So bottom line, the OPs use-case of TLS on both haproxy and Postfix does
not appear to make much sense...

Sorry if I wasn't clear. I'm just saying each server has a cert installed, as in a general setup. The cert on the haproxy server isn't currently being used, but it's there if needed depending on the solution to be used. As of now just the submission server cert is plugged into main.cf. But I don't know if that will even be the case in the final result of solving this issue.


In which case the communication between haproxy and Postfix is always
in the clear.  And especially on port 587 (STARTTLS, not wrapper mode)
the client will not initiate TLS until it gets through the initial ESMTP greeting and EHLO exchanges. So there's no role for any possible certificates
on the haproxy side, it will remain a cleartext channel.

This is what I assumed. Meaning Postfix will deliver the cert it has (the submission server cert) to the client. But the client is connected to the haproxy server, so the haproxy connection will not validate against the submission server cert.

This is the problem I'm trying to find the best solution for.
