On 05-19-2021 4:52 pm, Viktor Dukhovni wrote:
> It aliases the server's hostname to the proxy. Clients connect to the
> proxy thinking it is the server, and expect the server's certificate,
> which the server will present, because the proxy is just doing layer 4.

This is the part I'm not following you on.
Yes, the clients connect to the proxy, and they expect a certificate
from the proxy.
You said "which the server will present", which server? The proxy? No,
you said no TLS termination, just layer 4 pass through. So the postfix
server? That is what I assume. And the postfix server has a DIFFERENT
certificate created on the postfix server that does NOT match the proxy
server connection.
So if the client is connecting to the proxy, and is being given a cert
from postfix on a different server, how is that certificate going to
match the connection to be valid? This is the part I'm not understanding.
You said don't copy the cert from the proxy server to the postfix
server. So the cert on the postfix server is never going to match the
proxy connection.