Server haproxy.example.com:587 accepts public connections and proxies to submission.example.com:587
Each server was given its own SSL cert (Let's Encrypt certbot).

Postfix main.cf is using the certbot cert for TLS:

smtpd_tls_cert_file = /etc/letsencrypt/live/submission.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/submission.example.com/privkey.pem

I did this because I assume the default Postfix certs are self-signed; I remember getting some warning in Thunderbird, which is why I switched over to certbot.

My understanding is the user's client connects to the haproxy server, which allows them to communicate with the submission server, which gives them the submission server's TLS info, which the client wants to verify against the haproxy server connection.

My first guess is to copy the haproxy certs over to the submission server and point to them in main.cf. But that would break on the first auto-renewal. My second guess is to set up NFS from the submission server to the haproxy server and point main.cf through NFS at the haproxy certs. I'd rather not. Is there another standard solution?

What is the best strategy to solve this issue?

Then a follow-up question is: what about the SSL ports 993/995? Is that going to be even more complicated?

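An added configuration example, not part of the original post, showing the usual way this is set up: HAProxy runs in TCP mode and simply passes the bytes through, so the TLS handshake on 587 (and on 993/995) happens end-to-end between the mail client and the backend, and the backend's certificate is the one the client verifies. There is then nothing to copy or share; the only requirement is that the certificate on the submission server covers the name users type into their client. Optionally HAProxy sends the PROXY protocol header so Postfix and Dovecot log and rate-limit the real client address instead of HAProxy's. Host names are the ones from the post; the 192.0.2.x addresses and the Postfix/Dovecot service entries are placeholders I am assuming for illustration.

```conf
# --- /etc/haproxy/haproxy.cfg (added example; addresses are placeholders) ---
global
    log /dev/log local0

defaults
    mode    tcp          # SMTP/IMAP/POP3 are not HTTP: forward the raw TCP stream
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  5m   # mail sessions idle for a while; keep these generous
    timeout server  5m

# Port 587 (STARTTLS). HAProxy never sees the TLS handshake; the client
# negotiates TLS directly with Postfix, so Postfix's certificate must carry
# the host name the client is configured to connect to.
listen submission
    bind *:587
    # send-proxy = PROXY protocol v1, so Postfix sees the real client IP.
    # Remove it if you do not enable smtpd_upstream_proxy_protocol below.
    server postfix 192.0.2.10:587 send-proxy

# Same pattern for the implicit-TLS ports from the follow-up question:
# still plain TCP passthrough, still the backend's certificate.
listen imaps
    bind *:993
    server dovecot 192.0.2.11:993 send-proxy

listen pop3s
    bind *:995
    server dovecot 192.0.2.11:995 send-proxy

# --- /etc/postfix/master.cf (submission service entry, assumed layout) ---
# smtpd_upstream_proxy_protocol=haproxy is required once HAProxy sends the
# PROXY header; without it every session fails right after the header.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_upstream_proxy_protocol=haproxy

# --- Dovecot (any included dovecot.conf file), for the 993/995 listeners ---
# Only the HAProxy host may send a PROXY header; anything else is rejected.
haproxy_trusted_networks = 192.0.2.5
haproxy_ports = 993 995
```

With this in place the certificate question reduces to naming: either have users connect to submission.example.com directly (HAProxy's own certificate is never presented on these ports), or issue the submission server's certificate for the public name as well, e.g. `certbot -d submission.example.com -d haproxy.example.com`. For HTTP-01 validation that means port 80 for the public name must also reach the submission server (an HAProxy frontend on 80 forwarding to it, or the DNS-01 challenge instead), and renewal then keeps working without copying or NFS. Terminating TLS on HAProxy itself is only an option for the implicit-TLS ports (465/993/995), never for STARTTLS on 587, because HAProxy does not speak SMTP; the passthrough layout above avoids that split.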