[HELP] Source IP Changed when using tcp stream to mail, have to use a header like x forwarded for?

Open firepked opened this issue 1 year ago • 5 comments

What happened? I am experiencing an issue where the source IP address of incoming email connections is being changed when using a TCP stream. Instead of seeing the original source IP, I receive the IP address of my server. Proxmox Mail Gateway does reject the mails because the SPF check fails, since the source address is changed to my VPS IP.

Describe what have you tried I expected to see the original source IP address in my mail logs, but instead, I see the server’s IP address.

Describe the networking setup you are using I've got a VPS from IONOS where I have installed Zoraxy and Tailscale (VPN). I want to redirect / stream port 25 to an internal address.

Are you using the docker build of Zoraxy? No
Your Zoraxy version? Zoraxy v.3.1.1
Are you using Cloudflare? No
Are your system hosted under a NAT router? No
DNS record (if any): not required here

Additional context Is there a header like http proxy has "x-forwarded-from" so I could tell Proxmox Mail Gateway to use it as real ip?

firepked avatar Oct 30 '24 10:10 firepked

@firepked I am not sure what your mail gateway is actually using to determine the source IP address of the incoming email, but here is some information for you regarding your questions.

I expected to see the original source IP address in my mail logs

The Stream Proxy operates on the Transport layer of the OSI model. The stream proxy listener accepts your incoming packet and sends it out using the socket that is created when you start the stream proxy service. So if your mail gateway is using the TCP packet headers to determine its source IP, then you should not be using the Stream Proxy for mail forwarding but something lower (like a network adapter bridge).

Is there a header like http proxy has "x-forwarded-from" so I could tell Proxmox Mail Gateway to use it as real ip?

x-forwarded-for is an HTTP header and if you proxy your mail in Stream Proxy mode, Zoraxy will not be able to modify your HTTP request header and append that for you. Have you tried using HTTP Proxy instead?

tobychui avatar Oct 31 '24 10:10 tobychui

We are suffering from the same situation, getting Server IP in the logs.

skull-candy avatar Feb 05 '25 09:02 skull-candy

I have the same question regarding proxying ssh. It works but I only get the IP of the zoraxy host in destination ssh logs.

baskinsy avatar Nov 01 '25 20:11 baskinsy

@baskinsy Since the TCP connection gets proxied through Zoraxy, the IP is lost during the proxy process. If you enable proxy protocol support, you should be able to extract the source IP from the request.

I will see if @jemmy1794 can figure out something new for this in the stream proxy module.

tobychui avatar Nov 02 '25 05:11 tobychui

I tried that... Seems sshd cannot read the proxy protocol and the connection fails. I also tried to pass sshd through haproxy (zoraxy---tcp---haproxy---sshd) but then I get the zoraxy container IP. I also tried to run zoraxy in host mode in docker-compose.yml and again I am only seeing the VM's IP where zoraxy is running... So no luck. In any case it is not critical.

baskinsy avatar Nov 02 '25 09:11 baskinsy
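
The proxy protocol option mentioned in this thread only helps when the backend itself reads the header line that the proxy prepends to the TCP stream, and the header must be honoured only from the proxy's own address, since it is plain text that any client could send. The following Go code is an added example, not taken from the thread or from the Zoraxy code base; it shows the receiving side for the PROXY protocol v1 text header. The function name `ClientAddr` and all addresses are hypothetical and constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ClientAddr reads a PROXY protocol v1 line (TCP4/TCP6 only) and returns the original
// client IP and port. The header is honoured only if the direct peer is a trusted proxy.
func ClientAddr(r *bufio.Reader, peer net.IP, trusted []*net.IPNet) (net.IP, int, error) {
	ok := false
	for _, n := range trusted {
		ok = ok || n.Contains(peer)
	}
	if !ok {
		return nil, 0, fmt.Errorf("peer %s is not a trusted proxy", peer)
	}
	// A v1 header is one ASCII line of at most 107 bytes ending in CRLF; the read is bounded.
	var line []byte
	for len(line) < 107 && !strings.HasSuffix(string(line), "\r\n") {
		b, err := r.ReadByte()
		if err != nil {
			return nil, 0, fmt.Errorf("reading PROXY header: %w", err)
		}
		line = append(line, b)
	}
	f := strings.Split(strings.TrimSuffix(string(line), "\r\n"), " ")
	if !strings.HasSuffix(string(line), "\r\n") || len(f) != 6 || f[0] != "PROXY" ||
		(f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, 0, fmt.Errorf("no usable PROXY v1 header: %q", line)
	}
	src := net.ParseIP(f[2])
	port, err := strconv.Atoi(f[4])
	if src == nil || err != nil || port < 0 || port > 65535 {
		return nil, 0, fmt.Errorf("bad source address in PROXY header")
	}
	return src, port, nil
}

func main() {
	// Constructed sample: the header line, then the first application data.
	stream := "PROXY TCP4 203.0.113.7 100.64.0.2 51234 25\r\nEHLO mail.example.org\r\n"
	_, proxyNet, _ := net.ParseCIDR("100.64.0.1/32") // assumed address of the proxy host
	r := bufio.NewReader(strings.NewReader(stream))
	fmt.Println(ClientAddr(r, net.ParseIP("100.64.0.1"), []*net.IPNet{proxyNet}))
}
```

A backend that does not expect this line sees it as the first bytes of the application protocol, so the header has to be enabled on both ends or on neither.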