
Using HAProxy for sharing outbound IP addresses

Not only does the Halon MTA natively support HAProxy's PROXY protocol for inbound load balancing, it also supports a (lesser known) outbound SMTP proxy feature. Outbound (SMTP client) connections can go out via the HAProxy server, so that they can use any of the source IPs configured on the HAProxy. This can be used to let multiple Halon MTA instances share the same IP. It supports both IPv4 and IPv6.

The feature is really easy to configure, either from the YAML configuration (per transport) or from the Pre-delivery script.

  • Configure a proxyprotocol server (the IP and port of your HAProxy server)
  • Select one or more source IPs available on the HAProxy server

This is what it looks like in the Pre-delivery script:

Pre-delivery context
Try([
    "proxyprotocol" => ["server" => "192.168.1.2", "port" => 2525],
    "sourceip" => [
        ["address" => "1.2.3.4", "helo" => "smtp4.example.com"],
        ["address" => "1.2.3.5", "helo" => "smtp5.example.com"],
        ["address" => "1.2.3.6", "helo" => "smtp6.example.com"],
    ]
]);

This is the HAProxy configuration to use. For extra safety we've added a placeholder for a restricted network access policy.

/etc/haproxy/haproxy.cfg
listen outboundsmtp
    acl is_local src 192.168.0.0/16 # access-policy
    tcp-request connection reject if !is_local # access-policy
    bind 192.168.1.2:2525 accept-proxy
    mode tcp
    option tcplog
    use-server v4 if { src 0.0.0.0/0 }
    use-server v6 if { src ::/0 }
    server v4 0.0.0.0 source 0.0.0.0 usesrc clientip
    server v6 ::: source ::: usesrc clientip

Note that HAProxy cannot drop privileges when using this feature and has to run as root (so remove any global.user directive).
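Because the listener sends from whatever source address the PROXY header names, the access-policy lines are what keep it from being usable by any host that can reach port 2525. The following check is an added example, not part of Halon's or HAProxy's tooling: it flags a listener of this shape that lacks a connection-level source allow-list, and a leftover global user directive. The names parse_sections, audit and UNGUARDED are this example's own, and it assumes ACL values are literal networks.

```python
import ipaddress

# Constructed sample: the page's listener with both access-policy lines removed.
UNGUARDED = """
global
    user haproxy
listen outboundsmtp
    bind 192.168.1.2:2525 accept-proxy
    server v4 0.0.0.0 source 0.0.0.0 usesrc clientip
"""

def parse_sections(cfg_text):
    """Split haproxy.cfg text into {section header: [tokenised directives]}."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop trailing comments
        if not words:
            continue
        if words[0] in ("global", "defaults", "listen", "frontend", "backend"):
            current = " ".join(words[:2])
            sections[current] = []
        elif current is not None:
            sections[current].append(words)
    return sections

def audit(cfg_text):
    """Findings for sections that accept PROXY headers and send from the client IP."""
    findings, sections = [], parse_sections(cfg_text)
    has_user = any(w[0] in ("user", "uid") for w in sections.get("global", []))
    for name, lines in sections.items():
        accepts = any(w[0] == "bind" and "accept-proxy" in w for w in lines)
        from_client = any(w[0] == "server" and "usesrc" in w for w in lines)
        if not (accepts and from_client):
            continue
        acls = {w[1]: w[3:] for w in lines if w[0] == "acl" and w[2:3] == ["src"]}
        # "reject if !acl" and "reject unless acl" both admit only acl members
        guards = [w[4].lstrip("!") for w in lines
                  if w[:3] == ["tcp-request", "connection", "reject"] and len(w) == 5
                  and (w[3], w[4][0] == "!") in (("if", True), ("unless", False))]
        nets = [n for g in guards for n in acls.get(g, [])]
        if not nets:
            findings.append(f"{name}: no source allow-list on the connection")
        for n in nets:
            if ipaddress.ip_network(n, strict=False).prefixlen == 0:
                findings.append(f"{name}: allow-list entry {n} matches every address")
        if has_user:
            findings.append(f"{name}: global user/uid set, but usesrc clientip needs root")
    return findings
```

Calling audit() on the configuration shown above returns an empty list; on UNGUARDED it returns one finding for the missing allow-list and one for the user directive.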