Chapter 59 - Proxies
A proxy is an intermediate system through which communication is passed. Proxies may provide a security, availability or load-distribution function.
1. Inbound proxies
Exim has support for receiving inbound SMTP connections via a proxy that uses “Proxy Protocol” to speak to it. To include this support, include “SUPPORT_PROXY=yes” in Local/Makefile.
It was built on the HAProxy specification, found at https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt.
The purpose of this facility is so that an application load balancer, such as HAProxy, can sit in front of several Exim servers to distribute load. Exim uses the local protocol communication with the proxy to obtain the remote SMTP system IP address and port information. There is no logging if a host passes or fails Proxy Protocol negotiation, but it can easily be determined and recorded in an ACL (example is below).
Use of a proxy is enabled by setting the hosts_proxy main configuration option to a hostlist; connections from these hosts will use Proxy Protocol. Exim supports both version 1 and version 2 of the Proxy Protocol and automatically determines which version is in use.
The Proxy Protocol header is the first data received on a TCP connection and is inserted before any TLS-on-connect handshake from the client; Exim negotiates TLS between Exim-as-server and the remote client, not between Exim and the proxy server.
The following expansion variables are usable (“internal” and “external” here refer to the interfaces of the proxy):
proxy_external_address IP of host being proxied or IP of remote interface of proxy proxy_external_port Port of host being proxied or Port on remote interface of proxy proxy_local_address IP of proxy server inbound or IP of local interface of proxy proxy_local_port Port of proxy server inbound or Port on local interface of proxy proxy_session boolean: SMTP connection via proxy
If $proxy_session is set but $proxy_external_address is empty there was a protocol error. The variables $sender_host_address and $sender_host_port will have values for the actual client system, not the proxy.
Since the real connections are all coming from the proxy, and the per host connection tracking is done before Proxy Protocol is evaluated, smtp_accept_max_per_host must be set high enough to handle all of the parallel volume you expect per inbound proxy. With the option set so high, you lose the ability to protect your server from many connections from one IP. In order to prevent your server from overload, you need to add a per connection ratelimit to your connect ACL. A possible solution is:
# Set max number of connections per host LIMIT = 5 # Or do some kind of IP lookup in a flat file or database # LIMIT = ${lookup{$sender_host_address}iplsearch{/etc/exim/proxy_limits}} defer message = Too many connections from this IP right now ratelimit = LIMIT / 5s / per_conn / strict
2. Outbound proxies
Exim has support for sending outbound SMTP via a proxy using a protocol called SOCKS5 (defined by RFC1928). The support can be optionally included by defining SUPPORT_SOCKS=yes in Local/Makefile.
Use of a proxy is enabled by setting the socks_proxy option on an smtp transport. The option value is expanded and should then be a list (colon-separated by default) of proxy specifiers. Each proxy specifier is a list (space-separated by default) where the initial element is an IP address and any subsequent elements are options.
Options are a string <name>=<value>. The list of options is in the following table:
auth authentication method name authentication username pass authentication password port tcp port tmo connection timeout pri priority weight selection bias
More details on each of these options follows:
-
auth: Either “none” (default) or “name”. Using “name” selects username/password authentication per RFC 1929 for access to the proxy. Default is “none”.
-
name: sets the username for the “name” authentication method. Default is empty.
-
pass: sets the password for the “name” authentication method. Default is empty.
-
port: the TCP port number to use for the connection to the proxy. Default is 1080.
-
tmo: sets a connection timeout in seconds for this proxy. Default is 5.
-
pri: specifies a priority for the proxy within the list, higher values being tried first. The default priority is 1.
-
weight: specifies a selection bias. Within a priority set servers are queried in a random fashion, weighted by this value. The default value for selection bias is 1.
Proxies from the list are tried according to their priority and weight settings until one responds. The timeout for the overall connection applies to the set of proxied attempts.
3. Logging
To log the (local) IP of a proxy in the incoming or delivery logline, add “+proxy” to the log_selector option. This will add a component tagged with “PRX=” to the line.