On Wed, May 19, 2021 at 03:28:03PM -0400, post...@ptld.com wrote:

> > In which case the communication between haproxy and Postfix is
> > always in the clear. And especially on port 587 (STARTTLS, not
> > wrapper mode) the client will not initiate TLS until it gets through
> > the initial ESMTP greeting and EHLO exchanges. So there's no role
> > for any possible certificates on the haproxy side, it will remain a
> > cleartext channel.
>
> This is what I assumed. Meaning postfix will deliver the cert it has
> (the submission server cert) to the client. But the client is
> connected to the haproxy server so the haproxy connection will not
> validate to the submission server cert.

You're profoundly confused. TCP-layer connection termination and
resumption via layer-4 proxies is completely transparent at the TLS
layer. The TLS connection is end-to-end from client to Postfix. The
haproxy system just copies raw bytes between client and server; it is
not involved in TLS. The haproxy server will NOT be making a TLS
connection to Postfix, the remote client will do that.

> This is the problem I'm trying to find the best solution for.

There is no problem to be solved.

-- 
Viktor.
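To make the point above concrete, here is an added example (not from the thread, and not the poster's actual configuration) of a layer-4 haproxy passthrough for the submission port; the frontend name, the backend address and the host name in the check command are assumed.

```haproxy
# Added example: haproxy in "mode tcp" only shuttles bytes between the
# client and Postfix.  There is no "ssl" or "crt" keyword anywhere,
# because haproxy never takes part in the TLS handshake; STARTTLS is
# negotiated end-to-end between the remote client and Postfix, and the
# certificate the client validates is the one Postfix presents.
defaults
    mode tcp
    timeout connect 5s
    timeout client 10m
    timeout server 10m

frontend submission
    bind *:587                      # plain TCP listener, no TLS termination
    default_backend postfix_submission

backend postfix_submission
    server mta1 10.0.0.25:587 check  # assumed address of the Postfix host

# Check from a client machine (host name assumed):
#   openssl s_client -starttls smtp -connect haproxy.example.com:587
# The chain printed is Postfix's submission certificate, which is why
# no certificate is needed on the haproxy side.
```

Note that in this configuration Postfix logs haproxy's address as the client; if the real client address matters for logging or access control, haproxy's `send-proxy` option together with Postfix's `smtpd_upstream_proxy_protocol = haproxy` passes it through, still without involving haproxy in TLS.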