Server haproxy.example.com:587 accepts public connections and proxies to
submission.example.com:587
Each server was given its own SSL cert (Let's Encrypt certbot).
Postfix main.cf is using certbot cert for TLS
smtpd_tls_cert_file = /etc/letsencrypt/live/submission.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/submission.example.com/privkey.pem
I did this because I assume default Postfix certs are self-signed; I
remember getting some warning in Thunderbird, which is why I switched
over to certbot.
My understanding is the user's client connects to the haproxy server, which
allows them to communicate with the submission server, which gives them
the submission server's TLS info, which the client wants to verify against
the haproxy server connection.
My first guess is to copy the haproxy certs over to the submission server
and point to them in main.cf. But that would break on the first auto
renewal. My second guess is to set up NFS from the submission server to the
haproxy server and point main.cf through NFS to the haproxy certs. I'd rather
not. Is there another standard solution?
What is the best strategy to solve this issue?
Then follow up question is what about SSL ports 993/995? Is that going
to be even more complicated?
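An added check, not part of the original post, for the situation the question describes: it pulls the leaf certificate a server presents on a STARTTLS port (587) or an implicit-TLS port (993/995) and reports whether its DNS subjectAltName entries include the public name the client connects to. It assumes only the openssl command-line tool (1.1.1 or later); the host names are the question's own, and `check_public_name`, `fetch_cert`, `cert_covers` and `cert_dns_names` are hypothetical helper names.

```shell
# Added example, not from the original post: check which DNS names a mail
# server's TLS certificate covers and whether they include the public name
# the client actually connects to (haproxy.example.com in the question).
# Assumes the openssl CLI (1.1.1 or later); host names are the question's.

# Print the DNS subjectAltName entries of the PEM certificate in file $1.
# Modern mail clients match the host name against SAN entries, so a CN
# on its own is not enough.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Succeed if certificate $1 lists host name $2 (exact match; wildcard
# entries are not expanded here).
cert_covers() {
    cert_dns_names "$1" | grep -qx "$2"
}

# Fetch the leaf certificate presented on host $1 port $2 and save it as
# PEM to $3. Ports 25 and 587 negotiate TLS via STARTTLS; 993/995 are
# implicit TLS, so the handshake starts immediately.
fetch_cert() {
    host=$1; port=$2; out=$3
    case $port in
        25|587) starttls="-starttls smtp" ;;
        *)      starttls="" ;;
    esac
    # $starttls is deliberately unquoted so it splits into two arguments.
    openssl s_client -servername "$host" -connect "$host:$port" $starttls \
        </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$out"
}

# Combined check: does the name the user types into their client appear in
# the certificate the proxied server presents? Returns 0 if so, 1 if not.
check_public_name() {
    host=$1; port=$2
    tmp=$(mktemp) || return 2
    fetch_cert "$host" "$port" "$tmp"
    if cert_covers "$tmp" "$host"; then
        echo "$host:$port presents a certificate covering $host"; rc=0
    else
        echo "$host:$port presents a certificate that does NOT cover $host;"
        echo "names found: $(cert_dns_names "$tmp" | tr '\n' ' ')"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (needs network access, so not run here):
#   check_public_name haproxy.example.com 587
#   check_public_name haproxy.example.com 993
```

Run it once against each public port before and after any certificate change; if the proxy is doing plain TCP pass-through, the names it reports are the ones in the submission server's certificate, which is exactly what the client compares against the host name it was given.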