On Wed, Dec 07, 2022 at 11:51:32PM +0400, Sam wrote:

> I would like to run postfix in a docker container, and receive emails
> through HaProxy with SSL termination. So the setup I would like to
> achieve is:

It is generally preferable to let Postfix do TLS termination, so that
Postfix can be aware of the connection security properties, and e.g.
not offer SASL for cleartext connections.

Also, does "haproxy" support doing STARTTLS? On port 587 TLS does not
start at the beginning of the connection, but is instead negotiated
after EHLO. I am not sure how haproxy handles that.

> Is that even possible?

Yes. Postfix supports cleartext SMTP. You'd have to disable wrapper-mode
TLS on port 465, disable STARTTLS on port 587, and not require TLS for
submission or SASL.

> But why TLS termination at HaProxy specifically? Because the plan is to
> only keep HaProxy with root access on bare-metal (and access to
> certificates as root), while it wires all connections to internal ports.

I think you're optimising for the wrong security properties.
Containerised Postfix relies on much more fragile security boundaries
than Postfix running in a full VM. I would not recommend this design.

-- 
Viktor.
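The two master.cf postures Viktor's reply contrasts, written out as an added example (this is not configuration posted in the thread, nor Postfix's shipped file, though the first pair mirrors the stock submission/smtps entries): Postfix terminating TLS itself, beside the cleartext variant that HAProxy-side termination requires. The smtpd_upstream_proxy_protocol line is an assumption added here and not mentioned in the reply; without the PROXY protocol from HAProxy, Postfix sees every connection as coming from the proxy's address. The cleartext variant is what the question asks for, not what the reply recommends.

```conf
# ---- Posture 1: Postfix terminates TLS (the reply's recommendation) ----
# Stock-style entries: smtpd knows the connection is encrypted and
# refuses to offer AUTH on cleartext sessions (smtpd_tls_auth_only=yes).

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# ---- Posture 2: HAProxy terminates TLS, Postfix speaks cleartext ----
# Each change below undoes one of the protections above. Passwords now
# arrive at smtpd in the clear over the proxy-to-container hop, and
# smtpd can no longer tell an encrypted client from a cleartext one.

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=none
  -o smtpd_tls_auth_only=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  # Assumption not in the reply: HAProxy sends the PROXY protocol header
  # so logs/restrictions see the real client, not the proxy's address.
  -o smtpd_upstream_proxy_protocol=haproxy

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=none
  -o smtpd_tls_auth_only=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_upstream_proxy_protocol=haproxy
```

Check the effect with `postconf -M submission/inet smtps/inet` and by connecting to each port from the HAProxy host: in posture 2 the EHLO response must not advertise STARTTLS, and AUTH is offered on a cleartext session, which is exactly the property the reply warns about. Posture 2 also does nothing about the STARTTLS question raised for port 587: HAProxy would have to terminate TLS at connection start, so a client expecting STARTTLS on 587 will not negotiate TLS there.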