On 05-19-2021 3:28 pm, IL Ka wrote:
> Why forward it via haproxy?
> What is wrong with postfix connected to the public IP?

Load balancing.

+--------------+
| email client |
+--------------+
       |
+--------------+
| haproxy      | ---------+
+--------------+          |
       |                  |
+--------------+   +--------------+
| submission 1 |   | submission 2 |
+--------------+   +--------------+


> If you use haproxy TLS support, then you do not need postfix TLS.
> You can use mandatory (autostarted TLS) on haproxy and terminate it there, like
> client---<TLS>---haproxy---<PLAIN>---postfix

Okay, I will explore doing it that way: turn on TLS in haproxy and disable it in postfix. But if I do that, don't I prevent clients who don't do TLS from connecting?


> I run postfix with opportunistic TLS support for :25 and mandatory for submission. And it works.

I am only doing this for submission:587 and letting MX records balance port 25.


> I wonder how you installed the letsencrypt cert on the submission server.
> Does it have a public IP and share a name with haproxy?

Yes, every server has a public IP and an FQDN hostname; I just created a cert in --standalone mode. No, the public doesn't see the submission server hostname, because they are connecting to haproxy. The servers don't share a hostname, just the top-level domain, like haproxy.example.com and submission.example.com.


>> My understanding is the user's client connects to the haproxy server, which allows them to communicate with the submission server, which gives them the submission server's TLS info, which the client wants to verify against the haproxy server connection.
>
> I didn't get this part.

Maybe I don't fully understand how certs work; aren't they linked to a hostname? If you made a cert on submission.example.com and then moved it to the haproxy.example.com server, would it still work? Doesn't the client validate the certificate host against the connection? Wouldn't they see that the cert is only valid for submission.example.com and, since they are connected to haproxy.example.com, the certificate would be invalid?

This is what I'm talking about. They connect to haproxy, which proxies to postfix. Postfix says, "here is my cert, submission.example.com." The client says, "wait a minute, I'm connected to haproxy.example.com."


> I believe the standard solution is to use postfix and its TLS support directly, without any proxy.

Load balancing, so clients only have to be aware of a single hostname to put into their email programs.


> Sharing private keys between two servers is an extremely bad idea IMHO.

I agree, which is why I'm asking for ideas to solve this correctly.


>> Then a follow-up question is: what about the SSL ports 993/995? Is that going to be even more complicated?
>
> Those are POPS and IMAPS (mandatory TLS).
> They aren't used by Postfix.

You're right, that is a dovecot issue and I was getting ahead of myself.

