# HG changeset patch
# User IBBoard
# Date 1582837228 0
# Node ID 84a575614d3ca886f7bea98e2c22a11051d5f7b1
# Parent 469f2ff92df27a644ef7b01c428cb0e6bc925d48
Correct Postfix PROXY listening (and sending) Listen on the PROXY address but bind to the public address so that we don't break SPF checking. Use "smtpd_…" setting when we're using smtpd not postscreen May not be fixed because we're still seeing errors, but it should be correct. Investigating "unsupported protocol type: PROXY TCP4".
diff -r 469f2ff92df2 -r 84a575614d3c modules/postfix/templates/master.cf.epp
--- a/modules/postfix/templates/master.cf.epp Tue Feb 25 21:02:48 2020 +0000
+++ b/modules/postfix/templates/master.cf.epp Thu Feb 27 21:00:28 2020 +0000
@@ -30,18 +30,21 @@
 <%- if $mailserver_proxy != undef { -%>
 [<%= $mailserver_proxy %>]:smtp inet n - n - 1 postscreen
 -o postscreen_upstream_proxy_protocol=haproxy
+ -o smtp_bind_address6=<%= $mailserver_ip %>
 -o receive_override_options=no_address_mappings
 -o smtpd_sasl_auth_enable=no
 [<%= $mailserver_proxy %>]:smtps inet n - n - - smtpd
- -o postscreen_upstream_proxy_protocol=haproxy
+ -o smtpd_upstream_proxy_protocol=haproxy
+ -o smtp_bind_address6=<%= $mailserver_ip %>
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING
 [<%= $mailserver_proxy %>]:submission inet n - n - - smtpd
- -o postscreen_upstream_proxy_protocol=haproxy
+ -o smtpd_upstream_proxy_protocol=haproxy
+ -o smtp_bind_address6=<%= $mailserver_ip %>
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
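Review bot: `smtp_bind_address6` is a parameter of the outbound smtp(8) client, so the three added `-o smtp_bind_address6=<%= $mailserver_ip %>` overrides on the postscreen and smtpd listener entries are not expected to change which source address outgoing mail uses; if the aim is to keep SPF passing, the override belongs on the outbound `smtp` client service in master.cf (outside this hunk) or in main.cf. The `6` variant applies to IPv6 only, so `$mailserver_ip` would have to be an IPv6 address, with `smtp_bind_address` covering IPv4; the template does not show which it is. Separately, these listeners take the client address from the PROXY header, so `[<%= $mailserver_proxy %>]` should be reachable only from the HAProxy host, otherwise postscreen's checks and the logged client address rest on a value the connecting peer supplied. A comment above the block such as `# PROXY listeners: must only be reachable from the load balancer; client IP comes from the PROXY header` would record that assumption.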