Preserving source IP — Postfix behind Amazon ELB

AWS_ELB_Postfix.png Why run Postfix behind an ELB instead of doing DNS round-robin? Lots of reasons. It’s a lot easier to autoscale, for one. You get increased control over load distribution, you don’t have to wait for DNS propagation. But wait, won’t I lose the source IP since we’ll have to do TCP load balancing? No, of course not — that was a rhetorical question. Here’s how it’s done.

Amazon ELB supports Proxy Protocol. This will write a TCP header that can later be read by applications which support it. Luckily for us, Postfix supports Proxy Protocol in versions 2.10 and above.

Unfortunately, the AWS web console doesn’t have an easy way to enable Proxy Protocol, but it’s pretty easy to accomplish with the AWS CLI tools. First, we need to create a policy:

aws elb create-load-balancer-policy --load-balancer-name YOUR-ELB-HERE --policy-name EnableProxyProtocol  --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=True

Then, apply the policy:

aws elb set-load-balancer-policies-for-backend-server --load-balancer-name YOUR-ELB-HERE --instance-port 25 --policy-names EnableProxyProtocol

We can check to make sure our changes were applied:

aws elb describe-load-balancers --load-balancer-name YOUR-ELB-HERE

You should see EnableProxyProtocol listed under policies. That’s it for the ELB side, now you just need to enable Proxy Protocol on Postfix. In your /etc/postfix/main.cf you’ll need to add the line:

postscreen_upstream_proxy_protocol = haproxy

And then your service configuration in /etc/postfix.master.cf should look something like this:

smtp  inet  n  —  —  —  1  postscreen
smtpd pass  —  —  —  —  —  smtpd

Restart Postfix and you’re done! You should immediately see proper source IP start to show up in your mail.log.

 
5
Kudos
 
5
Kudos

Now read this

Software Ate My Infrastructure: Two Years on AWS with Ansible, Terraform and Packer part 1

Previously: read about our first year Agari Data has made significant investment into infrastructure as code. Almost two years into this project, we’ve learned some lessons. Our efforts have already yielded dividends by increasing... Continue →