Bug 1370455
| Field | Value |
|---|---|
| Summary | postfix: haproxy proxy SMTPS load balancing doesn't work |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Ramesh Sahoo <rsahoo> |
| Component | postfix |
| Assignee | Jaroslav Škarvada <jskarvad> |
| Status | CLOSED ERRATA |
| QA Contact | Alois Mahdal <amahdal> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 7.2 |
| CC | amahdal, anderson.gomes, bperkins, kvolny, olysonek, psklenar, rsahoo, thozza |
| Target Milestone | rc |
| Keywords | FastFix, Patch |
| Target Release | 7.2 |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | postfix-2.10.1-7.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2018-10-30 09:34:56 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1420851, 1549614 |
| Attachments | |
Description
Ramesh Sahoo
2016-08-26 11:23:09 UTC
Created attachment 1201164 [details]
upstream patch
I'm attaching the upstream patch. I tested it and it works.
However, I think that the output of openssl client which you are seeing is caused by misconfiguration, rather than this bug. I encountered it myself as well, while trying to reproduce the bug. Can you post your whole haproxy.cfg, /etc/postfix/master.cf and /etc/postfix/main.cf?
I'll attach configuration soon.

Created attachment 1201576 [details]
haproxy.cfg
HaProxy configuration
Created attachment 1201577 [details]
master.cf
Postfix master.cf
Created attachment 1201578 [details]
main.cf
Postfix main.cf
All requested configuration files attached.

Created attachment 1201603 [details]
postfix master patch
You need to tell Postfix where your private key is. Apply the attached patch to /etc/postfix/master.cf (where /etc/postfix/postfix-key.pem is your private key), restart Postfix and HAProxy, and then you should see the actual buggy behaviour:
After the first connection using openssl s_client, since smtpd started, the connection hangs with the output 'CONNECTED(00000003)'. If you terminate openssl client and try to connect again, it succeeds. The patch eliminates the initial hang after smtpd is started.
Hello, after I applied the patch I still see the same behavior in RHEL7.2:

```
[root@cls1 haproxy]# openssl s_client -connect localhost:10465
CONNECTED(00000003)
139841599666080:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@cls1 haproxy]# openssl s_client -connect localhost:465
CONNECTED(00000003)
140684749150112:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
```

master.cf:

```
[root@cls1 postfix]# egrep -v $'^[ \t]*(#|$)' master.cf
smtp       inet  n       -       n       -       -       smtpd
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_cert_file=/etc/postfix/postfix_cert.pem
  -o smtpd_tls_key_file=/etc/postfix/postfix_key.pem
  -o smtpd_upstream_proxy_protocol=haproxy
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
[root@cls1 postfix]# netstat -ntlup | egrep 'master|10465'
tcp        0      0 127.0.0.1:465     0.0.0.0:*     LISTEN      3430/master
tcp        0      0 127.0.0.1:25      0.0.0.0:*     LISTEN      3430/master
tcp        0      0 127.0.0.1:10465   0.0.0.0:*     LISTEN      3318/haproxy
```

When you run `openssl s_client -connect localhost:10465`, does it exit immediately, or is there a 30+ second delay? Can you try whether running the command a second time changes anything?

There is no delay/wait of 30 seconds; I get a response immediately, within a few milliseconds.

The patch works for me. For the reporter: try whether your TLS is working, i.e. disable haproxy by commenting out the following line in your master.cf:

```
-o smtpd_upstream_proxy_protocol=haproxy
```

And then try to connect directly with s_client to port 465:

```
$ openssl s_client -connect localhost:465
```

If it doesn't work, there is probably a problem with your TLS certificate, or TLS is misconfigured on your machine. Also, for haproxy to work I had to tweak SELinux, e.g.:

```
# setsebool -P haproxy_connect_any 1
```

Reviewed the patch and re-ran the test suite. No problems found.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3085
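The `-o smtpd_upstream_proxy_protocol=haproxy` option in the master.cf above makes smtpd expect HAProxy's plaintext PROXY protocol line (for example `PROXY TCP4 203.0.113.7 127.0.0.1 51234 465\r\n`) as the very first bytes of every forwarded connection, and only after that line has been consumed does the TLS handshake required by `smtpd_tls_wrappermode=yes` begin; this is also why the diagnostic step in the thread comments that option out before connecting to port 465 directly with s_client. The Python below is an added example, not code from this bug report, from Postfix or from HAProxy: it reads exactly one PROXY v1 line from the front of a connection, validates it, and leaves the bytes that follow (the client's TLS ClientHello) untouched in the stream. The `ProxyInfo`, `read_proxy_v1_header` and `demo` names and the sample bytes are constructed for this example.

```python
"""PROXY protocol v1 header reader (added example; not Postfix or HAProxy code)."""
import io
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Longest legal v1 line including CRLF ("PROXY TCP6 <39> <39> 65535 65535\r\n").
MAX_V1_HEADER = 107


class ProxyHeaderError(ValueError):
    """The bytes at the front of the connection are not a valid PROXY v1 line."""


@dataclass
class ProxyInfo:
    family: str               # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]   # client address as HAProxy saw it
    dst_addr: Optional[str]   # address the client connected to on HAProxy
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_proxy_v1_line(line: bytes) -> ProxyInfo:
    """Validate and decode one complete PROXY v1 line (must end in CRLF)."""
    if not line.startswith(b"PROXY ") or not line.endswith(b"\r\n"):
        raise ProxyHeaderError("not a PROXY v1 header")
    if len(line) > MAX_V1_HEADER:
        raise ProxyHeaderError("PROXY line longer than 107 bytes")
    try:
        fields = line[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII byte in PROXY header") from exc

    family = fields[1]
    if family == "UNKNOWN":
        # Spec: after UNKNOWN the receiver ignores the rest of the line.
        return ProxyInfo("UNKNOWN", None, None, None, None)
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError(f"malformed PROXY header: {line!r}")

    src_addr, dst_addr, src_port, dst_port = fields[2:]
    want = 4 if family == "TCP4" else 6
    for addr in (src_addr, dst_addr):
        try:
            version = ipaddress.ip_address(addr).version
        except ValueError as exc:
            raise ProxyHeaderError(f"bad address {addr!r}") from exc
        if version != want:
            raise ProxyHeaderError(f"{addr} is not an IPv{want} address")
    ports = []
    for port in (src_port, dst_port):
        if not port.isdigit() or int(port) > 65535:
            raise ProxyHeaderError(f"bad port {port!r}")
        ports.append(int(port))
    return ProxyInfo(family, src_addr, dst_addr, ports[0], ports[1])


def read_proxy_v1_header(stream) -> ProxyInfo:
    """Consume exactly one PROXY v1 line from a binary stream (socket file, BytesIO).

    Bytes are read one at a time up to the CRLF: a buffered read could pull in
    the first bytes of the TLS ClientHello that follows, and those must remain
    in the stream for the TLS layer, which in wrappermode starts right after.
    """
    line = bytearray()
    while not line.endswith(b"\r\n"):
        if len(line) >= MAX_V1_HEADER:
            raise ProxyHeaderError("no CRLF within 107 bytes; not a PROXY header")
        byte = stream.read(1)
        if not byte:
            raise ProxyHeaderError("connection closed inside PROXY header")
        line += byte
    return parse_proxy_v1_line(bytes(line))


def is_valid_proxy_v1_line(line: bytes) -> bool:
    """Predicate form of parse_proxy_v1_line for quick checks."""
    try:
        parse_proxy_v1_line(line)
        return True
    except ProxyHeaderError:
        return False


# Constructed sample: what HAProxy (send-proxy) would put in front of a client
# from 203.0.113.7:51234 reaching the 465 frontend, followed by the first bytes
# of that client's TLS ClientHello record.
SAMPLE_CONNECTION = (
    b"PROXY TCP4 203.0.113.7 127.0.0.1 51234 465\r\n"
    b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0"
)


def demo(raw: bytes = SAMPLE_CONNECTION):
    """Return (ProxyInfo, bytes left over for the TLS handshake)."""
    stream = io.BytesIO(raw)
    info = read_proxy_v1_header(stream)
    return info, stream.read()


if __name__ == "__main__":
    info, tls_bytes = demo()
    print(info)
    print("left for TLS:", tls_bytes)
```

Feeding the parser a connection that starts with a TLS record instead of a PROXY line (what a direct `openssl s_client -connect localhost:465` produces while the haproxy option is still set) is rejected rather than waited on, which is the situation the thread's "comment the option out first" advice avoids. Because the receiver takes the client address in this header on trust, the option belongs only on listeners reachable solely from the load balancer, as in the netstat output where Postfix's 465 is bound to 127.0.0.1 behind HAProxy on 10465.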