7

I've got haproxy and need to provide SMTP to servers which do not have a direct connection.

Here is portion of my config:

listen smtp     10.12.23.10:3025
    mode tcp
    server smtp     172.30.33.12:25
    #tcp-request inspect-delay 2s
    acl white_list src 10.146.5.247 10.146.5.201
    tcp-request content accept if white_list
    tcp-request content reject

Any attempt to connect to the port is rejected. If I remove the line `tcp-request content reject`, it works for everyone, but haproxy by default accepts everything. What is the correct way of letting only two or more servers in?

I've tried following lines as well:

tcp-request content reject unless whitelist
tcp-request content reject if !whitelist

I have haproxy 1.4.18, if it helps.

quanta
  • 51,413
  • 19
  • 159
  • 217
sashk
  • 334
  • 1
  • 9
  • 18
  • Do you have any NATing done before the clients and haproxy? Can you confirm that the requests are really coming from the indicated source IPs? `tcpdump` or `wireshark` can confirm this to you on haproxy node. – Khaled Jan 10 '12 at 10:04
  • @Khaled there is no NATing between hosts. Requests are coming from those IPs. – sashk Jan 10 '12 at 13:35

2 Answers

4

The config below works as expected for me on haproxy 1.4.15.

listen smtp   :3025
    mode tcp
    server smtp  192.168.1.2:25
    acl white_list src 127.0.0.1 192.168.1.205
    tcp-request inspect-delay 2s
    tcp-request content accept if white_list
    tcp-request content reject

You can even remove the inspect delay line, but the clients would be rejected after the "timeout connect".

listen smtp   :3025
    mode tcp
    server smtp  192.168.1.2:25
    acl white_list src 127.0.0.1 192.168.1.205
    timeout connect 1s
#    tcp-request inspect-delay 2s
    tcp-request content accept if white_list
    tcp-request content reject
Bart De Vos
  • 17,911
  • 6
  • 63
  • 82
Baptiste
  • 41
  • 1
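To see why the accepted config works and the two rule orderings the asker tried should be equivalent, here is a small model of how haproxy walks `tcp-request content` rules: in order, first match wins, and a connection that matches no rule is accepted (the default the question observes). This is an added example, not code from the question, the answers or the haproxy project; the `listen` section it parses is constructed to mirror the answer above, with made-up addresses, and it only understands `acl NAME src ...` and `tcp-request content accept|reject [if|unless COND]` lines.

```python
"""Model of haproxy's 'tcp-request content' rule evaluation (added example).

Reads a 'listen' section, collects 'acl NAME src ...' declarations and
'tcp-request content accept|reject [if|unless COND]' rules, and decides what a
client with a given source address gets: rules are evaluated top to bottom,
the first matching rule wins, and a connection matching no rule is accepted.
"""
import ipaddress

# Constructed config mirroring the accepted answer (addresses are made up).
SAMPLE_CONFIG = """\
listen smtp   :3025
    mode tcp
    server smtp  192.168.1.2:25
    acl white_list src 127.0.0.1 192.168.1.205
    tcp-request inspect-delay 2s
    tcp-request content accept if white_list
    tcp-request content reject
"""


def parse_listen_section(text):
    """Return (acls, rules).

    acls maps an ACL name to the ip networks it matches; rules is an ordered
    list of (action, condition) where condition is None (unconditional) or a
    (negate, acl_name) pair. 'unless X' is folded into 'if !X'.
    """
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            # Plain addresses become /32 networks; CIDR notation is kept.
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[:2] == ["tcp-request", "content"] and len(parts) >= 3:
            action = parts[2]
            if action not in ("accept", "reject"):
                raise ValueError("unsupported action: %s" % action)
            cond = None
            if len(parts) == 5 and parts[3] in ("if", "unless"):
                name = parts[4]
                negate = name.startswith("!")
                name = name.lstrip("!")
                # haproxy refuses rules that reference an undeclared ACL.
                if name not in acls:
                    raise ValueError("no such ACL: %s" % name)
                cond = (negate ^ (parts[3] == "unless"), name)
            elif len(parts) != 3:
                raise ValueError("cannot parse rule: %s" % line)
            rules.append((action, cond))
    return acls, rules


def decide(acls, rules, src_ip):
    """Apply the rules in order; first match wins, default is accept."""
    ip = ipaddress.ip_address(src_ip)
    for action, cond in rules:
        if cond is None:
            return action
        negate, name = cond
        matched = any(ip in net for net in acls[name])
        if matched != negate:
            return action
    return "accept"


def check_client(config_text, src_ip):
    """Decision ('accept' or 'reject') for one client against one config."""
    acls, rules = parse_listen_section(config_text)
    return decide(acls, rules, src_ip)


if __name__ == "__main__":
    for ip in ("192.168.1.205", "127.0.0.1", "10.0.0.9"):
        print(ip, "->", check_client(SAMPLE_CONFIG, ip))
```

Swapping the two-rule tail for a single `tcp-request content reject unless white_list` or `tcp-request content reject if !white_list` gives the same decisions, which is why the asker's alternative lines were reasonable attempts; the model only covers rule semantics, not the inspect-delay timing the answer describes.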
0

Upgrading to haproxy 1.4.22 resolved the issue.

sashk
  • 334
  • 1
  • 9
  • 18