Email Security Blog

Scaling Postfix on AWS with Elastic Load Balancing

Gabriel Ortiz June 24, 2015 How Email Works
Fallback Featured Image

Agari’s mission to solve email phishing often presents unique technical challenges. Our data ingestion process involves coping with large-scale inbound SMTP traffic. We’ve chosen Postfix as our MTA of choice. The traditional way to scale SMTP is simply to maintain MX records for multiple ingestion paths. This works but can be very limiting. Agari’s Amazon Web Services-hosted infrastructure provides some other alternatives. Advantages to using Amazon’s Elastic Load Balancer for handling SMTP traffic include simple load-based autoscaling, load distribution that’s aware of distribution across availability zones and even integration with Route53’s latency-based routing for distributing load across regions. The primary downside to using a TCP load-balancer in front of your MTA is losing the source IP in your mail logs. However, there’s a workaround.

Amazon ELB supports Proxy Protocol. This will write a TCP header that can later be read by applications which support it. Luckily for us, Postfix supports Proxy Protocol in versions 2.10 and above.

Unfortunately, the AWS web console doesn’t have an easy way to enable Proxy Protocol, but it’s pretty easy to accomplish with the AWS CLI tools. First, we need to create a policy:

aws elb create-load-balancer-policy --load-balancer-name YOUR-ELB-HERE --policy-name EnableProxyProtocol --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=True

Then, apply the policy:

aws elb set-load-balancer-policies-for-backend-server --load-balancer-name YOUR-ELB-HERE --instance-port 25 --policy-names EnableProxyProtocol

We can check to make sure our changes were applied:

aws elb describe-load-balancers --load-balancer-name YOUR-ELB-HERE

You should see EnableProxyProtocol listed under policies. That’s it for the ELB side, now you just need to enable Proxy Protocol on Postfix. In your /etc/postfix/main.cf you’ll need to add the line:

postscreen_upstream_proxy_protocol = haproxy

And then your service configuration in /etc/postfix.master.cf should look something like this:

smtp inet n - - - 1 postscreen smtpd pass - - - - - smtpd

Restart Postfix and you’re done! You should immediately see proper source IP start to show up in your mail.log.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

February 20, 2018 Jacob Rideout

Strengthen DKIM Signatures with DCRUP

In this final post of the DMARC series we’ll discuss the latest crypto updates to…

2 factor authentication

February 15, 2018 Markus Jakobsson

How SMS 2FA Might Leave You Vulnerable to Email Account Takeover

One of the biggest challenges for a security strategy is making it accessible and understandable…

Agari Blog Image

February 13, 2018 Jacob Rideout

The Arrival of ARC

As we mentioned in the first post of this series, with the arrival of ARC,…

Spear Phishing

July 24, 2017 Markus Jakobsson

The Threat Taxonomy: A Working Framework to Describe Cyber Attacks

Imagine going to the doctor and only being able to say “pain” or “sick”. You…

Agari Blog Image

September 28, 2016 Gabriel Ortiz

Software Ate My Infrastructure: 2 Years on AWS with Ansible, Terraform and Packer - Part 2

Agari has made significant investment into infrastructure as code. Almost two years into this project,…

mobile image