> On 19 May 2021, at 4:43 pm, post...@ptld.com wrote:
>
>> Don't misconfigure the client to connect to "haproxy.example.com", instead
>> publish a CNAME:
>>
>>     submission.example.com. IN CNAME haproxy.example.com.
>>
>> Have the client connect to submission.example.com.  The load
>> balancing in "haproxy" can be by IP address, or some alternative
>> names of the hosts, if haproxy wants to connect to hostnames.
>
> To my knowledge you can not create a certificate linked to an IP, it has to
> be a hostname.

I said nothing about certificates for IP addresses.  The certificate in
question would of course be for "submission.example.com".  The purpose of
the CNAME is to ensure that TCP connections to the server are made to the
proxy instead.

> I do not see how making a CNAME removes the problem.

It aliases the server's hostname to the proxy.  Clients connect to the
proxy thinking it is the server, and expect the server's certificate,
which the server will present, because the proxy is just doing layer 4.

> If I make it so the client connects to submission.example.com, then postfix
> server has to be renamed to something else like balanced1.example.com

You can call the underlying server whatever you want, including the same
name in fact, with the internal IP in /etc/hosts.

> Now the client connects to submission.example.com and is being given a
> certificate from balanced1.example.com.  Same problem exists.

Why would you get a certificate for the internal name?  That's clearly
silly.  Get a certificate for the external name.

> Following your advice, I would have to create a certificate on the proxy
> server submission.example.com, then copy that certificate from the proxy
> server to the postfix server balanced1.example.com.

No, you just have to also proxy port 443 as well as 587, and then Let's
Encrypt will issue a certificate for submission.example.com to (one of
the) underlying servers.  To make that predictable, assign just one server
as the target for port 443.  But you could also arrange for multi-way
rsync with newest timestamp wins.

> Just to make sure I understand you, is that what you are telling me I should
> do?

Of course not.

-- 
Viktor.
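The layer-4 arrangement described in the thread, as an added HAProxy configuration example (not Viktor's or the list's own config): port 587 is balanced across the Postfix hosts, each of which holds its own copy of the submission.example.com certificate, while port 443 is pinned to a single host so that ACME issuance lands predictably. The backend addresses 10.0.0.11 and 10.0.0.12 and the server names mx1/mx2 are constructed placeholders; port 80 is included because the HTTP-01 challenge starts on port 80 before any redirect to 443, whereas TLS-ALPN-01 validates on 443 directly.

```haproxy
# Added example: TCP (layer-4) pass-through in front of two Postfix hosts.
# 10.0.0.11 / 10.0.0.12 are constructed placeholder addresses.
global
    log stdout format raw local0

defaults
    mode    tcp              # no TLS termination here; Postfix presents its own cert
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  10m      # SMTP sessions can be long-lived
    timeout server  10m

# Port 587: every Postfix host carries the submission.example.com certificate,
# so any of them may answer a connection that arrived via the CNAME.
frontend submission
    bind *:587
    default_backend postfix_submission

backend postfix_submission
    balance roundrobin       # one TCP connection = one SMTP session, so no stickiness needed
    server mx1 10.0.0.11:587 check
    server mx2 10.0.0.12:587 check

# Ports 80 and 443: send ACME validation traffic to exactly one host so the
# certificate for submission.example.com is always issued to that host.
frontend acme_http
    bind *:80
    default_backend acme_target_http

frontend acme_https
    bind *:443
    default_backend acme_target_https

backend acme_target_http
    server mx1 10.0.0.11:80 check

backend acme_target_https
    server mx1 10.0.0.11:443 check
```

With plain TCP forwarding, Postfix sees every client as the proxy's address, which matters for logging and any client-IP based restrictions; HAProxy's `send-proxy` on the `server` lines together with `smtpd_upstream_proxy_protocol = haproxy` (or `postscreen_upstream_proxy_protocol = haproxy`) in Postfix restores the original client address. Whatever copies the certificate from mx1 to the other hosts (the rsync arrangement mentioned above) must also copy the matching private key and reload Postfix, otherwise mx2 will present a stale chain after renewal.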