So, many indicate there is no reason to place ProxMox Mail Gateway behind HAProxy. However, I beg to differ.

  1. HAProxy helps hide postfix so that it is more secure. AKA layers of separation.
  2. Place ProxMox Mail Gateway in DMZ zone and keep the vps server more simple and thus more secure.
  3. Certificate offloading via HAProxy. See this article

Procedure

Step 1 – Configure a public VPS

Configure UFW firewall and Fail2Ban

To secure data, I have chosen to install vpnCloud as outlined here. This server is only going to have port 3210, 25, and 22 open using UFW. So, this before anything else is done it is a good time to lock down the VPS and close any open holes. Also, Fail2Ban is helpful to really prevent brute force type of attacks.

apt packages

Simple on Debian, just run below command.

optional

install sudo so commands run with sudo. Or, simply remove sudo listed in commands below. Note: must run as root!

apt install sudo

Now, it is time to install the basic secure services.

sudo apt install ufw fail2ban

Once done, now it is time to configure the installed components.

UFW configure

default rules

Remember these are really basic and assumes the base server is clean and allows all outbound to leave the firewall. More secure, it could be deny outgoing and then specifically only allow specific ports and/or applications are allowed to leave the server. So, take this for what it is basic setup and adjust per your requirements.

sudo ufw default allow outgoing
sudo ufw default deny incoming
other required rules

Now all incoming ports need to be opened for now all that will be open is port 22. Others will come once all other components are configured. By do this, it prevents accidental ingress of data before any services are properly configured. This is important! Do not make your VPS server a spam server before it is properly configured!!! So, this section only opens SSH. Remember, further things can be done such as limiting what IP’s have access to port 22 as I show below in more secure.

sudo ufw allow 22/tcp

more secure

sudo ufw allow from 192.168.0.4 to any port 22 proto tcp

Now, it is time to enable the firewall.

sudo ufw enable

Finally, server is now secure and the only in is SSH on default port 22. Now to secure further it is a good idea to move SSH to another port like 2221 and secure it in firewall instead. If done change 22 to 2221 or whatever was chosen port. I have added configure SSH for different port.

Install VPNCloud

Step 2 – Configure Postfix

I have attached this article. However, it is not very difficult to configure Postfix to work behind HAProxy

Modify master.cf for proxy settings.

# Exposed SMTP service (postscreen support is needed to support the proxy protocol [search postscreen_upstream_proxy_protocol in main.cf])
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd

Modify main.cf to indicate haproxy settings.

# This is required to support the proxy protocol to acquire the correct source ip address from whoever is connecting to this server
# It's really important to get this information because otherwise ALL your connections will come from your internal ip address
# Guess what you allow to send emails, without question? Thats right! You're $mynetworks. Which means because you cannot get the
# correct source ip address, it permits EVERYBODY TO SEND EMAIL THROUGH YOUR SERVER! You basically become an open relay
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 5s

Leave a Reply

Your email address will not be published. Required fields are marked *