>
>
> Server haproxy.example.com:587 accepts public connections and proxies to
> submission.example.com:587

Why forward it via haproxy?
What is wrong with postfix connected to the public IP?



>
> Each server was given its own SSL cert (Let's Encrypt certbot).
>
If you use haproxy TLS support, then you do not need postfix TLS.
You can use mandatory (autostarted TLS) on haproxy and terminate it there
like

client---<TLS>---haproxy---<PLAIN>--postfix

You wouldn't need a cert in this case.

But again: I see no reason to do that.
I run postfix with opportunistic TLS support for :25 and mandatory for
submission. And it works.


>
> I did this because I assume default postfix certs are self signed, I
> remember getting some warning in thunderbird which is why I switched
> over to certbot.
>

You can run your own CA, issue a cert for postfix and install this CA's cert
to the trusted storage on your client.
An internal CA is useful anyway, especially if you have internal resources
that need HTTPS or use a cert-based VPN.

I wonder how you installed the letsencrypt cert on the submission server.
Does it have a public IP and share a name with haproxy?




>
> My understanding is the user's client connects to haproxy server, which
> allows them to communicate with the submission server, who gives them
> the submission server TLS info which the client wants to verify against
> the haproxy server connection.
>

I didn't get this part.

Either the client establishes a TLS connection with HAProxy (which is mandatory
TLS, because HA doesn't support opportunistic) or with postfix smtpd
(which supports both: mandatory (aka SMTPS) and opportunistic (aka STARTTLS)).

http://www.postfix.org/TLS_README.html



> My first guess is copy over the haproxy certs to the submission server
> and point to them in main.cf.


A cert is useless without the private key.
Sharing private keys between two servers is an extremely bad idea IMHO.


> But that would break on the first auto
> renewal. My second guess is setup NFS from submission server to haproxy
> server and point main.cf through NFS to the haproxy certs. I'd rather
> not. Is there another standard solution?
>

I believe the standard solution is to use postfix and its TLS support
directly, without any proxy.




>
> What is the best strategy to solve this issue?
>
> Then follow up question is what about SSL ports 993/995? Is that going
> to be even more complicated?
>

Those are POPS and IMAPS (mandatory TLS).
They aren't used by Postfix.

Postfix is MTA only: it doesn't support POP nor IMAP.
