Disclaimer: I am not a network guru, but here is what I know.

With the CNAME scenario you can't have more than one backend, because HAProxy
acts as an L4 (TCP) balancer: it has no idea which server you are trying to
connect to or which server's certificate you are waiting for.

It just sends your packets to some random backend.


When you install a load balancer that acts as a front-end for several
backends, you can:

1. Terminate TLS on it.
This is how people do HTTPS:
Client--<HTTPS>--LoadBalancer--<PLAIN_HTTP>--SomeRandomBackEndN

You can't use STARTTLS in this scenario because the LoadBalancer is L4 (TCP),
not L7 (SMTP), hence it doesn't "speak" SMTP.

So, it COULD be
Client--<SMTPS>--LoadBalancer--<PLAIN_SMTP>--SomeRandomBackEndN
But I do not know if this scenario is supported.

2. Use a SubjAltName certificate and terminate TLS on the backend.
Client: I want to connect to haproxy.example.com
Haproxy (silently sends all packets to backend64)
Backend64: here is my cert. It is valid for Backend64 AND
haproxy.example.com

Client: I want to connect to haproxy.example.com
Haproxy (silently sends all packets to backend42)
Backend42: here is my cert. It is valid for Backend42 AND
haproxy.example.com


3. Replace the L4 (TCP) load balancer with an L7 (SMTP) load balancer and
terminate TLS there.
This load balancer is called Postfix:)

You install postfix instead of HAProxy.

It accepts emails, speaks TLS (along with STARTTLS), and provides its
certificate.
Everything works.

Then, it forwards emails to the backends via $relayhost:

relayhost = backend1:587, backend2:587,  backend3:587,  backendN:587
http://www.postfix.org/postconf.5.html#relayhost

I am for the third solution.

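As an added example (not part of the post above, and not a configuration the poster published), here is what the third option looks like as a Postfix main.cf fragment for the front-end host, with TLS handled on both hops: STARTTLS terminated on the front-end with its own certificate, and the relay leg to the backends forbidden from falling back to cleartext. All hostnames, ports, certificate paths and the internal CA file are assumptions for illustration.

```ini
# Added example, not from the original post: main.cf for a Postfix front-end
# that stands in for the L4 HAProxy (the post's option 3). Every hostname,
# port, path and CA file here is an assumption for illustration.

myhostname = haproxy.example.com

# --- Inbound hop: clients talk STARTTLS to the front-end, which presents
#     its own certificate, so clients never see a backend's name at all.
smtpd_tls_cert_file = /etc/postfix/tls/haproxy.example.com.crt
smtpd_tls_key_file  = /etc/postfix/tls/haproxy.example.com.key
# "may" advertises STARTTLS but still accepts cleartext on port 25 (needed
# for ordinary MX traffic). For the submission service, require it instead
# by adding
#     -o smtpd_tls_security_level=encrypt
# to the "submission" entry in master.cf.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_received_header = yes

# --- Outbound hop: relay everything to the backends. The brackets turn off
#     MX lookups; a name with several A records gives a crude round-robin
#     because Postfix tries each address in turn, and an explicit standby
#     backend can be named in smtp_fallback_relay.
relayhost = [backends.example.internal]:587
smtp_fallback_relay = [backend-standby.example.internal]:587

# Never let the front-end -> backend leg drop to cleartext, and verify the
# backend certificate against the internal CA so a rogue host on the inside
# network cannot receive the mail. With "secure", the certificate name is
# matched against the next-hop name (backends.example.internal), so the
# backend certificates must carry that name as a SAN: the same SAN trick
# as the post's option 2, just on the internal leg.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/postfix/tls/internal-ca.pem
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_loglevel = 1
```

To check the inbound hop from outside, `openssl s_client -starttls smtp -connect haproxy.example.com:587 -servername haproxy.example.com -verify_hostname haproxy.example.com` should end with `Verify return code: 0 (ok)` and show the front-end's certificate, not a backend's. For the post's option 2 the equivalent check is on each backend certificate: `openssl x509 -in backend42.crt -noout -ext subjectAltName` must list haproxy.example.com alongside the backend's own name, otherwise clients routed to that backend get a hostname mismatch.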