "Received: from" in the e-mail's header is the firewall's public IP, 70.x.x.10, which makes sense because traffic only comes in through HAProxy but doesn't go out through it.
sendmail is installed and running with the default configuration, no changes so far.

I would like suggestions on what I can do to have the e-mail headers list the actual website's IP address and not the firewall's public IP for every site. I'm researching sendmail options, but still nothing.

Hopefully I made it clear. Let me know your thoughts. Thank you very much in advance!
Question by:rr100
13 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 40544494
You need to add to your PHP code an X-header to record the information you want, i.e. a hashed website/username (this way you can identify it, but to anyone else it will be meaningless). Do not play with Received: as it will be clear that they are inconsistent.
 
LVL 2

Author Comment

by:rr100
ID: 40544505
arnold, thanks, but I'm not sure that's the way I'm looking at this. At the moment the server is on a LAN, so all traffic is going out through the firewall's public IP; I would like to somehow configure sendmail or postfix to send every email from a different IP (the website's public IP). Hard-coding headers in PHP can't be a solution because the server's command line wouldn't be affected by it. Now, if the MTA is configured to route through a different IP, I think that would work, but I would need suggestions on how to do that, or on whether there's a better way of making this happen. But thanks for now!
 
LVL 76

Expert Comment

by:arnold
ID: 40544520
You would need to configure masquerade, but that will complicate your PHP.
A website is not a mail source, such that it is technically meaningless.

Does the sendmail/postfix system reside on a system that has all the IPs?
 
LVL 2

Author Comment

by:rr100
ID: 40544538
The sendmail/postfix is currently residing on the VM with a LAN IP address of 10.0.1.123; there are 4 VMs with the same setup (sendmail/postfix and a different LAN IP). The HAProxy load balancer is the system that has all the IPs.
I was thinking more of a system-wide configuration and not just for PHP.
 
LVL 76

Expert Comment

by:arnold
ID: 40544580
The origin of the message is only relevant when using domainkeys or SPF, such that your WAN IPs would need to be authorized by the DNS record in SPF, and for domainkeys you would need to also have the public key to decrypt data in the headers for verification.

No one is expecting to receive an email originating from a website.

Your mail servers are the local post office where letters and packages are dropped off.

The only way to achieve what you want is to have each site on its own VM with a local mail server that has smarthost routing out to your central mail server.
The VM name will need to match the name you want reflected in the Received lines.
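An added example, not from this thread or any poster, that shows the two points above on constructed data: first, the X-header idea from arnold's opening comment (an HMAC of the site name in a custom header, so the operator can recover which site sent a message while the Received: chain is left alone); second, what the recipient's MTA actually sees when a LAN-only VM sends through a NATting firewall, and how that visible IP is judged against the domain's SPF record. Every host name, IP, the SPF record, the secret and the header name `X-Origin-Site` are placeholders chosen for this example; the SPF evaluator is an offline subset that handles `ip4:`/`ip6:`/`all` and reports terms needing DNS as `permerror` rather than guessing.

```python
"""Added example: origin tagging plus an offline look at the Received: chain and SPF.
All hosts, addresses, the record and the key below are constructed placeholders."""
import hashlib
import hmac
import ipaddress
import re
from email import message_from_string
from email.message import EmailMessage

TAG_HEADER = "X-Origin-Site"  # header name and keying are this example's choice


def _site_tag(site: str, secret: bytes) -> str:
    return hmac.new(secret, site.encode(), hashlib.sha256).hexdigest()[:32]


def build_tagged_message(site: str, secret: bytes, sender: str, recipient: str) -> EmailMessage:
    """Message carrying the origin tag; the MTAs add the Received: lines themselves."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "notification"
    msg[TAG_HEADER] = _site_tag(site, secret)
    msg.set_content("constructed body")
    return msg


def identify_origin(msg, candidate_sites, secret: bytes):
    """Return the candidate site whose tag matches the header, else None."""
    tag = msg.get(TAG_HEADER)
    if tag is None:
        return None
    for site in candidate_sites:
        if hmac.compare_digest(str(tag), _site_tag(site, secret)):
            return site
    return None


# Constructed headers as the recipient sees them: web1 (LAN-only) connected out
# through the firewall, so the recipient's MX logged the firewall's WAN address
# (placeholder 70.0.0.10), not the VM's own address.
SAMPLE_MESSAGE = (
    "Received: from mail-in.recipient.invalid (localhost [127.0.0.1])\n"
    "\tby mail-in.recipient.invalid with ESMTP id B2; Sun, 11 Jan 2015 12:00:02 +0000\n"
    "Received: from web1.site-a.invalid (unknown [70.0.0.10])\n"
    "\tby mail-in.recipient.invalid with ESMTP id B1; Sun, 11 Jan 2015 12:00:01 +0000\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby web1.site-a.invalid (Postfix) with ESMTP id B0; Sun, 11 Jan 2015 12:00:00 +0000\n"
    "From: noreply@site-a.invalid\nTo: someone@recipient.invalid\nSubject: test\n\nconstructed body\n"
)
SPF_RECORD = "v=spf1 ip4:70.0.0.10 ip4:203.0.113.0/28 -all"  # constructed record
_BRACKET_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def connecting_ip(raw_message: str):
    """IP from the topmost Received: header (last hop first) whose client address is
    neither loopback nor RFC 1918: the address the recipient's MTA saw connecting."""
    for received in message_from_string(raw_message).get_all("Received", []):
        match = _BRACKET_IP.search(received)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue
        if not (ip.is_loopback or ip.is_private):
            return ip
    return None


_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, client_ip) -> str:
    """Offline subset of RFC 7208: ip4:/ip6:/all terms with qualifiers. Terms that
    need DNS (a, mx, include, exists, redirect=) yield 'permerror' instead of a guess."""
    client_ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = ("+", term) if term[0] not in _QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if "=" in name:  # modifier: exp= is ignored, redirect= would need DNS
            if name.startswith("redirect"):
                return "permerror"
            continue
        if name == "all":
            return _QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if client_ip in net:  # membership is False on a v4/v6 mismatch
                return _QUALIFIERS[qualifier]
            continue
        return "permerror"
    return "neutral"


if __name__ == "__main__":
    seen = connecting_ip(SAMPLE_MESSAGE)
    print("recipient saw", seen, "-> SPF", spf_check(SPF_RECORD, seen))
    tagged = build_tagged_message("site-a", b"placeholder-secret", "noreply@site-a.invalid", "someone@recipient.invalid")
    print("origin:", identify_origin(tagged, ["site-a", "site-b"], b"placeholder-secret"))
```

Run stand-alone it reports that the recipient saw 70.0.0.10 and that the constructed SPF record passes it; swap the SPF record for one that lists only the per-site addresses the VMs never actually use, and the same message fails, which is the practical reason the firewall's WAN address, not the VM's, is what has to be in the record for this setup.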
 
LVL 2

Author Comment

by:rr100
ID: 40544620
The SPF is configured with the proper IPs. And I do understand that no one is expecting an email from a website.
So your suggestion would be configuring the sendmail/postfix relay option, if I understood it correctly?
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 40544711
Actually, my suggestion is to leave it alone, but to easily identify the source, add an X header.

I do not believe I understand what/why you are looking at this.

Not sure why you are using the haproxies in a configuration bypassing your firewall.

How many public IPs do you have, and which system has them, firewall or haproxy?

On a Juniper, you can define outgoing mapping, i.e. the reverse side of port/IP forwarding.

I.e. if the source of a packet is 10.0.0.3, the outgoing packet on the WAN side will be 70.x.y.z; for .4 it will be 70.x.z.y.
 
LVL 2

Author Comment

by:rr100
ID: 40545259
arnold, the haproxy servers are just the load balancers that I'm using to balance traffic between 4 different web servers on a LAN. The juniper firewall doesn't come first because it's mainly acting as the LAN router and as the VPN device. I guess you can forget the HAProxies as I mentioned them to describe the setup I'm using.

My issue is that all of these 4 balanced VMs are sending emails from the LAN (because they only have a Private IP), and the email arrives as the Firewall's Public IP, because that's the interface facing the internet. I would like to have a way of configuring sendmail/postfix to change that IP address to one that I specify, instead of me having to add a Public IP Address to each of these VMs.

I had thought about SMTP relay, but not sure if that would do it; I think that would only include the firewall's IP until it reaches the SMTP server, then the person getting the actual e-mail would have the SMTP server's IP in the header and not the firewall's IP.
 
LVL 76

Accepted Solution

by:arnold
arnold earned 500 total points
ID: 40545471
On the Juniper you can map the source IP overwrite in the outgoing policy rule.
Presumably you have a policy that maps incoming port 80 to 10.x.x.y port 80.

I think they were called MIP objects.

The issue is that I do not understand, if you only have one WAN IP, what IP you want the packet to appear from.

How many public IPs does your Juniper have access to? How many public IP/untrust objects/networks does it have?
 
LVL 2

Author Comment

by:rr100
ID: 40545496
arnold, I have 3 different public IP subnets; only one of them is running through the firewall for VPN, and that subnet is a /25. The other IPs are assigned from the switch's public VLAN, so I can't route all the IPs using source NAT (LAN -> WAN) through the firewall, because not all of them pass through the firewall.
 
LVL 76

Expert Comment

by:arnold
ID: 40545549
In order for the outgoing IP on a packet to show up as anything other than the main, lowest firewall WAN IP, your NAT source rule would have to apply.

You can, if you want, try to route the packet through a VPN out the other site's IP.

What is your goal? You can define a source NAT pool and have the mail server IP set there, such that the outgoing IP will be one of the ones in the pool on a random basis.

I will repeat that I do not see what exactly your goal is.

As you noted, most of these have their email provided by others. Your Gmail-based mailing could be rejected as fake, since I believe Gmail uses domainkeys/SPF, such that if a recipient of your Gmail sender has/uses a strict domainkeys/SPF interpretation, the message will be rejected as fake.
 

Expert Comment

by:Charles Meruwoma
ID: 41025388
Hi rr100,

Please can you share your haproxy configuration with me? I need to send emails from Exchange 2013 via haproxy.

A sample will suffice....
Thank you


Regards,
Charles
 
LVL 76

Expert Comment

by:arnold
ID: 41025572
Charles,

My advice would be to open a question of your own.