So bottom line, the OP's use case of TLS on both haproxy and Postfix does not appear to make much sense...
Sorry if I wasn't clear. I'm just saying each server has a cert installed, as in a general setup. The cert on the haproxy server isn't currently being used, but it's there if needed, depending on the solution to be used. As of now just the submission server cert is plugged into main.cf. But I don't know if that will even be the case in the final result of solving this issue.
In which case the communication between haproxy and Postfix is always in the clear. And especially on port 587 (STARTTLS, not wrapper mode) the client will not initiate TLS until it gets through the initial ESMTP greeting and EHLO exchanges. So there's no role for any possible certificates on the haproxy side; it will remain a cleartext channel.
This is what I assumed, meaning Postfix will deliver the cert it has (the submission server cert) to the client. But the client is connected to the haproxy server, so the haproxy connection will not validate to the submission server cert.
This is the problem I'm trying to find the best solution for.
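One way to reconcile the client's hostname check with the STARTTLS constraint described above, shown as an added example that is not part of this thread or the OP's actual setup: keep haproxy out of TLS entirely and pass port 587 through in TCP mode, so the TLS handshake runs end to end between the client and Postfix. Postfix then serves the submission cert directly, and that cert must carry the public name clients use to reach haproxy (assumed here to be mail.example.com). The backend address, section names and the use of the PROXY protocol are assumptions for illustration.

```haproxy
# haproxy.cfg fragment (added example; names and addresses are assumed)
# Port 587 is relayed as opaque TCP: haproxy never sees the ESMTP greeting,
# EHLO, or the STARTTLS handshake, so no certificate is configured here.
frontend submission_in
    bind :587
    mode tcp
    option tcplog
    default_backend postfix_submission

backend postfix_submission
    mode tcp
    # send-proxy prepends a PROXY protocol header so Postfix logs and
    # access policies see the real client address instead of haproxy's.
    # The certificate Postfix presents on this port must name
    # mail.example.com, the name the client actually connected to.
    server mx1 192.0.2.10:587 send-proxy
```

On the Postfix side, `send-proxy` requires the matching `-o smtpd_upstream_proxy_protocol=haproxy` on the submission entry in master.cf (Postfix 2.10 or later), and only on that entry: a listener with this option set rejects any connection that does not begin with a PROXY header, so the backend port must not be reachable by clients except through haproxy. Validate the two halves with `haproxy -c -f /etc/haproxy/haproxy.cfg` and `postconf -M submission/inet`, then confirm with `openssl s_client -starttls smtp -connect mail.example.com:587` that the certificate chain returned verifies against the public name.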