> On 19 May 2021, at 5:03 pm, post...@ptld.com wrote:
> 
>> It aliases the server's hostname to the proxy.  Clients connect to the
>> proxy thinking it is the server, and expect the server's certificate,
>> which the server will present, because the proxy is just doing layer 4.
> 
> This is the part I'm not following you on.
> 
> Yes, the clients connect to the proxy, and they expect a certificate from the 
> proxy.

NO.  Clients are configured to connect to the server's name, which is
a CNAME for the proxy, so resolves to the proxy's IP address.  So at the
IP layer, the connection is *via* the proxy, but ultimately to the Postfix
server, which handles TLS (end-to-end).

> No, you said no TLS termination, just layer 4 pass through. So the postfix 
> server? That is what I assume. And the postfix server has a DIFFERENT 
> certificate created on the postfix server that does NOT match the proxy 
> server connection.

Why would the Postfix server have a "different certificate"?
DON'T DO THAT.

-- 
        Viktor.
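
The name check behind the reply above, as an added example that is not part of the original thread: a TLS client compares the certificate with the name it was configured with, so a layer 4 proxy in the path changes nothing as long as the Postfix server presents a certificate for that name. The hostnames and certificate contents are constructed, and the certificate dicts are assumed to be shaped like the output of Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example; all names and certificates are constructed for illustration.
CONFIGURED_NAME = "mail.example.com"  # name clients use (a CNAME for the proxy)
PROXY_NAME = "proxy.example.net"      # layer 4 proxy, never terminates TLS


def san_dns_names(cert):
    """Return the DNS subjectAltName entries of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style match: a wildcard may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label, e.g. "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def client_accepts(cert, configured_name=CONFIGURED_NAME):
    """The client verifies the name it was configured with, not the CNAME
    target and not the name of the host that owns the IP address it reached."""
    return any(name_matches(s, configured_name) for s in san_dns_names(cert))


# Certificates the Postfix server could present through the proxy (constructed).
CERTS = {
    "server name": {"subjectAltName": (("DNS", "mail.example.com"),)},
    "wildcard": {"subjectAltName": (("DNS", "*.example.com"),)},
    "proxy name": {"subjectAltName": (("DNS", PROXY_NAME),)},
    "internal name": {"subjectAltName": (("DNS", "postfix01.internal.example"),)},
}


def audit():
    """Map each candidate certificate to whether clients would accept it."""
    return {label: client_accepts(cert) for label, cert in CERTS.items()}


if __name__ == "__main__":
    for label, ok in audit().items():
        print(f"{label:14} {'accepted' if ok else 'REJECTED: name mismatch'}")
```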
