For archival purposes, to anyone reading this in the future: the answer I
was looking for, and the solution I ended up using for this problem:
1) On the haproxy.example.com server, I used certbot to issue a cert for
that domain.
2) I installed an SSH key on haproxy.example.com and copied it to
authorized_keys on submission.example.com (for passwordless rsync).
3) For auto renew I made a bash script on haproxy.example.com that runs
certbot renew and then rsyncs the cert directory in /live/ to
submission.example.com. Placed the script to run in crontab. Manually
ran the script once to get the initial keys to the back servers.
4) On the submission.example.com servers, add/change the following in
master.cf:

submission inet n       -       n       -       -       smtpd
  -o { your normal options }
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/haproxy.example.com/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/haproxy.example.com/privkey.pem
That's it; it works for TLS from [Email Client] -> [haproxy] -> [submission
server] without the client giving encryption warnings.
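The renewal-and-copy step (step 3) is the part that tends to break silently: certbot's live/ directory holds symlinks into archive/, a plain rsync of live/ leaves dangling links on the backend, and Postfix does not pick up new files until it is reloaded. Below is an added example, not the poster's script, of that step written as a certbot deploy hook (dropped into /etc/letsencrypt/renewal-hooks/deploy/ or passed via --deploy-hook) instead of a separate cron job, so it only runs when certbot actually renewed something. The hostnames and paths are the ones from the post; the SSH key path and the deploy-hook approach itself are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script: a certbot deploy hook that
# ships the renewed haproxy.example.com lineage to the Postfix submission host
# over rsync and reloads Postfix there. The SSH key path and the use of a
# deploy hook (instead of the poster's cron job) are assumptions.
set -eu

DOMAIN="haproxy.example.com"               # lineage certbot issues/renews (from the post)
BACKEND="submission.example.com"           # Postfix submission host (from the post)
SSH_KEY="/root/.ssh/cert_sync_ed25519"     # assumed: a dedicated key used only for this sync
LIVE_DIR="/etc/letsencrypt/live"           # same path the master.cf entries point at

# certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<name> to deploy hooks.
# Only ship the lineage the submission server actually uses; any other renewal
# on this host (a second vhost, say) must not overwrite the backend's files.
lineage_is_ours() {
    lineage="$1"; domain="$2"
    [ "$(basename "$lineage")" = "$domain" ]
}

# Refuse to ship a lineage whose key does not belong to its certificate; a
# mismatch here would take submission down for every client at the next reload.
cert_matches_key() {
    lineage="$1"
    cert_pub="$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$lineage/privkey.pem" -pubout)"
    [ "$cert_pub" = "$key_pub" ]
}

# Build the rsync command as a string so it can be logged before it runs.
# live/ contains symlinks into archive/; without --copy-links the backend gets
# dangling links and smtpd cannot load its cert. --chmod keeps the copied
# privkey.pem readable by root only on the receiving side.
rsync_cmd() {
    lineage="$1"; backend="$2"; key="$3"
    printf 'rsync -a --copy-links --delete --chmod=Du=rwx,Dgo-rwx,Fu=rw,Fgo-rwx -e "ssh -i %s -o BatchMode=yes" %s/ root@%s:%s/%s/\n' \
        "$key" "$lineage" "$backend" "$LIVE_DIR" "$(basename "$lineage")"
}

main() {
    lineage="${RENEWED_LINEAGE:?certbot did not set RENEWED_LINEAGE}"
    if ! lineage_is_ours "$lineage" "$DOMAIN"; then
        echo "deploy-hook: $lineage is not $DOMAIN, nothing to ship" >&2
        exit 0
    fi
    if ! cert_matches_key "$lineage"; then
        echo "deploy-hook: cert/key mismatch in $lineage, refusing to ship" >&2
        exit 1
    fi
    cmd="$(rsync_cmd "$lineage" "$BACKEND" "$SSH_KEY")"
    echo "deploy-hook: $cmd" >&2
    eval "$cmd"
    # smtpd only reads the cert files at process start; a reload makes master
    # retire the running smtpd processes so new ones pick up the new files.
    ssh -i "$SSH_KEY" -o BatchMode=yes "root@$BACKEND" 'postfix reload'
}

# Run only when invoked by certbot (which sets RENEWED_LINEAGE), so the file
# can also be sourced to reuse the helpers.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Since this copies the private key that clients trust for haproxy.example.com onto another host, the key from step 2 should be a dedicated one used for nothing else, and its authorized_keys line on submission.example.com should carry `restrict` and a `from=` clause limited to the haproxy address so a compromise of that key buys nothing beyond this sync.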