Many people say there is no reason to place ProxMox Mail Gateway behind HAProxy. However, I beg to differ.

  1. HAProxy hides Postfix from direct exposure, so it is more secure. In other words, layers of separation.
  2. Place ProxMox Mail Gateway in a DMZ zone and keep the VPS server simpler, and thus more secure.
  3. Certificate offloading via HAProxy. See this article.

Procedure

Step 1 - Configure a public VPS

Configure UFW firewall and Fail2Ban

To secure data, I have chosen to install vpnCloud as outlined here. This server is only going to have ports 3210, 25 and 22 open via UFW. So, before anything else is done, this is a good time to lock down the VPS and close any open holes. Fail2Ban is also helpful to prevent brute-force attacks.

apt packages

This is simple on Debian; just run the commands below.

optional

Install sudo so the commands can be run with sudo, or simply remove sudo from the commands listed below. Note: this must be run as root!

apt install sudo

Now, it is time to install the basic security services.

sudo apt install ufw fail2ban

Once done, now it is time to configure the installed components.

UFW configure

default rules

Remember, these rules are really basic and assume the base server is clean; they allow all outbound traffic to leave the firewall. A more secure setup would deny outgoing by default and then explicitly allow only specific ports and/or applications to leave the server. So, take this for what it is, a basic setup, and adjust it per your requirements.

sudo ufw default allow outgoing
sudo ufw default deny incoming

other required rules

Now the incoming ports need to be opened. For now, all that will be open is port 22; the others will come once the other components are configured. Doing it this way prevents accidental ingress of data before any services are properly configured. This is important! Do not make your VPS server a spam server before it is properly configured!!! So, this section only opens SSH. Remember, further things can be done, such as limiting which IPs have access to port 22, as I show below under "more secure".

sudo ufw allow 22/tcp

more secure

sudo ufw allow from 192.168.0.4 to any port 22 proto tcp

Now, it is time to enable the firewall.

sudo ufw enable

Finally, the server is now secure and the only way in is SSH on the default port 22. To secure it further, it is a good idea to move SSH to another port, such as 2221, and allow that port in the firewall instead. If you do so, change 22 to 2221 or whichever port was chosen. I have added a section on configuring SSH for a different port.

Install VPNCloud

Step 2 - Configure Postfix

I have attached this article. However, it is not very difficult to configure Postfix to work behind HAProxy.

Modify master.cf for the proxy settings.

# Exposed SMTP service (postscreen support is needed to support the proxy protocol [search postscreen_upstream_proxy_protocol in main.cf])
smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd

Modify main.cf to add the HAProxy settings.

# This is required to support the proxy protocol so that the correct source IP address of whoever is connecting to this server is known.
# It's really important to get this information, because otherwise ALL your connections will come from your internal IP address.
# Guess who you allow to send email without question? That's right! Your $mynetworks. Which means that because you cannot get the
# correct source IP address, it permits EVERYBODY TO SEND EMAIL THROUGH YOUR SERVER! You basically become an open relay.
postscreen_upstream_proxy_protocol = haproxy
postscreen_upstream_proxy_timeout = 5s
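For completeness, here is the HAProxy side of this setup, as an added example and not configuration from the original post; the gateway address 10.10.0.2 (reached over the VPN), the frontend/backend names and the timeouts are assumed. It shows the backend without the PROXY protocol next to the corrected one.

```haproxy
# Added example, not from the original post. Assumed: HAProxy runs on the
# public VPS, and 10.10.0.2 is Proxmox Mail Gateway reached over the VPN.
global
    log /dev/log local0

defaults
    mode    tcp                 # SMTP is not HTTP: plain TCP pass-through only
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  5m          # SMTP sessions can idle; keep these generous
    timeout server  5m

frontend smtp_in
    bind *:25                   # the port opened in UFW for mail
    default_backend pmg_smtp

# WEAK (left commented out): no PROXY protocol. Postfix sees every client as
# the HAProxy/VPN address, which normally sits in $mynetworks, so every client
# is treated as trusted (open relay) and postscreen/RBL checks use the wrong IP.
# backend pmg_smtp
#     server pmg 10.10.0.2:25 check

# CORRECT: pairs with postscreen_upstream_proxy_protocol = haproxy in main.cf.
# send-proxy prepends the PROXY header carrying the real client IP and port.
# check-send-proxy makes health checks send it too; otherwise each check is a
# bare connection that postscreen holds until postscreen_upstream_proxy_timeout
# and then drops, filling the mail log with noise.
backend pmg_smtp
    server pmg 10.10.0.2:25 send-proxy check check-send-proxy
```

Note that Proxmox Mail Gateway regenerates its Postfix configuration from its own templates, so the master.cf and main.cf changes above must be made in those templates rather than in the generated files, or they will be overwritten.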
