require_proxy_protocol

Since: Dev Builds Only

The functionality described in this section requires a dev build of KumoMTA. You can obtain a dev build by following the instructions in the Installation section.

Danger

Take care to apply this ONLY in an appropriate peer block, otherwise you risk a variety of security/authentication related bypasses. Furthermore, this changes the semantics of the SMTP session and will prevent non-proxy clients from connecting to the server.

When set to true, incoming SMTP sessions are required to send an HAProxy PROXY protocol header, whose contents override the effective received_from and/or received_via connection-level metadata items.

Since the proxy protocol header must be unilaterally sent by the client before the server can return the SMTP banner (which is normally unilaterally sent by the server), requiring the proxy protocol prevents non-proxy clients from connecting to the listener when this configuration is in effect.

Both V1 and V2 proxy header packets are supported.

If the proxy header is missing, the connection will be torn down and no service will be permitted.

After the proxy header is received and successfully parsed, the ESMTP listener re-evaluates the parameters (especially the via and peer blocks), and triggers smtp_server_get_dynamic_parameters to ensure that all the listener configuration has been updated to match the adjusted via and from addresses.

kumo.start_esmtp_listener {
  -- Always use an appropriate `peer` block to scope the
  -- proxy protocol to networks that you trust at the
  -- highest levels
  peer = {
    ['127.0.0.1'] = {
      require_proxy_protocol = true,
    },
  },
}
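As an added illustration (not KumoMTA's own code), the following Python parser shows what a listener configured this way has to consume before it can send the SMTP banner: a v1 text header or a v2 binary header supplies the overriding received_from (source) and received_via (destination) endpoints, and anything else, such as an EHLO from a non-proxy client, is rejected so the connection can be torn down. The sample headers are constructed, not captured traffic.

```python
import ipaddress
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # opens every v2 header


class ProxyHeaderError(ValueError):
    """Missing or malformed header: the listener tears the connection down."""


def parse_proxy_header(data):
    """Return (received_from, received_via, remaining_bytes); endpoints are (ip, port)."""
    if data.startswith(V2_SIGNATURE):
        return _parse_v2(data)
    if data.startswith(b"PROXY "):
        return _parse_v1(data)
    # A client that speaks SMTP first ("EHLO ...") sent no header: reject it.
    raise ProxyHeaderError("connection did not begin with a PROXY protocol header")


def _parse_v1(data):
    end = data.find(b"\r\n", 0, 107)  # v1 lines are at most 107 bytes incl. CRLF
    fields = data[:end].decode("ascii", "replace").split(" ") if end >= 0 else []
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed or unsupported v1 header")
    _, _, src, dst, sport, dport = fields
    return ((str(ipaddress.ip_address(src)), int(sport)),
            (str(ipaddress.ip_address(dst)), int(dport)), data[end + 2:])


def _parse_v2(data):
    if len(data) < 16:
        raise ProxyHeaderError("truncated v2 header")
    # Signature is followed by version/command, family/protocol and body length.
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    body, rest = data[16:16 + length], data[16 + length:]
    if ver_cmd >> 4 != 2 or len(body) < length:
        raise ProxyHeaderError("bad v2 version or truncated header")
    if ver_cmd & 0x0F == 0:  # LOCAL (e.g. proxy health check): keep real peer
        return None, None, rest
    fmt = {1: "!4s4sHH", 2: "!16s16sHH"}.get(fam_proto >> 4)  # AF_INET / AF_INET6
    if ver_cmd & 0x0F != 1 or fmt is None or len(body) < struct.calcsize(fmt):
        raise ProxyHeaderError("unsupported v2 command or address family")
    src, dst, sport, dport = struct.unpack_from(fmt, body)
    return ((str(ipaddress.ip_address(src)), sport),
            (str(ipaddress.ip_address(dst)), dport), rest)


# Constructed sample headers (not captured traffic), each followed by the EHLO.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 198.51.100.25 41234 25\r\nEHLO mail.example\r\n"
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + bytes([203, 0, 113, 7]) + bytes([198, 51, 100, 25])
             + struct.pack("!HH", 41234, 25) + b"EHLO mail.example\r\n")
```

The bytes returned as `remaining_bytes` are the start of the real SMTP dialogue, which the listener processes only after the peer and via blocks have been re-evaluated against the overriding addresses.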