.row &%local_scan_timeout%& "timeout for &[local_scan()]&"
.row &%message_size_limit%& "for all messages"
.row &%percent_hack_domains%& "recognize %-hack for these domains"
+.row &%proxy_protocol_timeout%& "timeout for proxy protocol negotiation"
.row &%spamd_address%& "set interface to SpamAssassin"
.row &%strict_acl_vars%& "object to unset ACL variables"
.row &%spf_smtp_comment_template%& "template for &$spf_smtp_comment$&"
&%queue_list_requires_admin%& and &%commandline_checks_require_admin%&.
+.new
+.option proxy_protocol_timeout main time 3s
+.cindex proxy "proxy protocol"
+This option sets the timeout for proxy protocol negotiation.
+For details see section &<<SECTproxyInbound>>&.
+.wen
+
+
.option qualify_domain main string "see below"
.cindex "domain" "for qualifying addresses"
.cindex "address" "qualification"
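Review bot: The new &%proxy_protocol_timeout%& entry only says that it "sets the timeout for proxy protocol negotiation"; it does not say what happens when the timer expires, what the default of 3s corresponds to, or what a zero value means. The test expectations added in this same commit suggest that after expiry the connection is kept open and later commands are answered with `503 Command refused, required Proxy negotiation failed`, and the 3s default matches the compile-time PROXY_NEGOTIATION_TIMEOUT_SEC that this commit removes. Consider extending the description with something like `If a host listed in &%hosts_proxy%& does not send a Proxy Protocol header within this time, negotiation is treated as failed and subsequent SMTP commands are refused. The default matches the previous built-in value of 3 seconds.`, with the behaviour for a zero value stated explicitly once it has been decided (see the ALARM() call in the smtp_in change).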
The Proxy Protocol header is the first data received on a TCP connection
and is inserted before any TLS-on-connect handshake from the client; Exim
negotiates TLS between Exim-as-server and the remote client, not between
-Exim and the proxy server.
+Exim and the proxy server. The Proxy Protocol header must be received
+within &%proxy_protocol_timeout%&, which defaults to 3s.
The following expansion variables are usable
(&"internal"& and &"external"& here refer to the interfaces
than the provious behaviour of always loading at startup time for every
connection. This helps particularly for the CA bundle.
+12. Proxy Protocol Timeout is configurable via "proxy_protocol_timeout"
+ main config option.
+
Version 4.94
------------
int proxy_external_port = 0;
uschar *proxy_local_address = NULL;
int proxy_local_port = 0;
+int proxy_protocol_timeout = 3;
#endif
uschar *prvscheck_address = NULL;
extern int proxy_external_port; /* Port on remote interface of proxy */
extern uschar *proxy_local_address; /* IP of local interface of proxy */
extern int proxy_local_port; /* Port on local interface of proxy */
+extern int proxy_protocol_timeout; /* Timeout for proxy negotiation */
extern BOOL proxy_session; /* TRUE if receiving mail from valid proxy */
#endif
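Review bot: The comment on the new extern, `/* Timeout for proxy negotiation */`, neither states the unit nor keeps the rationale that the deleted PROXY_NEGOTIATION_TIMEOUT_SEC comment carried ("how long before deciding a configured proxy host isn't speaking the protocol"). Since the value is filled in by an opt_time option and handed straight to ALARM(), suggest `/* Seconds to wait for a Proxy Protocol header from a hosts_proxy client before treating the host as not speaking the protocol (opt_time) */`. The same unit note would help next to the `int proxy_protocol_timeout = 3;` definition in globals.c.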
#define WAIT_NAME_MAX 50
-/* Wait this long before determining that a Proxy Protocol configured
-host isn't speaking the protocol, and so is disallowed. Can be moved to
-runtime configuration if per site settings become needed. */
-#ifdef SUPPORT_PROXY
-#define PROXY_NEGOTIATION_TIMEOUT_SEC 3
-#endif
-
/* Fixed option values for all PCRE functions */
#define PCRE_COPT 0 /* compile */
/* Options for smtp_write_command */
-enum {
+enum {
SCMD_FLUSH = 0, /* write to kernel */
SCMD_MORE, /* write to kernel, but likely more soon */
SCMD_BUFFER /* stash in application cmd output buffer */
{ "print_topbitchars", opt_bool, {&print_topbitchars} },
{ "process_log_path", opt_stringptr, {&process_log_path} },
{ "prod_requires_admin", opt_bool, {&prod_requires_admin} },
+#ifdef SUPPORT_PROXY
+ { "proxy_protocol_timeout", opt_time, {&proxy_protocol_timeout} },
+#endif
{ "qualify_domain", opt_stringptr, {&qualify_domain_sender} },
{ "qualify_recipient", opt_stringptr, {&qualify_domain_recipient} },
{ "queue_domains", opt_stringptr, {&queue_domains} },
BOOL yield = FALSE;
os_non_restarting_signal(SIGALRM, command_timeout_handler);
-ALARM(PROXY_NEGOTIATION_TIMEOUT_SEC);
+ALARM(proxy_protocol_timeout);
do
{
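Review bot: `ALARM(proxy_protocol_timeout);` has no lower bound, whereas the constant it replaces guaranteed a non-zero timeout; the opt_time reader accepts a value such as `0s`, and if ALARM() is a wrapper around alarm() then a zero argument cancels the pending alarm instead of arming one, so a misconfigured zero would let a client matched by hosts_proxy hold this receive loop open with no timeout at all. Either reject a non-positive value when the configuration is read, or clamp at the call site, e.g. `ALARM(proxy_protocol_timeout > 0 ? proxy_protocol_timeout : 3);` with a comment saying why, and document the chosen rule in the option description. The function containing this loop starts and ends outside the hunk, so I cannot see whether the value is validated earlier.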
primary_hostname = myhost.test.ex
hosts_proxy = HOSTIPV4
+# default timeout is 3s, speed up the timeout test here
+proxy_protocol_timeout = 1s
queue_only
# ----- Main settings -----
exim -bd -DSERVER=server -oX PORT_D
****
#
-# non-prox plain receive
+### non-prox plain receive
client 127.0.0.1 PORT_D
??? 220
HELO clientname
??? 221
****
#
-# protocol v1 plain receive
+### protocol v1 plain receive
client HOSTIPV4 PORT_D
PROXY TCP4 127.0.0.2 127.42.42.42 64000 25
??? 220
#
#
#
-# protocol v2 plain receive
+### protocol v2 plain receive
client HOSTIPV4 PORT_D
>>> \x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x21\x11\x00\x0c\x7f\x00\x00\x02\x7f\x2a\x2a\x2a\xc2\x95\x04\x01
??? 220
#
#
#
+### proxy timeout
+client HOSTIPV4 PORT_D
+??? 220
+PROXY TCP4 127.0.0.2 127.42.42.42 64000 25
+??? 503
+QUIT
+??? 221
+****
killdaemon
no_msglog_check
.
QUIT
****
+### proxy timeout
+exim -bh HOSTIPV4
+:sleep:3
+PROXY TCP4 127.0.0.2 127.42.42.42 64000 25
+QUIT
+****
--- /dev/null
+### non-prox plain receive
+### protocol v1 plain receive
+### protocol v2 plain receive
+### proxy timeout
+
+******** SERVER ********
+### non-prox plain receive
+### protocol v1 plain receive
+### protocol v2 plain receive
+### proxy timeout
>>> host in helo_accept_junk_hosts? no (option unset)
>>> clientname in helo_lookup_domains? no (end of list)
>>> using ACL "r_acl"
->>> processing "accept" (TESTSUITE/test-config 20)
+>>> processing "accept" (TESTSUITE/test-config 22)
>>> check logwrite = proxy session: $proxy_session
>>> = proxy session: no
LOG: proxy session: no
LOG: no host name found for IP address 127.0.0.2
>>> clientname in helo_lookup_domains? no (end of list)
>>> using ACL "r_acl"
->>> processing "accept" (TESTSUITE/test-config 20)
+>>> processing "accept" (TESTSUITE/test-config 22)
>>> check logwrite = proxy session: $proxy_session
>>> = proxy session: yes
LOG: proxy session: yes
LOG: no host name found for IP address 127.0.0.2
>>> clientname in helo_lookup_domains? no (end of list)
>>> using ACL "r_acl"
->>> processing "accept" (TESTSUITE/test-config 20)
+>>> processing "accept" (TESTSUITE/test-config 22)
>>> check logwrite = proxy session: $proxy_session
>>> = proxy session: yes
LOG: proxy session: yes
>>> end of ACL "r_acl": ACCEPT
>>> host in ignore_fromline_hosts? no (option unset)
LOG: 10HmaZ-0005vi-00 <= a@test.ex H=(clientname) [127.0.0.2]:1115 P=smtp PRX=ip4.ip4.ip4.ip4 S=sss
+### proxy timeout
+>>> host in hosts_connection_nolog? no (option unset)
+>>> host in host_lookup? no (option unset)
+>>> host in host_reject_connection? no (option unset)
+>>> host in sender_unqualified_hosts? no (option unset)
+>>> host in recipient_unqualified_hosts? no (option unset)
+>>> host in helo_verify_hosts? no (option unset)
+>>> host in helo_try_verify_hosts? no (option unset)
+>>> host in helo_accept_junk_hosts? no (option unset)
******** SERVER ********
### non-prox plain receive
### protocol v1 receive
### protocol v2 receive
+### proxy timeout
+### non-prox plain receive
Connecting to 127.0.0.1 port 1225 ... connected
??? 220
<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
??? 221
<<< 221 myhost.test.ex closing connection
End of script
+### protocol v1 plain receive
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
>>> PROXY TCP4 127.0.0.2 127.42.42.42 64000 25
??? 220
??? 221
<<< 221 myhost.test.ex closing connection
End of script
+### protocol v2 plain receive
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
>>> \x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x21\x11\x00\x0c\x7f\x00\x00\x02\x7f\x2a\x2a\x2a\xc2\x95\x04\x01
??? 220
??? 221
<<< 221 myhost.test.ex closing connection
End of script
+### proxy timeout
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> PROXY TCP4 127.0.0.2 127.42.42.42 64000 25
+??? 503
+<<< 503 Command refused, required Proxy negotiation failed
+>>> QUIT
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+
+******** SERVER ********
+### non-prox plain receive
+### protocol v1 plain receive
+### protocol v2 plain receive
+### proxy timeout
**** SMTP testing: that is not a real message id!
+221 myhost.test.ex closing connection\r
+### proxy timeout
+
+**** SMTP testing session as if from host ip4.ip4.ip4.ip4
+**** but without any ident (RFC 1413) callback.
+**** This is not for real!
+
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+503 Command refused, required Proxy negotiation failed\r
221 myhost.test.ex closing connection\r
******** SERVER ********
### non-prox plain receive
### protocol v1 receive
### protocol v2 receive
+### proxy timeout