How to properly send e-mails behind a HAProxy LAN server pool?

Hey everyone,
I noticed when I send out emails through PHP or through the server's console the e-mails are sent out from the firewall's public IP.

Current setup is:
1 juniper firewall
2 haproxy servers (load balancers, active/backup)
4 virtual servers (each site)

The firewall's public side is: 70.x.x.10, and the LAN IP is and also
Both haproxy servers have a public NIC and private NIC
All the virtual servers (running CentOS 6.5 Linux) have 1 NIC configured with a LAN IP address (10.0.1.x and 10.0.50.x), gateway matches the subnet.
The hostname for each server is a FQDN pointing to the site's Public IP.

All traffic is directed to the HAProxy IP (site specific), where it has a pool of 4 LAN IP (servers) per site.
The actual e-mail accounts are not hosted on these virtual servers, they are either on gmail servers or another provider.

When sending out an e-mail from any virtual server, the "client-ip" and "Received: from" in the e-mail's header is the firewall's public IP: 70.x.x.10. That makes sense, because traffic only comes in through HAProxy; it doesn't go out through it.
sendmail is installed and running with the default configuration, no changes so far.

I would like suggestions on what I can do to have the e-mail headers to list the actual website's IP address and not the firewall's public ip for every site. I'm researching on sendmail options, but still nothing.

Hopefully I made it clear. Let me know your thoughts. Thank you very much in advance!
Richard R Asked:
On the Juniper you can map the source IP overwrite in the outgoing policy rule.
Presumably you have a policy that maps incoming port 80 to 10.x.x.y port 80.

I think they were called MIP objects.

The issue is that I do not understand what IP, if you only have one WAN IP, you want the packet to appear from.

How many public IPs does your Juniper have access to? How many public IP / untrust objects/networks does it have?
You need to add to your PHP code an X-header to record the information you want, i.e. a hashed website/username (this way you can identify it, but to anyone else it will be meaningless). Do not play with Received:, as it will be clear that they are inconsistent.
Richard R Author Commented:
arnold, thanks, but I'm not sure that's the way I'm looking at this. At the moment the server is on a LAN, so all traffic is going out through the firewall's public IP, I would like to somehow configure sendmail or postfix to send every email from a different IP (website's public ip). Hard coding headers on PHP can't be a solution because the server's command line wouldn't be affected by it, now if the MTA is configured to route through different IP I think that would work, but I would need suggestions on how to do that or if there's a better way of making this happen. But thanks for now!
You would need to configure masquerading, but that will complicate your PHP.
A website is not a mail source, such that it is technically meaningless.

Does the sendmail/postfix system reside on a system that has all the IPs?
Richard R Author Commented:
The sendmail/postfix is currently residing on the VM with a LAN IP address of , there are 4 VMs with the same setup (sendmail/postfix and a different LAN IP). The HAProxy load balancer is the system that has all the IPs.
I was thinking more of a system wide configuration and not just for PHP.
The origin of the message is only relevant when using DomainKeys or SPF, such that your WAN IPs would need to be authorized by the DNS record in SPF, and for DomainKeys you would need to also have the public key to decrypt data in the headers for verification.

no one is expecting to receive an email originating from a website.

Your mail servers are the local post office where letters and packages are dropped off.

The only way to achieve what you want is to have each site on its own VM with a local mail server that has smarthost routing out to your central mail server.
The VM name will need to match the name you want reflected in the Received lines.
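An added offline illustration of the SPF point made above (example code, not from anyone in this thread): it extracts the connecting IP a recipient sees in a Received: header and evaluates it against an SPF record, showing that the NAT egress address, not the LAN VM's address or the "website's IP", is what must be authorized. The Received line, the SPF record and all addresses are constructed stand-ins for the thread's 70.x.x.10 and 10.0.x.x values; only ip4/ip6/all mechanisms are handled.

```python
import ipaddress
import re

# Constructed sample: the Received: line a recipient sees when a LAN VM sends
# through the firewall's NAT (the thread's 70.x.x.10; 70.0.0.10 stands in here).
SAMPLE_RECEIVED = ("Received: from web1.example.test (unknown [70.0.0.10])"
                   " by mx.example.test with ESMTP")
# Constructed SPF record authorizing the firewall's WAN IP and a /25 WAN block.
EXAMPLE_SPF = "v=spf1 ip4:70.0.0.10 ip4:70.0.1.0/25 -all"
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def client_ip_from_received(header):
    """Pull the bracketed connecting IP out of a Received: header."""
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", header)
    if not m:
        raise ValueError("no bracketed IP in Received header")
    return m.group(1)

def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        parsed.append((qualifier, mech.lower(), value))
    return parsed

def check_spf(record, client_ip):
    """Evaluate ip4/ip6/all left to right; the first matching term decides."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            return RESULT[qualifier]
        if mech not in ("ip4", "ip6"):
            # a, mx, include, exists need DNS lookups; out of scope offline
            raise ValueError("unsupported mechanism: " + mech)
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return RESULT[qualifier]
    return "neutral"  # no 'all' term matched: default result

def check_received(header, record=EXAMPLE_SPF):
    """Which IP the recipient sees, and how the SPF record judges it."""
    ip = client_ip_from_received(header)
    return ip, check_spf(record, ip)
```

A VM that egresses through a public VLAN address missing from the record fails SPF even though the mail is legitimate, which is the practical reason the egress IPs, not the per-site hostnames, are what need to be kept in the record.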
Richard R Author Commented:
The SPF is configured with the proper IPs. And I do understand that no one is expecting an email from a website.
So your suggestion would be configuring the sendmail/postfix relay option, if I understood it correctly?
Actually, my suggestion is to leave it alone, but to easily identify the source you would add an X-header.

I do not believe I understand what/why you are looking at this.

Not sure why you are using the HAProxies in a configuration bypassing your firewall.

How many public IPs do you have, and which system has them, the firewall or HAProxy?

On a Juniper, you can define outgoing mapping, i.e. the reverse side of port/IP forwarding.

I.e. if the source of the packet is , the outgoing packet on the WAN side will be 70.x.y.z; for .4 it will be 70.x.z.y.
Richard R Author Commented:
arnold, the haproxy servers are just the load balancers that I'm using to balance traffic between 4 different web servers on a LAN. The juniper firewall doesn't come first because it's mainly acting as the LAN router and as the VPN device. I guess you can forget the HAProxies as I mentioned them to describe the setup I'm using.

My issue is that all of these 4 balanced VMs are sending emails from the LAN (because they only have a private IP), and the email arrives as the firewall's public IP, because that's the interface facing the internet. I would like to have a way of configuring sendmail/postfix to change that IP address to one that I specify, instead of me having to add a public IP address to each of these VMs.

I had thought about SMTP relay, but I'm not sure if that would do it; I think it would only include the firewall's IP until it reaches the SMTP server, then the person getting the actual e-mail would have the SMTP server's IP in the header and not the firewall's IP.
Richard R Author Commented:
arnold, I have 3 different public IP subnets; only one of them is running through the firewall for VPN, and that subnet is a /25. The other IPs are assigned from the switch's public VLAN, so I can't route all the IPs using source NAT (LAN -> WAN) through the firewall, because not all of them pass through the firewall.
In order for the outgoing IP on a packet to show up as anything other than the main, lowest firewall WAN IP, your NAT source rule would have to apply.

You can, if you want, try to route the packet through a VPN out the other site's IP.

What is your goal? You can define a source NAT pool and have the mail server IP set there, such that the outgoing IP will be one of the ones in the pool on a random basis.

I will repeat that I do not see what exactly your goal is.

As you noted, most of these have their email provided by others. Your Gmail-based mailing could be rejected as fake, since I believe Gmail uses DomainKeys/SPF, such that if a recipient of your Gmail sender has/uses a strict DomainKeys/SPF interpretation, the message will be rejected as fake.
Charles Meruwoma Commented:
Hi rr100,

Please can you share your haproxy configuration with me? I need to send emails from Exchange 2013 via haproxy.

A sample will suffice....
Thank you

My advice would be to open a question of your own.