I'm playing with HAProxy; as said last night, the PROXY line is sent outside of the SSL initialisation
but now I'm wondering: do I have to somehow try to read that line when the TLS socket is created in Haraka?
Thing is, since Haraka is initialised with the TLS socket on port 465, I can't get plain text at first, right?
_smf_
DarkSorrow: no - that's not what we meant.
PROXY will be sent after the connection is secured as 465 starts in SSL mode.
DarkSorrow
but the PROXY isn't sent after, and from some post I was reading about HAProxy
the devs there were kinda saying it should be sent before, since it's not supposed to depend on the protocol
I think they used the term "protocol agnostic" :o
_smf_
No idea TBH - you're going to have to work it out for yourself.
DarkSorrow
but then I can still try to see if I can send it after, but
yeah yeah, but I'd like to not do it for me only, and be able to put it in the main Haraka if it works :D
_smf_
Cool
DarkSorrow
but I suppose you can't "upgrade" the connection after it's made if I try to read the PROXY line before, right?
'cause I'm reading the server.js code
_smf_
I don't see why not. Going to require some open-heart surgery in server.js though.
You'll have to change 465 to start unencrypted (like a normal SMTP port).
Then in proxy_respond() you'll have to detect if port 465 is the current port and then call socket.upgrade().
Or something like that
DarkSorrow
mmh, I think I need to see, 'cause the initialisation of the socket for port 465 is in server.js but the PROXY and all is in the connect
that would somehow change the place where the CreateServer would be made
unless maybe there is a flag to say that HAProxy is active, thanks to that haproxy_hosts file, right?
but I don't want to "duplicate" code though :x
_smf_
Yeah - good point.
There's a chicken-and-egg problem there.
You can't know if you're talking to an HAProxy host until you get a connection.
At which point it's kinda too late, as 465 will be a TLS socket at that point based on how it's initialized in server.js
Jeez - I'm glad I don't need 465! ;-)
DarkSorrow
xD
yeah, just I'm supposed to make it compatible with every kind of shit I find, so well :D
SynchroM joined the channel
mmmh, each connection should get inside "Server.get_smtp_server", right?
or is this the initialisation?
yeah, it's at first I guess, mmmh
is there some socket upgrade already made that can be called in connection.js?
normally I can use the same thing that is used to do the STARTTLS, no?
this.client.upgrade(
but it doesn't work, it seems; after, it's telling me I'm not on a secure port :o
_smf_
this.client.upgrade() was what I was thinking of earlier.
DarkSorrow
yeah, I put that in connection.js, but it seems that it's processing the next line (that is the SSL) in process_line and giving me a this.respond(501, 'SSL attempted over a non-SSL socket');
but mmmh
_smf_
You get that if you connect to Haraka via HAProxy?
DarkSorrow
yes
I'm in the cmd_proxy
_smf_
Then it *isn't* sending PROXY first, is it?
So either it's not configured correctly; or your information is wrong.
DarkSorrow
I'm not sure what you mean
I wanted to see what was sent, so I took out the code that forced the connection to TLS in the server
and let port 465 get into cmd_proxy
and there I checked if the destination port was 465, then I made a socket.upgrade
seems with tls.createServer it doesn't work either xD
SynchroM has quit
no, ok, it's 'cause I had the check-ssl option D=
SynchroM joined the channel
SynchroM has quit
SynchroM joined the channel
SynchroM has quit
well, atm I just have a "hack" to prevent waiting for the PROXY line if it's on socket 465, because changing the rest would mean changing a lot of code in the connection somehow =/
I'm just checking if it's the dst port to wait for HAProxy; I'm aware it's written in the doc that we should wait for it, but if we wait on that port the server just doesn't work
not sure if I should do a PR nonetheless, since because of it, it doesn't allow the PROXY to work anyway
I put it and you decide later D=? I suppose it'll be bigger work anyway to redo some connection code, but I read that in the future (unknown time) HAProxy should allow sending the PROXY protocol after the negotiation
but there is no date, so well :D
otherwise I can redirect the SSL and make it in clear when I pass it to Haraka, but Haraka doesn't accept AUTH if it's not a "secure" connection, right?
cek
read code.
DarkSorrow
I lost my eyes reading SSL :(
dopesong_ joined the channel
_smf_
DarkSorrow: That wouldn't be too good anyway. One of the pluses of having Haraka support the HAProxy PROXY protocol is that it means you could put the HAProxy host anywhere (e.g. not on the local LAN) and it would still 'just work'. If you terminated SSL at the HAProxy and sent the remainder in the clear, then you're creating an obvious flaw if HAProxy is used.
You might as well just point the clients on 465 directly to a Haraka instance rather than at HAProxy at that point.
EyePulp joined the channel
DarkSorrow
well, the problem is that port 465 is used by PrestaShop since it's based on that phpmail crap
and it doesn't work with STARTTLS x_x
but yeah, it's a bit annoying atm
'cause, well, I suppose doing it this way I'll just put iptables in front of a special port
and just use the SSL on HAProxy and redirect it in clear to a specific port of Haraka, since only my HAProxy would access the Haraka servers
DarkSorrow has quit
DoubleMalt joined the channel
teknix_ joined the channel
chazomaticus joined the channel
chazomaticus
anyone else noticing SPF test failures? The "mod_redirect, false" test fails for me; looks like maybe aexp.com, which is what the test hits, now has invalid SPF records?
ultimatt1
check with another SPF implementation; IIRC, there's a parsing bug lurking in our SPF