SMTP Connection Proxying
- Table of Contents
- Overview
- SMTP Connection Proxying
- TLS / STARTTLS
- Connection Reuse
Overview
GreenArrow Proxy serves as a forward proxy between GreenArrow MTA instances and mailbox provider MX servers.
SMTP Connection Proxying
When an instance of GreenArrow is configured to deliver through GreenArrow Proxy, the proxy server is responsible for establishing and maintaining outgoing SMTP connections (similar to using HAProxy).
This means that any given GreenArrow server does not require the outgoing IP addresses to be bound to their operating system. Instead, those outgoing IP addresses will be bound on the container or VM running GreenArrow Proxy.
TLS / STARTTLS
All connections between GreenArrow instances and GreenArrow Proxy use TLS (this is part of the Proprietary GreenArrow Proxy Protocol).
When a remote SMTP connection requests use of TLS (usually due to starttls_use), TLS is established between GreenArrow Proxy and the remote SMTP server. This TLS session will be maintained by GreenArrow Proxy until that remote SMTP connection is closed. If the connection is reused due to reuse_connections, it will continue its existing TLS session, regardless of which GreenArrow instances reuses the connection.
Connection Reuse
GreenArrow Proxy interacts well with the reuse_connections directive.
When a GreenArrow instance requests a new connection, GreenArrow Proxy will first check to see if it has a saved connection that can be used due to reuse_connections (regardless of which GreenArrow instance last used that connection). If one is available, it is used for the requested connection. After the instance has completed its SMTP session, a determination will be made if the connection should continue to be retained, or if it should be closed.
Connections being held open in GreenArrow Proxy (but not currently being used by any GreenArrow instance) will not show up in the Remote Connections on any GreenArrow instance.
View connections saved for reuse
To view a report of connections currently being held for reuse on GreenArrow Proxy, combine the following two commands.
This command “tails” the greenarrow_proxy log:
journalctl -u greenarrow_proxy.service --follow
This command sends the SIGUSR1 signal to greenarrow_proxy, which in turn causes it to print a connections report (to the log we’re tailing above):
systemctl kill --signal=SIGUSR1 greenarrow_proxy.service
This connections report only includes connections that are saved for reuse.