Reverse proxy for SMTP servers

A reverse proxy is a server that sits in front of one or more web servers
to handle client requests, improving security, performance, and scalability.

reverse proxy diagram

Instead of communicating directly with servers,
clients send their requests to the reverse proxy,
which routes them to the appropriate servers and then returns the response,
acting as a single, secure access point.

Key Benefits:

  • Security: It can block malicious requests, encrypt traffic,
    and protect backend servers from direct attacks.
  • Performance: It distributes incoming traffic across multiple servers, preventing overload
    of a single server and ensuring greater availability.
  • Scalability: It allows you to add or remove backend servers without service interruption,
    offering the ability to handle growing traffic.

HTTP-only reverse proxy (Layer 7)

There are several tools available on the internet; after research, we initially ruled out those that only support the HTTP protocol (Layer 7):

NO Apache
“Oh dear. Take a moment to learn about the technologies you’re dealing with. Email uses SMTP. Apache uses HTTP. Apache knows absolutely nothing about SMTP. If you want to work with email messages, you’ll need a technology that speaks SMTP.” – EEAA Commented Aug 18, 2016 at 2:49

NO Caddy
“Caddy cannot proxy TCP, only HTTP over TCP. Use a reverse proxy that can proxy TCP like Traefik, Nginx, or haproxy, or use this experimental plugin.” – ElevenNotes Commented Sep 24, 2024


We then focused on the three recommended in the comments: “Traefik, NginX, or HAProxy,” installing and testing them one by one.

Traefik was the first choice.

Most of the tutorials started with Docker, a platform I wanted to avoid in favor of a simple solution, possibly based on one of the Linux package managers, such as YUM for RPM-based distributions like Fedora and CentOS, or APT (Advanced Package Tool), which is used on Debian-based distributions like Ubuntu and Debian.

After a long search, we found this recent article, which describes the type of installation we were looking for: Setup Traefik as a systemd Service.

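One note: you need to change the SELinux settings from “Enforcing” to “Permissive.” In Permissive mode, SELinux only logs policy violations instead of blocking them, and this applies to the whole host, not just to Traefik.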

Again, after trying two courses on Udemy, we found this excellent course: Traefik Crash Course (Without Docker). We managed to get it working by reproducing the examples provided. Toward the end of the video, the excellent instructor expressed his complete disapproval of this tool: Traefik Crash Course - 53:50 Summary.
This discouraged us from further testing, leading us to try something else.

NginX was the second choice

In this case, the installation was simpler, using YUM. In short:
yum install epel-release nginx nginx-mod-stream nginx-mod-mail
A note: in SELinux, you need to enable the boolean that allows relaying:
setsebool -P httpd_can_network_relay 1

For the training, we played it safe, with the same instructor as the previous course: NginX Crash Course (the first part ends after about an hour and twenty minutes). The instructor is also NOT convinced about this application, particularly the fact that it acts as both a web server and a reverse proxy: NginX Crash Course - 1:20:10 Summary.
The report ends with “I’ll pick HAProxy over NginX,” so we decided to try HAProxy as well.

Finally, we also tried HAProxy.

Installation turned out to be the easiest thing ever, as it’s a very common application, available in all Linux package managers, for example: yum install haproxy

We’ve also consulted our trusted instructor: HAProxy Crash Course.

It works, but unfortunately, it’s NOT good for SMTP authentication:
“It’s not possible to configure haproxy this way, because haproxy doesn’t support SMTP at all.”
– lukastribus Commented Aug 17, 2023


A standard SMTP server as a reverse proxy

At this point, after two weeks of testing, we realized that
it’s better to use a standard SMTP server as a reverse proxy for other SMTP servers.

It does its job, using only the SMTP protocol, properly authenticates connections,
and can forward requests to other SMTP servers via the “smarthost” function.

In Postfix, in main.cf, as
relayhost = [smarthost_address]:port

In Sendmail, in sendmail.mc, as
define(`SMART_HOST',`mail.example.com')
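
The relayhost line above covers only the forwarding half of the setup. The following added example (not from the original page or from the Postfix project) is a small Python audit of a main.cf for the settings that decide who may use the relay. Both sample configurations are constructed, and the check only looks at settings written explicitly in the file; it does not model Postfix defaults.

```python
import re

# Constructed main.cf samples (mail.example.com is a placeholder host).
WEAK = """\
relayhost = [mail.example.com]:587
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks,
    reject_unauth_destination
"""
HARDENED = """\
relayhost = [mail.example.com]:587
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# only local processes and authenticated clients may relay
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Parse main.cf text: '#' lines are comments, indented lines continue the previous one."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value  # a later definition overrides an earlier one
    return params

def audit_relay(text):
    """Return findings for settings explicit in the file (Postfix defaults are not modelled)."""
    p, findings = parse_main_cf(text), []
    rules = [r for r in re.split(r"[,\s]+", p.get("smtpd_relay_restrictions", "")) if r]
    if not p.get("relayhost"):
        findings.append("no relayhost: mail is not forwarded to the smarthost")
    if re.search(r"(?:^|[\s,])(?:0\.0\.0\.0/0|\[::\]/0)", p.get("mynetworks", "")):
        findings.append("mynetworks trusts every address: open relay")
    if not {"reject_unauth_destination", "defer_unauth_destination"} & set(rules):
        findings.append("relay restrictions never reject unauthorized destinations")
    if p.get("smtpd_sasl_auth_enable") != "yes" or "permit_sasl_authenticated" not in rules:
        findings.append("remote clients cannot authenticate before relaying")
    if p.get("smtpd_tls_auth_only") != "yes":
        findings.append("AUTH is not restricted to TLS sessions")
    return findings
```

Calling audit_relay(WEAK) returns three findings, while audit_relay(HARDENED) returns an empty list.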

