Is your feature request related to a problem? Please describe.
I'm trying to get a setup working that looks like this:
```mermaid
flowchart LR;
    sender--internet-->border_smtp
    subgraph k8s
        border_smtp--intranet-->upstream_smtp
    end
    upstream_smtp---internet--->recipient
```
In this case the border SMTP server is Haraka but the upstream SMTP server is Maddy.
Port 465 works great with SNI for directing connections directly to the upstream, but in the case of STARTTLS variants (25,143,587) a protocol-aware (intercepting) proxy is necessary.
I'd like to avoid having Haraka hold all TLS details or upstream servers (I do realize that's the quickest way to solve being able to send mail via the external domain, Haraka would just send the outgoing mail itself).
So this means that I would like to handle the problem before `MAIL FROM` or queuing time (which rules out `smtp_forward` and `smtp_proxy`, if I understand correctly).
Describe the solution you'd like
It looks like `smtp_bridge` can be modified to solve my problem, as it simply bridges the connection upstream, but right now it only seems to bridge to one other SMTP server for every incoming connection.
I think the solution is to:
1. Add code to `smtp_bridge` to choose configuration based on the `MAIL FROM` address (similar to `smtp_forward`)
2. Add code to `smtp_bridge` to forward based on the per-domain configuration
While I'm here I'd like to change `smtp_proxy` as well so it can be per-domain too.
I'm willing to write this PR if the overall approach is sound!
Describe alternatives you've considered
I've tried to use `smtp_forward`/`smtp_proxy` and they seem to require that Haraka terminates the STARTTLS connection.
These could work, but require Haraka to hold all relevant credentials for upstream SMTP servers (and all checks/logic in upstream servers copied into Haraka).
Additional context
I know there are at least a couple of ways of hacking my way to a solution:
- Extending Haraka to more dynamically retrieve TLS certificates (in my case I'm running in a Kubernetes cluster), and sending email through Haraka.
- Loading all relevant TLS certificates and using `smtp_forward`, which already supports per-domain settings.
Would love to hear feedback on those thoughts or any alternatives I have missed.
Also another thing I'd like to hear about is how I can avoid putting SMTP auth credentials directly in the config -- is there a way to load secrets from files or anything more dynamic?
This discussion was converted from issue #3117 on April 22, 2024 05:47.