On Wed, May 19, 2021 at 03:28:03PM -0400, post...@ptld.com wrote:
> > In which case the communication between haproxy and Postfix is
> > always in the clear. And especially on port 587 (STARTTLS, not
> > wrapper mode) the client will not initiate TLS until it gets through
> > the initial ESMTP greeting and EHLO exchanges. So there's no role
> > for any possible certificates on the haproxy side, it will remain a
> > cleartext channel.
>
> This is what I assumed. Meaning postfix will deliver the cert it has
> (the submission server cert) to the client. But the client is
> connected to haproxy server so the haproxy connection will not
> validate to the submission server cert.
You're profoundly confused. TCP-layer connection termination and
resumption via layer-4 proxies is completely transparent at the TLS
layer. The TLS connection is end-to-end from client to Postfix.
The haproxy system just copies raw bytes between client and server,
it is not involved in TLS. The haproxy server will NOT be making
a TLS connection to Postfix, the remote client will do that.
> This is the problem im trying to find best solution for.
There is no problem to be solved.
--
Viktor.
