Deployment
Support of the proxy protocol for correct source IP addresses in Postfix
Motivation
For spam protection, openDesk relies on integrating Postfix and rspamd via the Milter protocol. In this setup, Postfix forwards, among other things, the source IP address of incoming connections to rspamd so that checks such as DKIM, rDNS, and SPF validation can be performed reliably.
In traditional deployments, this source IP corresponds to the actual client IP. In Kubernetes environments, however, applications are typically not exposed directly but are instead operated behind a load balancer or proxy. Without support for the proxy protocol, Postfix therefore only sees the IP address of the upstream load balancer instead of the real client IP.
As a result, rspamd does not receive the correct information for spam detection, and checks may fail or lose reliability. A typical example is the use of a TCP load balancer with proxy protocol enabled, as described,for example, in the STACKIT Kubernetes Engine documentation.
Change
The new Helmfile value technical.postfix.smtpdUpstreamProxyProtocol was introduced with this release.
This setting can be used to activate the HAProxy Proxy Protocol in Postfix so that Postfix can take over the original source IP addresses from the upstream LoadBalancer.
This means that Postfix and rspamd once again have the correct client IP addresses available for spam detection.
Notes for operators
Scenario 1: External spam control before openDesk
If spam control already takes place before openDesk, no changes or migration steps are necessary.
Scenario 2: Use of rspamd within openDesk
If the Helmfile values smtp.spamMilter.* are used to integrate rspamd for spam control, for example, it is recommended to activate the proxy protocol. This is the only way Postfix and rspamd can work with the actual source IP addresses.
This is important:
The configuration must be set identically both in the Kubernetes cluster or LoadBalancer and in openDesk.
The proxy protocol must be either activated or deactivated on both sides.
A misconfiguration will result in Postfix not processing incoming connections correctly.