On 05-19-2021 3:28 pm, IL Ka wrote:
> Why forward it via haproxy?
> What is wrong with postfix connected to the public IP?
Load balancing.

+--------------+
| email client |
+--------------+
       |
+--------------+
|   haproxy    | ---------+
+--------------+          |
       |                  |
+--------------+   +--------------+
| submission 1 |   | submission 2 |
+--------------+   +--------------+
> If you use haproxy TLS support, then you do not need postfix TLS.
> You can use mandatory (autostarted TLS) on haproxy and terminate it
> there like
>
> client---<TLS>---haproxy---<PLAIN>---postfix
Okay, I will explore doing it that way: turn on TLS in haproxy and
disable it in postfix.
But if I do that, don't I prevent clients who don't do TLS from
connecting?
> I run postfix with opportunistic TLS support for :25 and mandatory for
> submission. And it works.
I am only doing this for submission:587 and letting MX records balance
port 25.
> I wonder how you installed the letsencrypt cert on the submission server.
> Does it have a public IP and share a name with haproxy?
Yes, every server has a public IP and FQDN hostname; I just created a
cert in --standalone mode.
No, the public doesn't see the submission server hostname because they
are connecting to haproxy.
The servers don't share a hostname, just the top level domain, like
haproxy.example.com and submission.example.com.
>> My understanding is the user's client connects to the haproxy server, which
>> allows them to communicate with the submission server, who gives them
>> the submission server TLS info which the client wants to verify against
>> the haproxy server connection.
>
> I didn't get this part.
Maybe I don't fully understand how certs work, but aren't they linked to a
hostname?
If you made a cert on submission.example.com then moved it to the
haproxy.example.com server, would it still work?
Doesn't the client validate the certificate host against the connection?
Wouldn't they see the cert is only valid for submission.example.com and,
since they are connected to haproxy.example.com, the certificate would be
invalid?
This is what I'm talking about. They connect to haproxy, which proxies
to postfix. Postfix says "here is my cert, submission.example.com". The
client says "wait a minute, I'm connected to haproxy.example.com".
> I believe the standard solution is to use postfix and its TLS support
> directly, without any proxy.
Load balancing, so clients only have to be aware of a single hostname to
put into their email programs.
> Sharing private keys between two servers is an extremely bad idea IMHO

I agree, which is why I'm asking for ideas to solve this correctly.
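For the terminate-at-haproxy layout discussed above, here is an added haproxy configuration written for this page; it is not from the thread, nor from the haproxy or Postfix projects, and the hostnames, addresses, backend ports and certificate path are assumptions. It terminates implicit TLS on port 465 (RFC 8314 "submissions") with the haproxy.example.com certificate, which is what lets clients use the single name while the private key stays on the haproxy host. On port 587 TLS starts with STARTTLS after a cleartext EHLO, which a TCP-mode proxy cannot terminate, so that port is passed through and each Postfix server presents its own certificate (which then has to be valid for the name the client connected to).

```haproxy
# Added example haproxy.cfg (not the thread's own config); all names,
# IPs, ports and paths are assumptions.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 10m
    timeout server 10m

# Implicit-TLS submission on 465: haproxy owns the haproxy.example.com
# cert and key, so clients only ever verify that one name.
frontend submissions_tls
    bind 203.0.113.10:465 ssl crt /etc/haproxy/certs/haproxy.example.com.pem
    default_backend submission_plain

# STARTTLS submission on 587: TLS is negotiated inside the SMTP dialogue,
# so this is plain TCP passthrough and postfix does its own TLS.
frontend submission_starttls
    bind 203.0.113.10:587
    default_backend submission_passthrough

backend submission_plain
    balance roundrobin
    # Plain SMTP to a postfix smtpd service that has TLS disabled
    # (smtpd_tls_security_level=none) and expects the PROXY protocol
    # (smtpd_upstream_proxy_protocol=haproxy); send-proxy forwards the
    # real client address so postfix logs it instead of haproxy's IP.
    server submission1 192.0.2.11:10465 check send-proxy
    server submission2 192.0.2.12:10465 check send-proxy

backend submission_passthrough
    balance roundrobin
    # Same PROXY-protocol expectation on the postfix 587 service.
    server submission1 192.0.2.11:587 check send-proxy
    server submission2 192.0.2.12:587 check send-proxy
```

On the Postfix side the backend behind port 465 would be a dedicated smtpd entry in master.cf (port 10465 here, an assumed value) with -o smtpd_tls_security_level=none, -o smtpd_sasl_auth_enable=yes and -o smtpd_upstream_proxy_protocol=haproxy; if send-proxy is dropped from the server lines, the proxy-protocol option must be dropped too, or Postfix will wait for a PROXY header that never arrives.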
Then the follow-up question is: what about SSL ports 993/995? Is that going
to be even more complicated?

> Those are POPS and IMAPS (mandatory TLS).
> They aren't used by Postfix.
You're right, that is a dovecot issue and I was getting ahead of myself.