HAProxy

You can install HAProxy in front of any number of TUXGUARD Mail Gateway workers and have it load balance the connections. TUXGUARD Mail Gateway has built-in support for the HAProxy PROXY protocol, which ensures that TUXGUARD Mail Gateway sees the correct external IP address and port instead of the IP address and port of the HAProxy host.

You must configure TUXGUARD Mail Gateway with the IP addresses of any HAProxy instances in the HAProxy hosts setting for this to work correctly.

If you connect to TUXGUARD Mail Gateway from any host listed as a HAProxy host, it will not send an SMTP banner. Instead, it expects a PROXY command to be sent, at which point it resets the connection attributes accordingly and then sends the SMTP banner to start the session.

If no PROXY command is received within 30 seconds, a ‘421 PROXY timeout’ SMTP response will be sent.
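
As an added illustration (not TUXGUARD Mail Gateway's own code), the sketch below shows the trust decision described above for the version 1 text header that HAProxy's send-proxy option emits: only a listed HAProxy host may replace the connection's address and port. HAPROXY_HOSTS, ProxyError and the function names are hypothetical, the addresses are constructed samples, and rejecting PROXY from unlisted peers is an assumed policy.

```python
import ipaddress

# Constructed sample: the "HAProxy hosts" list (documentation address range).
HAPROXY_HOSTS = [ipaddress.ip_network("192.0.2.10/32")]

class ProxyError(ValueError):
    """Raised when a PROXY line is malformed or comes from an unlisted peer."""

def is_haproxy_host(peer_ip, trusted=HAPROXY_HOSTS):
    # Trust is decided by the real TCP peer, never by anything the peer sends.
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)

def parse_proxy_v1(line):
    """Parse b'PROXY TCP4|TCP6 src dst sport dport\\r\\n' into (src_ip, src_port)."""
    if len(line) > 107 or not line.endswith(b"\r\n"):  # v1 maximum is 107 bytes
        raise ProxyError("header too long or missing CRLF")
    try:
        parts = line[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyError("non-ASCII header") from None
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ProxyError("not a PROXY TCP4/TCP6 header")
    if not (parts[4].isdigit() and parts[5].isdigit()):
        raise ProxyError("ports must be decimal digits")
    try:
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    except ValueError:
        raise ProxyError("bad address") from None
    family = 4 if parts[1] == "TCP4" else 6
    sport, dport = int(parts[4]), int(parts[5])
    if src.version != family or dst.version != family:
        raise ProxyError("address family mismatch")
    if sport > 65535 or dport > 65535:
        raise ProxyError("port out of range")
    return str(src), sport

def remote_endpoint(peer_ip, peer_port, first_line):
    """Return the (ip, port) the SMTP session should be attributed to."""
    if is_haproxy_host(peer_ip):
        # Listed host: a valid PROXY line is mandatory before the banner.
        return parse_proxy_v1(first_line)
    if first_line.upper().startswith(b"PROXY "):
        # Assumed policy for this sketch: unlisted peers cannot set attributes.
        raise ProxyError("PROXY from a host that is not a listed HAProxy host")
    return peer_ip, peer_port
```

If the HAProxy hosts list is broader than the real load balancers, every address in it can claim an arbitrary client IP, so IP-based allow lists and reputation checks should be reviewed against that list.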

Example HAProxy Configuration

Here is a snippet from haproxy.cfg for typical port 25 and port 587 listeners that point to TUXGUARD Mail Gateway hosts.

listen smtp
        bind :25
        mode tcp
        option tcplog
        option tcp-check
        tcp-check expect rstring ^220\   # "\ " is an escaped space after the reply code
        tcp-check send QUIT\r\n
        tcp-check expect rstring ^221\   # "\ " is an escaped space after the reply code
        balance roundrobin
        server <name> <ip>:25 check-send-proxy check inter 60s send-proxy
        ...

listen smtp_submission
        bind :587
        mode tcp
        option tcplog
        option tcp-check
        tcp-check expect rstring ^220\   # "\ " is an escaped space after the reply code
        tcp-check send QUIT\r\n
        tcp-check expect rstring ^221\   # "\ " is an escaped space after the reply code
        balance roundrobin
        server <name> <ip>:587 check-send-proxy check inter 60s send-proxy
        ...