On Wed, May 19, 2021 at 03:28:03PM -0400, post...@ptld.com wrote:

> > In which case the communication between haproxy and Postfix is
> > always in the clear.  And especially on port 587 (STARTTLS, not
> > wrapper mode) the client will not initiate TLS until it gets through
> > the initial ESMTP greeting and EHLO exchanges.  So there's no role
> > for any possible certificates on the haproxy side, it will remain a
> > cleartext channel.
> 
> This is what I assumed. Meaning postfix will deliver the cert it has
> (the submission server cert) to the client.  But the client is
> connected to haproxy server so the haproxy connection will not
> validate to the submission server cert.

You're profoundly confused.  TCP-layer connection termination and
resumption via layer-4 proxies is completely transparent at the TLS
layer.  The TLS connection is end-to-end from client to Postfix.

The haproxy system just copies raw bytes between client and server,
it is not involved in TLS.  The haproxy server will NOT be making
a TLS connection to Postfix, the remote client will do that.

> This is the problem I'm trying to find best solution for.

There is no problem to be solved.

-- 
    Viktor.
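For reference, an added illustration of the layer-4 setup described above (not a configuration from the thread or from either project): haproxy relays port 587 to Postfix in TCP mode, so no certificate appears on the haproxy side at all; the backend address 192.0.2.10 is a placeholder.

```haproxy
# Added example, not from the original thread: minimal haproxy layer-4
# (TCP) relay for the submission port in front of Postfix.
# There is deliberately no "ssl" keyword and no "crt" on the bind line:
# haproxy copies raw bytes and is not involved in TLS. STARTTLS on 587
# is negotiated end-to-end between the remote client and Postfix.
global
    log /dev/log local0

defaults
    log     global
    mode    tcp            # layer 4 only; haproxy never parses SMTP or TLS
    option  tcplog
    timeout connect 5s
    timeout client  5m     # SMTP sessions can be long-lived
    timeout server  5m

frontend submission_in
    bind :587              # plaintext TCP listener; no certificate here
    default_backend postfix_submission

backend postfix_submission
    # Placeholder backend address for illustration only.
    server postfix 192.0.2.10:587 check
```

To confirm that the certificate a client sees is the one configured on Postfix (not anything on the proxy host), run `openssl s_client -starttls smtp -connect <haproxy-host>:587` and inspect the server certificate in the output.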
